GPU-based rootkit and keylogger prototypes for Linux presented

gpu rootkit linux keylogger

Security researchers from Team Jellyfish have turned a previously theoretical approach, using the GPU to monitor system activity, into practice, and have produced working prototypes of a rootkit and a keylogger that run on the GPU in order to hide their presence in the system. Notably, once the rootkit and the keylogger have access to the GPU, they work without traditional hooks and without modifying the code of the operating system kernel.

The buffer holding keystroke data is monitored directly from the GPU using DMA. Only initialization is done on the CPU; afterwards all activity of the rootkit is confined to the GPU.

Currently the software works only on systems with a discrete AMD or NVIDIA graphics card (GPUs integrated with the CPU are not supported yet). The prototype rootkit is implemented in user space and is loaded by means of LD_PRELOAD. Code is executed on the GPU through the OpenCL API, so drivers that support OpenCL are required. After loading, all data are stored in video memory, which makes the intrusion difficult to detect. The contents of CPU memory are read through DMA. Execution on the GPU also means the GPU can be used to perform complex calculations.
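One defender-side triage check that follows from the loading model described above: the CPU-side component still has to enter a process via LD_PRELOAD (or the system-wide /etc/ld.so.preload), and that process must map an OpenCL or CUDA runtime, so a process showing both is worth a closer look. This is an added example and not code from Team Jellyfish or the Jellyfish project; the GPU library-name patterns and trusted path prefixes are assumptions, and the environ/maps inputs are constructed samples rather than captures from a real system.

```python
import re

# Assumption: these library basenames indicate an OpenCL/CUDA runtime is mapped.
GPU_RUNTIME_RE = re.compile(r"lib(OpenCL|cuda|amdocl|nvidia-opencl)", re.I)
# Assumption: preloaded libraries outside these prefixes deserve a second look.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")

def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated /proc/<pid>/environ blob into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            k, _, v = entry.partition(b"=")
            env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env

def preloaded_libs(env: dict, ld_so_preload: str = "") -> list:
    """Libraries injected via LD_PRELOAD (per process) or /etc/ld.so.preload (system-wide)."""
    libs = [p for p in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")) if p]
    for line in ld_so_preload.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            libs.append(line)
    return libs

def gpu_runtime_mapped(maps_text: str) -> list:
    """Pathnames from /proc/<pid>/maps that look like a GPU compute runtime."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode pathname
        if len(parts) == 6 and GPU_RUNTIME_RE.search(parts[5]):
            found.add(parts[5].strip())
    return sorted(found)

def assess(pid: int, environ_raw: bytes, maps_text: str, ld_so_preload: str = "") -> dict:
    """Flag a process with an untrusted preloaded library that also maps a GPU runtime."""
    pre = preloaded_libs(parse_environ(environ_raw), ld_so_preload)
    untrusted = [p for p in pre if not p.startswith(TRUSTED_PREFIXES)]
    gpu = gpu_runtime_mapped(maps_text)
    if untrusted and gpu:
        verdict = "review"        # preload plus GPU runtime in one process
    elif untrusted:
        verdict = "preload-only"  # injection present, but no GPU compute path
    else:
        verdict = "clean"
    return {"pid": pid, "verdict": verdict, "preload": pre, "gpu_runtime": gpu}

# Constructed sample input (not captured from a real system).
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libgpuhook.so\0HOME=/root\0"
SAMPLE_MAPS = """7f0000000000-7f0000100000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libOpenCL.so.1
7f0000200000-7f0000300000 r-xp 00000000 08:01 5678 /tmp/.x/libgpuhook.so
7f0000400000-7f0000500000 r-xp 00000000 08:01 9999 /usr/lib/x86_64-linux-gnu/libc.so.6
"""

if __name__ == "__main__":
    print(assess(4242, SAMPLE_ENVIRON, SAMPLE_MAPS))
```

On a live host the same functions can be fed the contents of /proc/<pid>/environ, /proc/<pid>/maps and /etc/ld.so.preload for each process; a "review" verdict is a starting point for triage, not proof of compromise.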