GPU-assisted malware

  • Giorgos Vasiliadis
  • Michalis Polychronakis
  • Sotiris Ioannidis
Regular Contribution

Abstract

Malware writers constantly seek new methods to increase the infection lifetime of their malicious software. To that end, techniques such as code unpacking and polymorphism have become the norm for hindering automated or manual malware analysis and evading virus scanners. In this paper, we demonstrate how malware can take advantage of the ubiquitous and powerful graphics processing unit (GPU) to increase its robustness against analysis and detection. We present the design and implementation of brute-force unpacking and runtime polymorphism, two code armoring techniques based on the general-purpose computing capabilities of modern graphics processors. By running part of the malicious code on a different processor architecture with ample computational power, these techniques pose significant challenges to existing malware detection and analysis systems, which are tailored to the analysis of CPU code. We also discuss how upcoming GPU features can be used to build even more robust and evasive malware, as well as directions for potential defenses against GPU-assisted malware.
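The brute-force unpacking technique named in the abstract, as an added sequential C model (this is illustration code, not code from the paper or its authors): the packer encrypts the payload, discards the key and ships only a checksum of the decrypted bytes, so the unpacker must sweep the entire key space before any code is available in cleartext, which is exactly the data-parallel job a GPU is good at. The 20-bit key size, the xorshift32 keystream cipher, the 64-bit FNV-1a checksum, the block/thread loop structure and the constructed payload are all assumptions made for this example.

```c
/* Sequential model of GPU brute-force unpacking (illustration, not the paper's code).
 * Assumptions: a 20-bit key, a xorshift32 keystream cipher and a 64-bit FNV-1a
 * checksum stand in for whatever a real packer would use. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KEY_BITS      20                /* assumed: small enough to sweep in seconds on a CPU */
#define KEY_SPACE     (1u << KEY_BITS)
#define BLOCK_THREADS 256               /* mirrors a CUDA thread block; emulated sequentially here */

/* Keystream generator: xorshift32 seeded from the key (assumed toy cipher). */
static uint32_t xorshift32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Encrypt/decrypt buf in place under key (XOR stream, so it is its own inverse). */
void stream_xor(uint8_t *buf, size_t n, uint32_t key) {
    uint32_t s = key ^ 0xA5A5A5A5u;     /* keeps the seed non-zero for every 20-bit key */
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(xorshift32(&s) >> 24);
}

/* 64-bit FNV-1a of the decrypted payload: the only key-verification data in the binary. */
uint64_t fnv1a64(const uint8_t *buf, size_t n) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < n; i++) { h ^= buf[i]; h *= 0x100000001b3ull; }
    return h;
}

/* Packer side: encrypt the payload and keep only the checksum; the key is discarded. */
uint64_t pack(uint8_t *payload, size_t n, uint32_t key) {
    uint64_t check = fnv1a64(payload, n);
    stream_xor(payload, n, key);
    return check;
}

/* One GPU thread's work: try a single key candidate. Returns 1 on a checksum match. */
static int try_key(uint32_t key, const uint8_t *packed, size_t n,
                   uint64_t check, uint8_t *scratch) {
    memcpy(scratch, packed, n);
    stream_xor(scratch, n, key);
    return fnv1a64(scratch, n) == check;
}

/* Unpacker: sweep the key space as a grid of blocks x threads, i.e. a sequential
 * emulation of key = blockIdx.x * blockDim.x + threadIdx.x. On a real GPU every
 * candidate runs concurrently and the first match raises a shared "found" flag. */
int brute_force_unpack(const uint8_t *packed, size_t n, uint64_t check,
                       uint8_t *out, uint32_t *found_key) {
    uint32_t blocks = KEY_SPACE / BLOCK_THREADS;
    for (uint32_t b = 0; b < blocks; b++) {
        for (uint32_t t = 0; t < BLOCK_THREADS; t++) {
            uint32_t key = b * BLOCK_THREADS + t;
            if (try_key(key, packed, n, check, out)) {
                *found_key = key;
                return 1;               /* out now holds the decrypted payload */
            }
        }
    }
    return 0;
}

int main(void) {
    /* Constructed stand-in for code bytes; a real packer would encrypt a code section. */
    uint8_t buf[] = "payload: stand-in for executable bytes";
    size_t n = sizeof buf;
    uint8_t out[sizeof buf];
    uint32_t key = 0;
    uint64_t check = pack(buf, n, 0xC0FFEu);    /* 0xC0FFE is the key the packer throws away */
    if (brute_force_unpack(buf, n, check, out, &key))
        printf("key 0x%05x recovered, payload: %s\n", key, out);
    else
        printf("no key matched\n");
    return 0;
}
```

The point for analysis tooling is that the key never exists anywhere in the binary: a static unpacker has nothing to extract, and a memory dump taken before the search completes contains only ciphertext, so a sandbox that does not pass the GPU through has to pay the full sweep on the CPU. Raising KEY_BITS in this model shows how quickly that CPU cost grows while the same search stays cheap on hardware that runs the candidates in parallel.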

Keywords

GPU, Malware, Evasion

Acknowledgments

This work was supported in part by the Marie Curie Actions—Reintegration Grants project PASS, by the Marie Curie FP7-PEOPLE-2009-IOF project MALCODE, by the project i-Code funded by the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme of the European Commission—Directorate-General for Home Affairs, by the General Secretariat for Research and Technology in Greece with a Research Excellence grant, and by the FP7 projects NECOMA and SysSec, funded by the European Commission under Grant Agreements No. 608533 and No. 257007. This publication reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained herein. Giorgos Vasiliadis is also with the University of Crete.

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Giorgos Vasiliadis (1)
  • Michalis Polychronakis (2)
  • Sotiris Ioannidis (1)
  1. FORTH, Heraklion, Greece
  2. Columbia University, New York, USA