New Linux rootkit leverages GPUs for stealth

A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.

The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.

Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.

Also, such rootkits can snoop on the host's primary memory, which is used by most other programs, via DMA (direct memory access). This feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect.

Additionally, the malicious GPU memory persists even after the system is shut down, the Jellyfish developers said on their GitHub page.

The rootkit code uses the OpenCL API developed by the Kronos Group, a consortium of GPU vendors and other companies that develops open standards. So, in order to function, the OpenCL drivers need to be installed on the targeted system.

Jellyfish currently works with AMD and Nvidia graphics cards, but Intel cards are also supported through the AMD APP SDK, a software development kit that allows GPUs to be used for accelerating applications.

GPUs perform mathematical calculations faster than CPUs, which is why some malware programs already leverage their computing power, for example, to mine Bitcoin cryptocurrency. However, those malicious programs do not run completely on GPUs like Jellyfish does.

The rootkit's developers warned that Jellyfish is still a work in progress, so it's buggy and incomplete. The code is intended to be used for educational purposes only, they said.

The developers also created a separate, GPU-based keylogger called Demon that's inspired by a 2013 academic research paper titled "You Can Type, but You Can't Hide: A Stealthy GPU-based Keylogger."

"We are not associated with the creators of this paper," the Demon developers said. "We only PoC'd what was described in it, plus a little more."

Users probably shouldn't worry about criminals using GPU-based malware just yet, but proof-of-concepts like Jellyfish and Demon could inspire future developments. It's usually just a matter of time before attacks devised by researchers are adopted by malicious attackers.