Abstract
Malware writers constantly seek new methods to increase the infection lifetime of their malicious software. To that end, techniques such as code unpacking and polymorphism have become the norm for hindering automated or manual malware analysis and evading virus scanners. In this paper, we demonstrate how malware can take advantage of the ubiquitous and powerful graphics processing unit (GPU) to increase its robustness against analysis and detection. We present the design and implementation of brute-force unpacking and runtime polymorphism, two code armoring techniques based on the general-purpose computing capabilities of modern graphics processors. By running part of the malicious code on a different processor architecture with ample computational power, these techniques pose significant challenges to existing malware detection and analysis systems, which are tailored to the analysis of CPU code. We also discuss how upcoming GPU features can be used to build even more robust and evasive malware, as well as directions for potential defenses against GPU-assisted malware.
Notes
AMD offers a similar SDK for its ATI line of GPUs [4].
References
Amazon.com: Online shopping for electronics, apparel, computers, books, DVDs, & more. http://www.amazon.com
AMD loses share on graphics market. http://www.xbitlabs.com/news/video/display/20101026180100_AMD_Loses_Share_on_Graphics_Market.html
Advanced Micro Devices, Inc.: AMD I/O virtualization technology (IOMMU) specification license agreement. http://support.amd.com/us/Processor_TechDocs/48882.pdf
AMD: ATI Stream Software Development Kit (SDK) v2.1. http://developer.amd.com/gpu/ATIStreamSDK/Pages/default.aspx
Bayer, U., Nentwich, F.: Anubis: analyzing unknown binaries. http://anubis.iseclab.org/ (2009)
Biondi, P., Desclaux, F.: Silver needle in the Skype. BlackHat Europe (2008)
Cappaert, J., Preneel, B., Anckaert, B., Madou, M., Bosschere, K.D.: Towards tamper resistant code encryption: practice and experience. In: Proceedings of the 4th Information Security Practice and Experience Conference (ISPEC) (2008)
Eagle, C.: Strike/counter-strike: reverse engineering Shiva. BlackHat Federal (2003)
Elcomsoft: Faster password recovery with modern GPUs. http://www.elcomsoft.com/presentations/faster_password_recovery_with_modern_GPUs.pdf
Ferrie, P.: Anti-unpacker tricks. In: Proceedings of the 2nd International CARO Workshop (2008)
GPU-accelerated Wi-Fi password cracking goes mainstream. http://www.zdnet.com/blog/security/gpu-accelerated-wi-fi-password-cracking-goes-mainstream/2419
Giunta, G., Montella, R., Agrillo, G., Coviello, G.: gVirtuS: A GPGPU transparent virtualization component. http://osl.uniparthenope.it/projects/gvirtus/
grugq, scut: Armouring the ELF: binary encryption on the UNIX platform. Phrack 11(58), Dec 2001
Harrison, O., Waldron, J.: Practical symmetric key cryptography on modern graphics hardware. In: Proceedings of the 17th USENIX Security Symposium (2008)
Intel Corporation: Intel virtualization technology for directed I/O—architecture specification. http://download.intel.com/technology/computing/vptech/Intel(r)_VT_for_Direct_IO.pdf
John the Ripper password cracker. http://www.openwall.com/john/
Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM) (2007)
Khronos Group: OpenCL—the open standard for parallel programming of heterogeneous systems. http://www.khronos.org/opencl/
Koromilas, L., Vasiliadis, G., Manousakis, I., Ioannidis, S.: Efficient software packet processing on heterogeneous and asymmetric hardware architectures. In: Proceedings of the 10th ACM/IEEE Symposium on Architecture for Networking and Communications Systems, ANCS (2014)
Kruegel, C., Kirda, E., Bayer, U.: TTAnalyze: a tool for analyzing malware. In: Proceedings of the 15th European Institute for Computer Antivirus Research Annual Conference (EICAR), April 2006
Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can’t hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security (EuroSec) (2013)
Lee, S., Kim, Y., Kim, J., Kim, J.: Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP ’14 (2014)
Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: fast, generic, and safe unpacking of malware. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) (2007)
Maurice, C., Neumann, C., Heen, O., Francillon, A.: Confidentiality issues on a GPU in a virtualized environment. In: Proceedings of the Eighteenth International Conference on Financial Cryptography and Data Security, FC ’14, March 2014
Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 28th IEEE Symposium on Security and Privacy (2007)
NVIDIA SLI Multi-OS. http://www.nvidia.co.uk/object/sli_multi_os.html
NVIDIA: Compute Unified Device Architecture (CUDA) Toolkit, version 3.2. http://developer.nvidia.com/object/cuda_3_2_downloads.html
Pietro, R.D., Lombardi, F., Villani, A.: CUDA leaks: information leakage in GPU architectures. ArXiv, May 2013
Reynaud, D.: GPU powered malware. Ruxcon (2008)
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC) (2006)
Russian crackers throw GPU power at passwords. http://arstechnica.com/business/news/2007/10/russian-crackers-throw-gpu-power-at-passwords.ars
Sang, F.L., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)
Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: Proceedings of the 30th IEEE Symposium on Security and Privacy (2009)
Stewin, P., Bystrov, I.: Understanding DMA malware. In: Proceedings of the 9th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012, July 2012
Stewin, P., Seifert, J.-P., Mulliner, C.: Poster: towards detecting DMA malware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS ’11, pp. 857–860 (2011)
Ször, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Reading (2005)
Vasiliadis, G., Polychronakis, M., Ioannidis, S.: GPU-assisted malware. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)
Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)
Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Another way to circumvent Intel trusted execution technology. http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf (2009)
Acknowledgments
This work was supported in part by the Marie Curie Actions—Reintegration Grants project PASS, by the Marie Curie FP7-PEOPLE-2009-IOF project MALCODE, by the project i-Code funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Commission—Directorate-General for Home Affairs, by the General Secretariat for Research and Technology in Greece with a Research Excellence grant, and by the FP7 projects NECOMA and SysSec, funded by the European Commission under Grant Agreements No. 608533 and No. 257007. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained herein. Giorgos Vasiliadis is also with the University of Crete.