GPU-assisted malware

  • Giorgos Vasiliadis
  • Michalis Polychronakis
  • Sotiris Ioannidis
Regular Contribution

Abstract

Malware writers constantly seek new methods to increase the infection lifetime of their malicious software. To that end, techniques such as code unpacking and polymorphism have become the norm for hindering automated or manual malware analysis and evading virus scanners. In this paper, we demonstrate how malware can take advantage of the ubiquitous and powerful graphics processing unit (GPU) to increase its robustness against analysis and detection. We present the design and implementation of brute-force unpacking and runtime polymorphism, two code armoring techniques based on the general-purpose computing capabilities of modern graphics processors. By running part of the malicious code on a different processor architecture with ample computational power, these techniques pose significant challenges to existing malware detection and analysis systems, which are tailored to the analysis of CPU code. We also discuss how upcoming GPU features can be used to build even more robust and evasive malware, as well as directions for potential defenses against GPU-assisted malware.

Keywords

GPU, Malware, Evasion

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Giorgos Vasiliadis (1)
  • Michalis Polychronakis (2)
  • Sotiris Ioannidis (1)
  1. FORTH, Heraklion, Greece
  2. Columbia University, New York, USA
