Wednesday, September 1st 2021
Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware
Cybercriminals have devised a way to store malware code inside dedicated GPU memory (video memory) and execute it directly from there. Execution from video memory is not new in itself, but such techniques have mostly been confined to academic work and left unrefined. This would be the first time a proof-of-concept of a working tool that injects executables into video memory has surfaced on a hacker forum.
The tool relies on OpenCL 2.0, and its developers claim to have successfully tested it on Intel Gen9, AMD RDNA, NVIDIA Kepler, and NVIDIA Turing graphics architectures (i.e. UHD 620, UHD 630, Radeon RX 5700, GeForce GTX 740M, and GTX 1650). What makes this ingenious is that the malware binary is stored entirely in the GPU memory address space and is executed by the GPU rather than the CPU. Conventional anti-malware software is only known to scan system memory, disks, and network traffic for malware, not video memory. Hopefully this will change.
Source:
Bleeping Computer
17 Comments on Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware
Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, it's just going to continue.
Usually all firmware has some interface for writing things into its memory. Also, vendors usually rely on undocumented interfaces or ones that are under NDA with the OEM/ODM, i.e. bad for us.
There are so many places to hide malware or exploit freely writable memory that I get the heebie-jeebies just thinking about it. Complete virtualization and isolation, in combination with a dynamic root of trust, can solve 99% (or maybe around 95%?) of all problems.
It's not yet implemented because it is expensive and has a significant performance hit. Also, very few SOHO users demand it. Enterprises already run almost everything on some form of (somewhat) secure virtualization platform.