nach oben

International Journal of Information Security

Erschienen in:

01.06.2015 | Regular Contribution

GPU-assisted malware

verfasst von: Giorgos Vasiliadis, Michalis Polychronakis, Sotiris Ioannidis

Erschienen in: International Journal of Information Security | Ausgabe 3/2015

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Malware writers constantly seek new methods to increase the infection lifetime of their malicious software. To that end, techniques such as code unpacking and polymorphism have become the norm for hindering automated or manual malware analysis and evading virus scanners. In this paper, we demonstrate how malware can take advantage of the ubiquitous and powerful graphics processing unit (GPU) to increase its robustness against analysis and detection. We present the design and implementation of brute-force unpacking and runtime polymorphism, two code armoring techniques based on the general-purpose computing capabilities of modern graphics processors. By running part of the malicious code on a different processor architecture with ample computational power, these techniques pose significant challenges to existing malware detection and analysis systems, which are tailored to the analysis of CPU code. We also discuss how upcoming GPU features can be used to build even more robust and evasive malware, as well as directions for potential defenses against GPU-assisted malware.

Vorheriger Artikel A new algorithm for low-deterministic security

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

AMD offers a similar SDK for its ATI line of GPUs [4].

Amazon.com: Online shopping for electronics, apparel, computers, books, DVDs, & more. http://www.amazon.com

AMD loses share on graphics market. http://www.xbitlabs.com/news/video/display/20101026180100_AMD_Loses_Share_on_Graphics_Market.html

Advanced Micro Devices, Inc.: AMD I/O virtualization technology (IOMMU) specification license agreement. http://support.amd.com/us/Processor_TechDocs/48882.pdf

AMD: ATI Stream Software Development Kit (SDK) v2.1. http://developer.amd.com/gpu/ATIStreamSDK/Pages/default.aspx

Bayer, U., Nentwich, F.: Anubis: analyzing unknown binaries. http://anubis.iseclab.org/ (2009)

Biondi, P., Desclaux, F.: Silver needle in the Skype. BlackHat Europe (2008)

Cappaert, J., Preneel, B., Anckaert, B., Madou, M., Bosschere, K.D.: Towards tamper resistant code encryption: practice and experience. In: Proceedings of the 4th Information Security Practice and Experience Conference (ISPEC) (2008)

Eagle, C.: Strike/counter-strike: reverse engineering Shiva. BlackHat Federal (2003)

Elcomsoft: Faster password recovery with modern GPUs. http://www.elcomsoft.com/presentations/faster_password_recovery_with_modern_GPUs.pdf

10.

Ferrie, P.: Anti-unpacker tricks. In: Proceedings of the 2nd International CARO Workshop (2008)

11.

GPU-accelerated Wi-Fi password cracking goes mainstream. http://www.zdnet.com/blog/security/gpu-accelerated-wi-fi-password-cracking-goes-mainstream/2419

12.

Giunta, G., Montella, R., Agrillo, G., Coviello, G.: gVirtuS: A GPGPU transparent virtualization component. http://osl.uniparthenope.it/projects/gvirtus/

13.

grugq, scut: Armouring the ELF: binary encryption on the UNIX platform. Phrack 11(58), Dec 2001

14.

Harrison, O., Waldron, J.: Practical symmetric key cryptography on modern graphics hardware. In Proceedings of the 17th USENIX Security Symposium (2008)

15.

Intel Corporation: Intel virtualization technology for directed I/O—architecture specification. http://download.intel.com/technology/computing/vptech/Intel(r)_VT_for_Direct_IO.pdf

16.

John the Ripper password cracker. http://www.openwall.com/john/

17.

Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM) (2007)

18.

Khronos Group: OpenCL—the open standard for parallel programming of heterogeneous systems. http://www.khronos.org/opencl/

19.

Koromilas, L., Vasiliadis, G., Manousakis, I., Ioannidis, S.: Efficient software packet processing on heterogeneous and asymmetric hardware architectures. In: Proceedings of the 10th ACM/IEEE Symposium on Architecture for Networking and Communications Systems, ANCS (2014)

20.

Kruegel, C., Kirda, E., Bayer, U.: TTAnalyze: a tool for analyzing malware. In: Proceedings of the 15th European Institute for Computer Antivirus Research Annual Conference (EICAR), April 2006

21.

Ladakis, E., Koromilas, L., Vasiliadis, G., Polychronakis, M., Ioannidis, S.: You can type, but you can’t hide: a stealthy GPU-based keylogger. In: Proceedings of the 6th European Workshop on System Security (EuroSec) (2013)

22.

Lee, S., Kim, Y., Kim, J., Kim, J.: Stealing webpages rendered on your browser by exploiting GPU vulnerabilities. In: Proceedings of the 2014 IEEE Symposium on Security and Privacy, SP ’14 (2014)

23.

Martignoni, L., Christodorescu, M., Jha, S.: OmniUnpack: fast, generic, and safe unpacking of malware. In: Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) (2007)

24.

Maurice, C., Neumann, C., Heen, O., Francillon, A.: Confidentiality issues on a GPU in a virtualized environment. In: Proceedings of the Eighteenth International Conference on Financial Cryptography and Data Security, FC 14, March 2014

25.

Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the 28th IEEE Symposium on Security and Privacy (2007)

26.

NVIDIA SLI Multi-OS. http://www.nvidia.co.uk/object/sli_multi_os.html

27.

NVIDIA: Compute Unified Device Architecture (CUDA) Toolkit, version 3.2. http://developer.nvidia.com/object/cuda_3_2_downloads.html

28.

Pietro, R.D., Lombardi, F., Villani, A.: CUDA leaks: information leakage in GPU architectures. ArXiv, May 2013

29.

Reynaud, D.: GPU powered malware. Ruxcon (2008)

30.

Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC) (2006)

31.

Russian crackers throw GPU power at passwords. http://arstechnica.com/business/news/2007/10/russian-crackers-throw-gpu-power-at-passwords.ars

32.

Sang, F.L., Lacombe, E., Nicomette, V., Deswarte, Y.: Exploiting an I/OMMU vulnerability. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)

33.

Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: Proceedings of the 30th IEEE Symposium on Security and Privacy (2009)

34.

Stewin, P., Bystrov, I.: Understanding DMA malware. In: Proceedings of the 9th Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA2012, July 2012

35.

Stewin, P., Seifert, J.-P., Mulliner, C.: Poster: towards detecting DMA malware. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS ’11, pp. 857–860 (2011)

36.

Ször, P.: The Art of Computer Virus Research and Defense. Addison-Wesley Professional, Reading (2005).

37.

Vasiliadis, G., Polychronakis, M., Ioannidis, S.: GPU-assisted malware. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALWARE) (2010)

38.

Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5(2), 32–39 (2007)CrossRef

39.

Wojtczuk, R., Rutkowska, J., Tereshkin, A.: Another way to circumvent Intel trusted execution technology. http://invisiblethingslab.com/resources/misc09/Another%20TXT%20Attack.pdf (2009)

Titel: GPU-assisted malware
verfasst von: Giorgos Vasiliadis
Michalis Polychronakis
Sotiris Ioannidis
Publikationsdatum: 01.06.2015
Verlag: Springer Berlin Heidelberg
Erschienen in: International Journal of Information Security / Ausgabe 3/2015
Print ISSN: 1615-5262
Elektronische ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-014-0262-9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 3/2015

Detection and analysis of eavesdropping in anonymous communication networks

A new algorithm for low-deterministic security

Automated inference of past action instances in digital investigations

Analysis of two authorization protocols using Colored Petri Nets

Premium Partner