GPU based Key-logger

GPU based Key-logger

The world of hacking has become more and more organized over the years and so has the techniques used by hackers. Highly sophisticated tactics are used by hackers these days, as they go to extraordinary lengths to carry out an attack.

And now, something else has been added to the list.

A team of developers have created two pieces of malware that work on infected computer graphics processor unit (GPU), in place of its central processor unit (CPU), so as to boost their secretiveness as well as computational efficiency.

The two malware are:

• Jellyfish Rootkit (for Linux operating system)
• Demon Keylogger

Till now, security researchers have found nasty malware running on CPU and misusing the GPU capabilities, in order to undermine cryptocurrencies such as Bitcoins.

Without exploiting or changing the processes, these two malware can operate, in the operating system kernel. This is the reason they remain hidden and do not create any suspicion that the system has been infected.

Jellyfish Rootkit

This is a proof-of-concept malware code developed to show that running malware on GPUs is fundamentally possible, as graphics cards have their memory and processors.

These rootkits can snoop on the CPU host memory via DMA (direct memory access), which in turn permits hardware components to read the main system memory without being through the CPU, making actions like these even more harder to detect.

Benefits of GPU stored memory:

• There are no GPU malware protection tools available on the internet
• It is possible to snoop on CPU host memory, through DMA (direct memory access)
• It can be used for quick mathematical calculations such as parsing or XORing
• Malicious memory remains in the GPU even after the device shuts down
• Stubs

Requirements for usage:

Have OpenCL icds/drivers set up

Change line 103 in rootkit/kit.c to server ip, through which you can monitor your GPU clients

AMD or Nvidia graphics card (Intel supports AMD’s SDK)

Demon Keylogger

Moreover, developers have also created a different, GPU-based keylogger, which has been dubbed Demon, although no technical details have been provided about the tool.

Demon Keylogger has been inspired by the malware explained in the 2013 academic research – “You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger”. Developers have assured that they were not working with the researchers.

“We are not associated with the creators of this paper,” the Demon developers said. “We only PoC’d what was described in it, plus a little more.”

There are two main components to GPU-based keystroke logger:

• A CPU-based component carried out once during the bootstrap phase, along with the task of spotting the address of keyboard buffer in the main memory.
• A GPU-based component oversees, via DMA (the keyboard buffer, and notes all keystroke events.

However, users don’t have to worry about hackers or cyber criminals using GPU-based malware, but proof-of-concept malware like Jellyfish Rootkit and Demon keylogger is capable of inspiring future developments.

Let us know what you think