
GPU-assisted malware

Regular Contribution, International Journal of Information Security

Abstract

Malware writers constantly seek new methods to increase the infection lifetime of their malicious software. To that end, techniques such as code unpacking and polymorphism have become the norm for hindering automated or manual malware analysis and evading virus scanners. In this paper, we demonstrate how malware can take advantage of the ubiquitous and powerful graphics processing unit (GPU) to increase its robustness against analysis and detection. We present the design and implementation of brute-force unpacking and runtime polymorphism, two code armoring techniques based on the general-purpose computing capabilities of modern graphics processors. By running part of the malicious code on a different processor architecture with ample computational power, these techniques pose significant challenges to existing malware detection and analysis systems, which are tailored to the analysis of CPU code. We also discuss how upcoming GPU features can be used to build even more robust and evasive malware, as well as directions for potential defenses against GPU-assisted malware.


Notes

  1. AMD offers a similar SDK for its ATI line of GPUs [4].

References

  1. Amazon.com: Online shopping for electronics, apparel, computers, books, DVDs, & more. http://www.amazon.com

  2. AMD loses share on graphics market. http://www.xbitlabs.com/news/video/display/20101026180100_AMD_Loses_Share_on_Graphics_Market.html

  3. Advanced Micro Devices, Inc.: AMD I/O virtualization technology (IOMMU) specification license agreement. http://support.amd.com/us/Processor_TechDocs/48882.pdf

  4. AMD: ATI Stream Software Development Kit (SDK) v2.1. http://developer.amd.com/gpu/ATIStreamSDK/Pages/default.aspx

  5. Bayer, U., Nentwich, F.: Anubis: analyzing unknown binaries. http://anubis.iseclab.org/ (2009)

  6. Biondi, P., Desclaux, F.: Silver needle in the Skype. BlackHat Europe (2008)

  7. Cappaert, J., Preneel, B., Anckaert, B., Madou, M., Bosschere, K.D.: Towards tamper resistant code encryption: practice and experience. In: Proceedings of the 4th Information Security Practice and Experience Conference (ISPEC) (2008)

  8. Eagle, C.: Strike/counter-strike: reverse engineering Shiva. BlackHat Federal (2003)

  9. Elcomsoft: Faster password recovery with modern GPUs. http://www.elcomsoft.com/presentations/faster_password_recovery_with_modern_GPUs.pdf

  10. Ferrie, P.: Anti-unpacker tricks. In: Proceedings of the 2nd International CARO Workshop (2008)

  11. GPU-accelerated Wi-Fi password cracking goes mainstream. http://www.zdnet.com/blog/security/gpu-accelerated-wi-fi-password-cracking-goes-mainstream/2419

  12. Giunta, G., Montella, R., Agrillo, G., Coviello, G.: gVirtuS: A GPGPU transparent virtualization component. http://osl.uniparthenope.it/projects/gvirtus/

  13. grugq, scut: Armouring the ELF: binary encryption on the UNIX platform. Phrack 11(58), Dec 2001

  14. Harrison, O., Waldron, J.: Practical symmetric key cryptography on modern graphics hardware. In: Proceedings of the 17th USENIX Security Symposium (2008)

  15. Intel Corporation: Intel virtualization technology for directed I/O—architecture specification. http://download.intel.com/technology/computing/vptech/Intel(r)_VT_for_Direct_IO.pdf

  16. John the Ripper password cracker. http://www.openwall.com/john/

  17. Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM) (2007)

  18. Khronos Group: OpenCL—the open standard for parallel programming of heterogeneous systems. http://www.khronos.org/opencl/

  19. Koromilas, L., Vasiliadis, G., Manousakis, I., Ioannidis, S.: Efficient software packet processing on heterogeneous and asymmetric hardware architectures. In: Proceedings of the 10th ACM/IEEE Symposium on Architecture for Networking and Communications Systems, ANCS (2014)

  20. Kruegel, C., Kirda, E., Bayer, U.: TTAnalyze: a tool for analyzing malware. In: Proceedings of the 15th European Institute for Computer Antivirus Research Annual Conference (EICAR), April 2006

  21. Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can’t hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security (EuroSec) (2013)

  22. Lee, S., Kim, Y., Kim, J., Kim, J.: Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP ’14 (2014)

  23. Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: fast, generic, and safe unpacking of malware. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) (2007)

  24. Maurice, C., Neumann, C., Heen, O., Francillon, A.: Confidentiality issues on a GPU in a virtualized environment. In: Proceedings of the 18th International Conference on Financial Cryptography and Data Security (FC ’14), March 2014

  25. Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 28th IEEE Symposium on Security and Privacy (2007)

  26. NVIDIA SLI Multi-OS. http://www.nvidia.co.uk/object/sli_multi_os.html

  27. NVIDIA: Compute Unified Device Architecture (CUDA) Toolkit, version 3.2. http://developer.nvidia.com/object/cuda_3_2_downloads.html

  28. Pietro, R.D., Lombardi, F., Villani, A.: CUDA leaks: information leakage in GPU architectures. ArXiv, May 2013

  29. Reynaud, D.: GPU powered malware. Ruxcon (2008)

  30. Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC) (2006)

  31. Russian crackers throw GPU power at passwords. http://arstechnica.com/business/news/2007/10/russian-crackers-throw-gpu-power-at-passwords.ars

  32. Sang, F.L., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)

  33. Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: Proceedings of the 30th IEEE Symposium on Security and Privacy (2009)

  34. Stewin, P., Bystrov, I.: Understanding DMA malware. In: Proceedings of the 9th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA 2012), July 2012

  35. Stewin, P., Seifert, J.-P., Mulliner, C.: Poster: towards detecting DMA malware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS ’11, pp. 857–860 (2011)

  36. Ször, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Reading (2005)

  37. Vasiliadis, G., Polychronakis, M., Ioannidis, S.: GPU-assisted malware. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)

  38. Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)

  39. Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Another way to circumvent Intel trusted execution technology. http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf (2009)

Acknowledgments

This work was supported in part by the Marie Curie Actions—Reintegration Grants project PASS, by the Marie Curie FP7-PEOPLE-2009-IOF project MALCODE, by the project i-Code funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Commission—Directorate-General for Home Affairs, by the General Secretariat for Research and Technology in Greece with a Research Excellence grant, and by the FP7 projects NECOMA and SysSec, funded by the European Commission under Grant Agreements No. 608533 and No. 257007. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained herein. Giorgos Vasiliadis is also with the University of Crete.

Corresponding author

Correspondence to Giorgos Vasiliadis.

About this article

Cite this article

Vasiliadis, G., Polychronakis, M. & Ioannidis, S. GPU-assisted malware. Int. J. Inf. Secur. 14, 289–297 (2015). https://doi.org/10.1007/s10207-014-0262-9
