OpenCL 2.0 flaw allows malware to be stored and executed from VRAM

Mr Evil

Weaksauce
Joined
Jul 11, 2015
Messages
90
This doesn't sound like an OpenCL exploit, but rather a limitation of antivirus software that they don't scan VRAM.
 

Lakados

Supreme [H]ardness
Joined
Feb 3, 2014
Messages
4,512
> This doesn't sound like an OpenCL exploit, but rather a limitation of antivirus software that they don't scan VRAM.

Not quite, and yes. A flaw was identified in 2013 with the LD_PRELOAD call, and it's still there. This could be an evolution of that exploit, which has been undergoing active development (here's its GitHub: https://github.com/nwork/WIN_JELLY).
But getting AV the ability to scan into GPU memory is going to have to be a thing now.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
32,843
> Not quite, and yes. A flaw was identified in 2013 with the LD_PRELOAD call, and it's still there. This could be an evolution of that exploit, which has been undergoing active development (here's its GitHub: https://github.com/nwork/WIN_JELLY).
> But getting AV the ability to scan into GPU memory is going to have to be a thing now.

Since GPU memory is volatile, is that really necessary?

I mean, it would have to be stored somewhere in some sort of NVRAM (disk, drive, whatever) or it would be cleaned out simply by power cycling?
 

Lakados

Supreme [H]ardness
Joined
Feb 3, 2014
Messages
4,512
> Since GPU memory is volatile, is that really necessary?
>
> I mean, it would have to be stored somewhere in some sort of NVRAM (disk, drive, whatever) or it would be cleaned out simply by power cycling?

Maybe, maybe not? It really depends on what the infection is capable of, but a keylogger running in GPU memory on the right system may go weeks with no reboots. That's a lot of compromised passwords. Based on the reports, it should also be perfectly valid on IGPs using their partition in RAM as well, dating back to the Intel 5300 released in 2014.
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
32,843
> Maybe, maybe not? It really depends on what the infection is capable of, but a keylogger running in GPU memory on the right system may go weeks with no reboots. That's a lot of compromised passwords. Based on the reports, it should also be perfectly valid on IGPs using their partition in RAM as well, dating back to the Intel 5300 released in 2014.

True.

I guess it would still have to get into VRAM somehow though, right? And if scanning is adequate on all points of entry (via disk or system RAM), you should capture it.
 