Virus writers have demonstrated a proof of concept for a new rootkit called Jellyfish. Its main innovation is that it runs on the graphics processor (GPU) and lives in the accelerator's memory.
Jellyfish is a Linux-based rootkit, presented as a conceptual design, that uses the LD_PRELOAD technique from Jynx and the OpenCL API from the Khronos Group. The malware supports AMD and NVIDIA video cards.
Demon is a keylogger.
Both pieces of malware exploit the GPU of infected devices. To stay hidden and gain computing power, the malware uses the graphics card instead of the CPU: the programs run on the CPU and use GPU functions, potentially to generate bitcoins and other virtual currencies.
According to the malware's authors, the key idea of the pilot project is to monitor the system clipboard directly from the GPU via direct memory access (DMA), without any hooks into or modifications of kernel code.
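Because Jellyfish relies on LD_PRELOAD injection (the Jynx technique mentioned above), a defender can at least audit where that mechanism is in use on a Linux host. The script below is an added example, not code from the article or the Jellyfish project: it lists libraries preloaded through /etc/ld.so.preload and through the LD_PRELOAD variable of running processes, and flags any that live outside the usual system library directories (the trusted directory list is an assumption to adjust per distribution).

```python
from __future__ import annotations
import os
from pathlib import Path
# Where legitimately preloaded libraries normally live (an assumption; adjust per distribution).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

def parse_preload_file(text: str) -> list[str]:
    """Library paths listed in /etc/ld.so.preload: whitespace-separated, '#' starts a comment."""
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries

def preload_from_environ(environ: bytes) -> list[str]:
    """LD_PRELOAD entries (':' or space separated) from a NUL-separated /proc/<pid>/environ blob."""
    for item in environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
            return value.replace(":", " ").split()
    return []

def is_suspicious(lib: str) -> bool:
    """Flag anything that is not an absolute path below a trusted library directory."""
    return not any(lib.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def audit_system(proc: str = "/proc", preload_file: str = "/etc/ld.so.preload") -> dict[str, list[str]]:
    """Scan the live system; returns {source: [suspicious preloaded libraries]}."""
    findings: dict[str, list[str]] = {}
    try:
        libs = [l for l in parse_preload_file(Path(preload_file).read_text()) if is_suspicious(l)]
    except OSError:
        libs = []  # file absent or unreadable: nothing preloaded system-wide
    if libs:
        findings[preload_file] = libs
    pids = [p for p in os.listdir(proc) if p.isdigit()] if os.path.isdir(proc) else []
    for pid in pids:
        try:
            environ = Path(proc, pid, "environ").read_bytes()
        except OSError:
            continue  # process already exited, or not ours to read
        libs = [l for l in preload_from_environ(environ) if is_suspicious(l)]
        if libs:
            findings[f"pid {pid}"] = libs
    return findings
if __name__ == "__main__":
    for source, libs in audit_system().items():
        print(f"{source}: LD_PRELOAD -> {', '.join(libs)}")
```

Run it as root to read every process's environment; a library with no path component is reported as well, since the loader resolves it through the library search path rather than a fixed trusted location.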
The malware authors also warn that these experimental tools were developed solely for educational purposes and that they accept no liability for further use of the Jellyfish rootkit and the Demon keylogger.
Running inside the graphics card makes Jellyfish completely invisible. According to information security experts, no antivirus tools can detect malicious objects in video memory, let alone clean an infected PC.
Once Jellyfish is installed on the victim's computer, it begins intercepting keystrokes in search of passwords and uses the GPU to generate cryptocurrency. The developers promise that the rootkit's functionality will soon be expanded.
Jellyfish's most ominous capability is surviving a shutdown: the malicious code is preserved and runs again the next time the machine starts. How this is implemented is not reported, since graphics cards use conventional DDR-type RAM, which loses its contents when power is removed. The authors nevertheless report that they have found a way to keep the body of the rootkit inside the graphics card. Cleaning the hard disk will therefore not help, and tools to combat viruses in video memory do not exist. So a user whose computer has caught Jellyfish will, for some time, have to accept the theft of their passwords and the misuse of their computer.
Surprisingly, Jellyfish is to be distributed under a free license. Another, rather amusing, feature of the rootkit is its dependence on the OpenCL library, which is used to access the basic functions of Nvidia and AMD graphics cards. If that library is not installed on the computer, or the accelerator comes from another vendor, Jellyfish refuses to work.
Another reason not to add third-party repositories. Because the source is available now, half of the programs in third-party repositories will be dirtied by this Jellyfish.
May the Force be with you,