New Linux rootkit leverages GPUs to hide

Message boards : Number crunching : New Linux rootkit leverages GPUs to hide

Dr Who Fan
Volunteer tester
Joined: 8 Jan 01
Posts: 3208
Credit: 715,342
RAC: 4
United States
Message 1675348 - Posted: 8 May 2015, 21:30:22 UTC

New Linux rootkit leverages GPUs to hide

The Jellyfish proof-of-concept rootkit uses the processing power of graphics cards and runs in their dedicated memory

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

ID: 1675348
Profile ML1
Volunteer moderator
Volunteer tester
Joined: 25 Nov 01
Posts: 20265
Credit: 7,508,002
RAC: 20
United Kingdom
Message 1675436 - Posted: 9 May 2015, 0:55:43 UTC - in response to Message 1675348.  
Last modified: 9 May 2015, 0:56:22 UTC

New Linux rootkit leverages GPUs to hide

The Jellyfish proof-of-concept rootkit uses the processing power of graphics cards and runs in their dedicated memory

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

Thanks for that one, rather good, and all forged by the leading edge of Linux! ;-)

Also note:

Users probably shouldn't worry about criminals using GPU-based malware just yet, but proof-of-concepts like Jellyfish and Demon could inspire future developments. It's usually just a matter of time before attacks devised by researchers are adopted by malicious attackers.

Had to happen at some point as "GPGPU" usage becomes more general.

The race is now on for all systems to protect against such abuse.

My own favored methods are to ensure that "by design" and definitely NOT by use of wastefully harmful "anti-virus" falling prey to false hopes...


IT is what we make it!
Martin
See new freedom: Mageia Linux
Take a look for yourself: Linux Format
The Future is what We all make IT (GPLv3)
ID: 1675436
Profile BilBg
Volunteer tester
Joined: 27 May 07
Posts: 3720
Credit: 9,385,827
RAC: 0
Bulgaria
Message 1675565 - Posted: 9 May 2015, 1:20:28 UTC - in response to Message 1675348.  

I don't think this rootkit can travel from 'infected' GPU memory directly to another system's GPU memory.
It has to use the usual means of spreading (through CPU memory, disk/file, network), e.g. by luring people to download some file and run it.

So it's just a matter of adding signatures and/or heuristics to existing antiviruses
(by normal means of signature/module updates; no need for a new kind of antivirus to detect just a normal file before it is run/at the moment it is written to disk).

But since Linux people don't think they need Antivirus ...

- ALF - "Find out what you don't do well ..... then don't do it!" :)
ID: 1675565
Profile David Anderson (not *that* DA) Project Donor
Joined: 5 Dec 09
Posts: 215
Credit: 74,008,558
RAC: 74
United States
Message 1677842 - Posted: 10 May 2015, 19:13:02 UTC

We don't need no stinking ...! Never mind.
(insert usual hope that limited Linux user base
makes us less interesting...)

We do have rkhunter and chkrootkit
that check for some things.
Hmm. I should build latest chkrootkit
as it may be 9 months old, but it is newer
than what Ubuntu current Long Term Stable
release has.

Security researchers I respect
suggest AV is effective on maybe
50% of Windows viruses (yikes).

I also believe the labels on grocery products,
so I guess that makes me gullible :-)
ID: 1677842
Profile David Anderson (not *that* DA) Project Donor
Joined: 5 Dec 09
Posts: 215
Credit: 74,008,558
RAC: 74
United States
Message 1678245 - Posted: 11 May 2015, 16:35:08 UTC

To get chkrootkit 0.50 to build I changed %ld to %d in two places.
Neither the 32- nor the 64-bit Ubuntu uid is of type 'long' in 14.04.

Found 3 suspicious apps running without a terminal...
Oh. Just Einstein on GPUs. Stopped boinc and that warning
went away. Restarted boinc.
ID: 1678245
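The warning in the post above comes from a check that flags processes with no controlling terminal, which is exactly what a detached BOINC GPU science app looks like. The following is an added illustration, not chkrootkit's own code: it runs that check over constructed `ps -eo pid,tty,comm` output and separates processes an admin expects to run detached (an assumed allow-list; the BOINC app names are constructed, loosely modelled on Einstein@Home binaries) from those that still need a look.

```python
"""Reproduce a chkrootkit-style "running without a terminal" check
and triage its hits, so the BOINC false positive from the post is
separated from anything genuinely worth investigating."""
from dataclasses import dataclass

# Constructed sample of `ps -eo pid,tty,comm` output ("?" = no tty).
SAMPLE_PS = """\
  PID TT       COMMAND
    1 ?        systemd
  842 ?        sshd
 1203 tty1     bash
 1410 pts/0    bash
 2207 ?        boinc
 2311 ?        einsteinbinary_BRP4
 2312 ?        hsgamma_FGRPB1G
 3999 ?        unknownproc
"""

# Assumed allow-list: daemons known to run detached on this host.
KNOWN_DETACHED = {"systemd", "sshd", "boinc"}
# Assumed prefixes of BOINC science apps launched by the boinc client.
BOINC_APP_PREFIXES = ("einsteinbinary_", "hsgamma_")


@dataclass(frozen=True)
class Proc:
    pid: int
    tty: str
    comm: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,tty,comm` output, skipping the header line."""
    procs = []
    for line in text.splitlines()[1:]:
        pid, tty, comm = line.split(maxsplit=2)
        procs.append(Proc(int(pid), tty, comm))
    return procs


def no_terminal(procs: list[Proc]) -> list[Proc]:
    """The raw check: every process whose tty column is '?'."""
    return [p for p in procs if p.tty == "?"]


def triage(procs: list[Proc]) -> tuple[list[Proc], list[Proc]]:
    """Split detached processes into expected ones and ones to inspect."""
    expected, suspicious = [], []
    for p in no_terminal(procs):
        known = p.comm in KNOWN_DETACHED or p.comm.startswith(BOINC_APP_PREFIXES)
        (expected if known else suspicious).append(p)
    return expected, suspicious
```

Stopping boinc, as the post did, removes the three BOINC entries from the raw check; the triage step shows the same thing without interrupting the work units.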
