TECH NEWS – A graphics card’s (GPU) memory can hide malicious code that even antivirus applications can’t recognize!
Bleeping Computer reports that cybercriminals have created a malware program that hides in GPU memory, where antivirus applications cannot see it. The technique allocates a buffer in the GPU’s memory, places the code there and runs it from the GPU. It relies on the OpenCL 2.0 API and currently works only on Windows. The code has been tested successfully on Intel (UHD 620, 630), Nvidia (GeForce GTX 1650, GT 740M) and AMD (Radeon RX 5700) GPUs; since hardware from all three manufacturers was affected, most modern GPUs could be. The technique came to light when a hacker offered it for sale on a forum…
The idea of a GPU rootkit (malicious code that runs at such a low level that it cannot be identified) goes back to a research group’s 2015 proof of concept, which put a keylogger inside the GPU and included a GPU-based remote access trojan for Windows. The technique now on sale is a newer development, not derived from the 2015 work. “Under normal conditions, executing code on the GPU requires a controlling process running on the host. The host process adds a task to the command queue, eventually fetched and executed by the GPU.
However, GPUs have a non-preemptive nature: once the execution of a task is initiated, the GPU is locked with the execution of that task, and no one else can use the GPU in the meanwhile. This is particularly problematic when the GPU is used for rendering and computation, as this could generate undesired effects such as an unresponsive user interface. Consequently, the graphic driver usually enforces a timeout to kill long-lasting kernels to ensure proper behaviour. This could represent a significant limitation for GPU malware because the malicious kernel needs to be sent over and over in a loop, making it easier to detect in system memory. The first anti-forensic technique consists in disabling the existing timeout to take complete control of the GPU. For instance, in Vasiliadis et al. (2014), the authors disabled the GPU hangcheck to lock the GPUs indefinitely,” Science Direct says.
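The quoted passage names the defender’s lever: the driver timeout that kills long-running kernels is what forces GPU malware to keep re-sending its kernel, and disabling that timeout is the first anti-forensic step. The script below is an added example written for this page, not code from the article or from the cited paper; it audits that timeout on the two platforms where the knob is documented. On Windows it reads the Timeout Detection and Recovery (TDR) values under HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers and compares them with Microsoft’s documented defaults; on Linux it reads the Intel i915 driver’s enable_hangcheck module parameter. It assumes these are the only watchdog settings worth checking (other Linux GPU drivers are not covered) and that the sample dictionaries in the comments are constructed inputs, not values taken from any real system.

```python
"""Audit the GPU watchdog that kills long-running kernels.

Windows enforces it through Timeout Detection and Recovery (TDR), configured
under HKLM\\SYSTEM\\CurrentControlSet\\Control\\GraphicsDrivers. The Intel
i915 driver on Linux exposes the equivalent as the enable_hangcheck parameter.
Added example for this page; not the article's or the cited paper's code.
"""
from __future__ import annotations

import sys
from pathlib import Path
from typing import Dict, List, Optional

# Documented defaults for the TDR registry values (REG_DWORD; delays in seconds).
TDR_DEFAULTS: Dict[str, int] = {
    "TdrLevel": 3,       # 3 = recover on timeout, 1 = bugcheck, 0 = detection off
    "TdrDelay": 2,       # seconds a kernel may run before the driver preempts it
    "TdrDdiDelay": 5,    # seconds the driver gets to respond to the reset
    "TdrLimitCount": 5,  # resets tolerated within TdrLimitTime before bugcheck
    "TdrLimitTime": 60,
}

REGISTRY_PATH = r"SYSTEM\CurrentControlSet\Control\GraphicsDrivers"
I915_HANGCHECK = Path("/sys/module/i915/parameters/enable_hangcheck")


def assess_tdr(values: Dict[str, Optional[int]]) -> List[str]:
    """Return findings for TDR settings that let a GPU kernel run unchecked.

    `values` maps value name -> DWORD; a missing key or None means the value
    is not set, so the documented default applies and nothing is flagged.
    Constructed input example: {"TdrLevel": 0, "TdrDelay": 60} -> 2 findings.
    """
    findings: List[str] = []
    level = values.get("TdrLevel")
    if level == 0:
        findings.append("TdrLevel=0: timeout detection disabled; a kernel can hold the GPU indefinitely")
    elif level == 1:
        findings.append("TdrLevel=1: a hung kernel bugchecks the machine instead of being killed")
    delay = values.get("TdrDelay")
    if delay is not None and delay > TDR_DEFAULTS["TdrDelay"]:
        findings.append(f"TdrDelay={delay}: kernels may run {delay}s before recovery "
                        f"(default {TDR_DEFAULTS['TdrDelay']}s)")
    ddi = values.get("TdrDdiDelay")
    if ddi is not None and ddi > TDR_DEFAULTS["TdrDdiDelay"]:
        findings.append(f"TdrDdiDelay={ddi}: driver reset deadline raised "
                        f"(default {TDR_DEFAULTS['TdrDdiDelay']}s)")
    return findings


def assess_hangcheck(param_text: Optional[str]) -> List[str]:
    """Findings for i915 enable_hangcheck ('Y'/'N'); None means i915 is not loaded."""
    if param_text is None:
        return []
    if param_text.strip().upper() in ("N", "0"):
        return ["i915.enable_hangcheck=N: GPU hang detection disabled; hung kernels are never reset"]
    return []


def read_tdr_windows() -> Dict[str, Optional[int]]:
    """Read the TDR values from the live registry (Windows only)."""
    import winreg  # available only on Windows builds of Python

    out: Dict[str, Optional[int]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REGISTRY_PATH) as key:
        for name in TDR_DEFAULTS:
            try:
                data, kind = winreg.QueryValueEx(key, name)
                out[name] = int(data) if kind == winreg.REG_DWORD else None
            except FileNotFoundError:  # value not present -> default applies
                out[name] = None
    return out


def read_hangcheck_linux(path: Path = I915_HANGCHECK) -> Optional[str]:
    """Return the raw parameter text, or None when the i915 driver is absent."""
    return path.read_text() if path.exists() else None


def main() -> int:
    findings: List[str] = []
    if sys.platform == "win32":
        findings += assess_tdr(read_tdr_windows())
    else:
        findings += assess_hangcheck(read_hangcheck_linux())
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with administrator or root rights on the host you are triaging; a non-zero exit means the watchdog has been weakened and a kernel could be holding the GPU in the way the paper describes. A clean result does not prove there is no GPU-resident payload, since a kernel can still be re-enqueued in a loop under the default timeout; it only removes the “lock the GPU indefinitely” option.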
VX-Underground announced on Twitter that it will publish a demonstration of the technique in September: a proof of concept on Windows in which the GPU executes malware binaries from within the graphics card’s allocated memory.