Open CL 2.0 flaw allows malware to be stored and executed from VRAM

[Lakados]

https://www.bleepingcomputer.com/ne...ells-tool-to-hide-malware-in-amd-nvidia-gpus/

Using exploits in OpenCL 2.0 malware can now be hidden in VRAM and executed by the GPU. Proof of concept coming shortly, tested on Intel, AMD, and NVidia hardware.

 

[Zarathustra[H]]

Fun.

 

[Mr Evil]

This doesn't sound like an OpenCL exploit, but rather a limitation of antivirus software that they don't scan VRAM.

 

[Lakados]

This doesn't sound like an OpenCL exploit, but rather a limitation of antivirus software that they don't scan VRAM.

not quite and yes, a flaw was identified in 2013 with the LD_PRELOAD call, it's still there. This could be an evolution of that exploit which has been undergoing active development (here's its github: https://github.com/nwork/WIN_JELLY)
But getting AV the ability to scan into GPU memory is going to have to be a thing now

 

[Zarathustra[H]]

ot quite and yes, a flaw was identified in 2013 with the LD_PRELOAD call, it's still there. This could be an evolution of that exploit which has been undergoing active development (here's its github: https://github.com/nwork/WIN_JELLY)
But getting AV the ability to scan into GPU memory is going to have to be a thing now

Since GPU memory is volatile, is that really necessary?

I mean, it would have to be stored somewhere in some sort of NVRAM (disk, drive, whatever) or it would be cleaned out simply by power cycling?

 

[Lakados]

Since GPU memory is volatile, is that really necessary?

I mean, it would have to be stored somewhere in some sort of NVRAM (disk, drive, whatever) or it would be cleaned out simply by power cycling?

Maybe maybe not? Really depends on what the infection is capable of but a keylogger running in GPU memory on the right system may go weeks with no reboots. That’s a lot of compromised passwords. Based on the reports it should also be perfectly valid on IGP’s using their partition in ram as well dating back to the Intel 5300 released in 2014.

 

[Zarathustra[H]]

Maybe maybe not? Really depends on what the infection is capable of but a keylogger running in GPU memory on the right system may go weeks with no reboots. That’s a lot of compromised passwords. Based on the reports it should also be perfectly valid on IGP’s using their partition in ram as well dating back to the Intel 5300 released in 2014.

True.

I guess it would still have to get into VRAM somehow though right? And if scanning is adequate on all points of entry (via disk or system RAM) you should capture it.