Intel thinks the 'Jellyfish' graphics card virus isn't that scary

In May this year, a group of security researchers presented a so-called "graphics card virus", malware that runs on the GPU, and claimed that current security products have no defense against it. The claim caused a stir for a while, but after studying the code Intel believes it is not that frightening. The group, working under the collective codename "Jellyfish", first built a rootkit and a keylogger that run on the GPU under Linux, then designed a remote access tool (RAT) for Windows, and published proof-of-concept code on GitHub.

Intel researchers analyzed the code and say in a new security report that GPU malware is easy to detect once scanning tools know what to look for.

"Countless articles repeat the author's point of view," said Craig Schmugar, a security engineer from McAfee who is now at Intel, in the report. "If the relevant context is not considered, it is easy to misinterpret and create the illusion that there is an undetectable super virus that can run autonomously and current defenses are completely ineffective, which is not the case."

Intel focused on how JellyFish runs, in particular on how the GPU and system memory communicate over DMA, and found that the malware must first obtain ring 0 (kernel-level) access on the CPU before it can map system memory into the GPU for reading and writing. Whether that is possible depends on how well the system kernel is protected.

In addition, to hide itself the GPU malware must delete its CPU-side host file during installation, so that the code exists only on the GPU. On Windows this triggers the Timeout Detection and Recovery (TDR) process: the graphics card is reset and the malicious code naturally disappears.

If an attacker tries to change the default TDR reset timeout (2 seconds), the change itself is treated as suspicious behavior by the system and triggers a security warning.
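A defender-side check for the TDR tampering described above, written as an added example rather than code from the article or from Intel's report: it reads the documented TDR registry values (TdrDelay, default 2 seconds, and TdrLevel, default 3, both documented by Microsoft and not mentioned in the article) and reports any deviation from the defaults. The registry path and defaults are the documented ones; the function name and output format are this example's own.

```powershell
# Added example: compare Windows TDR registry values against their documented
# defaults and report any override, which Intel's analysis treats as suspicious.
$tdrKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers'

# Documented defaults: TdrDelay = 2 seconds, TdrLevel = 3 (TdrLevelRecover).
# TdrLevel = 0 turns TDR off entirely, so it deserves the most attention.
$defaults = @{ TdrDelay = 2; TdrLevel = 3 }

function Test-TdrDefaults {
    param([string]$Path = $tdrKey)
    $findings = @()
    # Missing values mean the driver uses its built-in default; only explicit
    # overrides are examined.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $defaults.Keys) {
        if ($null -eq $props -or -not $props.PSObject.Properties[$name]) {
            continue
        }
        $current = [int]$props.$name
        if ($current -ne $defaults[$name]) {
            $findings += [pscustomobject]@{
                Name     = $name
                Current  = $current
                Expected = $defaults[$name]
            }
        }
    }
    # Leading comma forces an array return even for zero or one finding.
    return ,$findings
}

$findings = Test-TdrDefaults
if ($findings.Count -eq 0) {
    Write-Output 'TDR values are at their defaults (no overrides present).'
} else {
    Write-Warning 'TDR registry values differ from the documented defaults:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on the host being checked; an override of TdrDelay or TdrLevel is a configuration change worth correlating with other endpoint telemetry rather than proof of compromise by itself.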

Moreover, GPU malware that keeps running inevitably consumes a lot of GPU resources, making the graphical interface and graphical applications sluggish, which users are bound to notice.

As for the claim that the code survives a reboot, Intel said that only data can persist, not executable code. If the malicious code is to survive a reboot, it must hide somewhere outside the GPU, where it is easy to detect.
