• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Hackers Innovate Way to Store and Execute Malware from Video Memory to Evade Anti-Malware

btarunr

Editor & Senior Moderator
Staff member
Joined
Oct 9, 2007
Messages
47,291 (7.53/day)
Location
Hyderabad, India
System Name RBMK-1000
Processor AMD Ryzen 7 5700G
Motherboard ASUS ROG Strix B450-E Gaming
Cooling DeepCool Gammax L240 V2
Memory 2x 8GB G.Skill Sniper X
Video Card(s) Palit GeForce RTX 2080 SUPER GameRock
Storage Western Digital Black NVMe 512GB
Display(s) BenQ 1440p 60 Hz 27-inch
Case Corsair Carbide 100R
Audio Device(s) ASUS SupremeFX S1220A
Power Supply Cooler Master MWE Gold 650W
Mouse ASUS ROG Strix Impact
Keyboard Gamdias Hermes E2
Software Windows 11 Pro
Cybercriminals have innovated a way to store malware code inside GPU dedicated memory (video memory), and execute code directly from there. Execution from video memory may not be new, but they've mostly been confined to the academic space, and unrefined. This would be the first time a proof-of-concept of a working tool that injects executables to video memory, surfaced on a hacker forum.

The tool relies on OpenCL 2.0, and its developers claim to have successfully tested it on Intel Gen9, AMD RDNA, NVIDIA Kepler, and NVIDIA Turing graphics architectures (i.e. UHD 620, UHD 630, Radeon RX 5700, GeForce GTX 740M, and GTX 1650). What makes this ingenious is that the malware binary is stored entirely in GPU memory address-space and is executed by the GPU, rather than the CPUs. Conventional anti-malware software are only known to scan the system memory, disks, and network traffic for malware; but not video memory. Hopefully this will change.



View at TechPowerUp Main Site
 
Joined
Feb 11, 2009
Messages
5,569 (0.96/day)
System Name Cyberline
Processor Intel Core i7 2600k -> 12600k
Motherboard Asus P8P67 LE Rev 3.0 -> Gigabyte Z690 Auros Elite DDR4
Cooling Tuniq Tower 120 -> Custom Watercoolingloop
Memory Corsair (4x2) 8gb 1600mhz -> Crucial (8x2) 16gb 3600mhz
Video Card(s) AMD RX480 -> RX7800XT
Storage Samsung 750 Evo 250gb SSD + WD 1tb x 2 + WD 2tb -> 2tb MVMe SSD
Display(s) Philips 32inch LPF5605H (television) -> Dell S3220DGF
Case antec 600 -> Thermaltake Tenor HTCP case
Audio Device(s) Focusrite 2i4 (USB)
Power Supply Seasonic 620watt 80+ Platinum
Mouse Elecom EX-G
Keyboard Rapoo V700
Software Windows 10 Pro 64bit
henceforth nothing made to this day will meet the requirements of windows 11, cannot be too careful !!
 
Joined
May 8, 2018
Messages
1,570 (0.65/day)
Location
London, UK
Directstorage is coming and that will make easier for this hack to work.
 
Joined
Jun 10, 2021
Messages
20 (0.02/day)
System Name KAAN
Processor AMD 5950X B2
Motherboard Asus Crosshair VIII Formula
Cooling ARCTIC Liquid Freezer II 280
Memory G.SKILL 4000C16 @3666C14 - 4x16GB - Samsung B-Die
Video Card(s) MSI GeForce RTX 3080 SUPRIM X 10G
Storage Kingston KC3000 2TB
Display(s) ASUS ROG Swift PG279Q 27"
Case Phanteks ECLIPSE P600s
Audio Device(s) Audeze Mobius
Power Supply Corsair HX750i
Mouse Logitech G604 LIGHTSPEED
Keyboard Logitech G815
Software Windows 11 (VBS)
Any microchip can be a malware if you are brave enough...
 

freeagent

Moderator
Staff member
Joined
Sep 16, 2018
Messages
8,812 (3.86/day)
Location
Winnipeg, Canada
Processor AMD R7 5800X3D
Motherboard Asus Crosshair VIII Dark Hero
Cooling Thermalright Frozen Edge 360, 3x TL-B12 V2, 2x TL-B12 V1
Memory 2x8 G.Skill Trident Z Royal 3200C14, 2x8GB G.Skill Trident Z Black and White 3200 C14
Video Card(s) Zotac 4070 Ti Trinity OC
Storage WD SN850 1TB, SN850X 2TB, SN770 1TB
Display(s) LG 50UP7100
Case Fractal Torrent Compact
Audio Device(s) JBL Bar 700
Power Supply Seasonic Vertex GX-1000, Monster HDP1800
Mouse Logitech G502 Hero
Keyboard Logitech G213
VR HMD Oculus 3
Software Yes
Benchmark Scores Yes
How do windows 11 users fare?
 
Joined
Jan 5, 2006
Messages
18,584 (2.68/day)
System Name AlderLake
Processor Intel i7 12700K P-Cores @ 5Ghz
Motherboard Gigabyte Z690 Aorus Master
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36
Video Card(s) MSI RTX 2070 Super Gaming X Trio
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p
Case Be quiet! Silent Base 600 - Window
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply Seasonic Focus Plus Gold 750W
Mouse Logitech MX Anywhere 2 Laser wireless
Keyboard RAPOO E9270P Black 5GHz wireless
Software Windows 11
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock
Joined
Jul 5, 2013
Messages
28,208 (6.74/day)
Cybercriminals have innovated a way to store malware code inside GPU dedicated memory (video memory), and execute code directly from there.
I've wondered if that would work for decades, guess we have an answer now. THIS will piss a few people off!

The hackers might be twots, but no denying they are clever.
True!

I was reading somewhere they could store and execute malware from TPM....
Yuppers. It takes some doing but can be done. This is also why TPM is useless outside of a certain usage context and why microsoft requiring it for Windows 11 is as pointless as it is transparent.
 
Joined
Apr 15, 2021
Messages
882 (0.66/day)
Proof-of-concept has been known for years, but there really wasn't much need for it given the simpler alternatives available.
I've wondered if that would work for decades, guess we have an answer now. THIS will piss a few people off!

Eventually we're all going to be using AV programs running mirrors of our system on virtual machines because sometimes the only way to detect this stuff is by identification through its behavior(dynamic analysis).

Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.
 
Joined
Aug 20, 2007
Messages
21,529 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
I was reading somewhere they could store and execute malware from TPM....
First I've heard of it. Malware can use the TPM to store keys away from the user, but it can't run from it.
 
Joined
Jul 10, 2017
Messages
2,671 (0.98/day)
Even NIC's have some sort of firmware and write-enabled memory.

Usually all firmware have some interface for writing things in its memory. Also, usually vendors rely on non-documented interfaces or ones that are under NDA with the OEM/ODM, i.e. bad for us.

There are so many places to hide malware or exploit freely writeable memory that I get the hibbidyjibbies just thinking about it.

Proof-of-concept has been known for years, but there really wasn't much need for it given the simpler alternatives available.


Eventually we're all going to be using AV programs running mirrors of our system on virtual machines because sometimes the only way to detect this stuff is by identification through its behavior(dynamic analysis).

Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.
Complete virtualization and isolation, in combination with dynamic root of trust can solve 99% (or maybe around 95%?) of all problems.

It's not yet implemented because it is expensive and has a significant performance hit. Also, very few SOHO users demand it. Enterprises already run almost everything on some form of (somewhat) secure virtualization platform.
 
Joined
Oct 10, 2009
Messages
795 (0.14/day)
Location
Madrid, Spain
System Name Rectangulote
Processor Core I9-9900KF
Motherboard Asus TUF Z390M
Cooling Alphacool Eisbaer Aurora 280 + Eisblock RTX 3090 RE + 2 x 240 ST30
Memory 32 GB DDR4 3600mhz CL16 Crucial Ballistix
Video Card(s) KFA2 RTX 3090 SG
Storage WD Blue 3D 2TB + 2 x WD Black SN750 1TB
Display(s) 2 x Asus ROG Swift PG278QR / Samsung Q60R
Case Corsair 5000D Airflow
Audio Device(s) Evga Nu Audio + Sennheiser HD599SE + Trust GTX 258
Power Supply Corsair RMX850
Mouse Razer Naga Wireless Pro / Logitech MX Master
Keyboard Keychron K4 / Dierya DK61 Pro
Software Windows 11 Pro
Until countries band together and agree to start tracking down and putting bullets into the heads of individuals that do this kind of stuff, its just going to continue.
Forget about that, that's were everyone get their security operators/advisors/hackers for their own interests. It's the same as demilitarizing, should be the common goal, no ones does because of what others might do.
 
Joined
Aug 25, 2015
Messages
210 (0.06/day)
Location
Chicago, IL
System Name Mass Effect/Lost Ark
Processor AMD Ryzen 5 5600X/AMD Ryzen 7 2700X
Motherboard Asus ROG Strix X470-F Gaming/Asus ROG Strix B450-F Gaming II
Cooling Noctua NH-D15S/AMD Wraith Max
Memory G.Skill Ripjaws V Series 16GB (2x8GB) DDR4-3200/Corsair Vengeance RGB Pro 16GB (2x8GB) DDR4-3200
Video Card(s) MSI AMD Radeon RX 6750 XT Mech 2x/MSI AMD Radeon RX 5700 XT Mech OC
Storage Samsung 860 Evo 500GB 2.5" SSDs x2, WD Black 4TB 3.5" 7200RPM, Samsung 970 EVO 500GB 1TB NVME M.2
Display(s) Acer XF270H 1920x1080p @ 144Hz
Case Thermaltake Core P3 TG ATX Mid Tower/CoolerMaster MasterCase Pro 5
Audio Device(s) SteelSeries Actis Nova 3 RGB
Power Supply Cooler Master V850 80+ Gold/Corsair CX650M 80+ Bronze
Mouse Thermaltake Level 10 M/Logitech G502
Keyboard Corsair K70 RGB MK.2 Wired Gaming Edition/Steelseries Apex 3 RGB
Software Windows 10 Pro OEM 64bit/Ubuntu 22.04.1 64bit
Takes buying an open box or used GPU to a whole different level. :laugh:
 
Top