Researchers develop undetectable malware that hides in video card

Researchers have developed malware for Linux and Windows that can hide in the video card and is therefore undetectable. A version for Mac is in development. The malware that hides in the video card consists of the Linux-based Jellyfish rootkit and the Demon keylogger. A proof of concept of each was posted on the open-source hosting website GitHub. A Linux version was released last week, and today a Windows version has also become available.

According to the anonymous developers, there are several advantages to hiding malware in a video card. One is that there are currently no tools to analyze GPU malware; another is that the GPU of the video card can be used for all kinds of mathematical calculations.

The Demon keylogger is based on a keylogger that was already presented in 2013. The keylogger can record keystrokes to the memory of the video card.

Both malware variants require a video card with either an AMD or Nvidia chip. Cards with an Intel chipset are supported through a specific software development kit. The rootkit also requires the OpenCL API from the Khronos Group, a consortium of GPU vendors and other companies that develop open standards. The OpenCL drivers have to be available on the attacked system in order for the rootkit to function.

The Windows version of the malware is described as a remote access tool (RAT) and copies a DLL file from the HDD to the video card's memory. When the system reboots, the DLL is searched for in the GPU memory and, when found, executed without any HDD activity. The Windows version also requires specific drivers and software.

The researchers state that the malware is still in development, that it has been created for educational purposes only, and that they are not responsible for the actions of third parties.
