The report summarises the statistical and analytical information about the past, present, and future of digital devices that suffer from cyber threats. The report is divided into three big sections: A retrospective analysis of the companiesâ combined efforts, new ways of stealing data, and research into GPU as a malware carrier.
One of the most significant discoveries in the first section became the observation of the cybercrime evolution. Historically, viruses were created by enthusiasts for recreational purposes while vile minds saw their potential and started using them for criminal activities such as stealing data, blocking access, and braking hardware. Today, as McAfee and Intel specialists note, the scale of cybercrime has risen to unprecedented levels. Nowadays, there are organized criminal groups who use malware to yield economic benefit and state-sponsored cyber defense and offense (or espionage) professionals with virtually unlimited resources. Among the newest advancement in malware was fileless intrusion. Since the devices and operating systems have grown in numbers, companies offer bounties to those who can detect a weak spot in the defenses. The total damage done by cybercrime in 2015 was estimated at $400 billion in the U.S. only (âMcAfee labs threats report: 2015,â 2018). The authors of the report also note that the existence of TOR and Bitcoin significantly increases the capabilities of criminals to remain undetected. In addition, the amount of specific knowledge required to participate in criminal activities has plummeted. One can now buy hacking hardware and software easily operatable by an average user. However, McAfee and Intel specialists say that corporations and governments unite their forces to catch criminals and protect the devices of users from attacks.
When it comes to places the criminals steal information from, the report notes that large retail networks often fall under attacks in point of sale systems where credit card data gets stolen. Developer workstations and control systems, if gained access to, could potentially inflict billions of dollars worth of damage. So-called domain generation algorithms can emulate domain names and control the information flow.
When GPU malware is concerned, there are certain ways to steal information through it. âWin_Jelly,â remote GPU control malware that allows a hacker to create executable code storage within the graphics processor. It is possible and highly dangerous due to the absence of GPU monitoring tools. To protect oneself against such threats, the report creators suggest updating OS and software frequently and refraining from using administrator mode for applications when possible. According to statistics, there are 1.2 million types of malware only on mobile devices. The Internet is also full of threats (âMcAfee labs threats report: 2015,â 2018). As of 25 million URLs that can potentially harm your device.
The Impact of GPU-Assisted Malware on Memory Forensics
A Case Study
The article narrates the ways how GPU malware can be hidden from detection and how a user can suspect that his or her GPU was attacked. Once the control over the graphics processor is gained, it can be programmed by desktop applications to take over the control over the hostâs memory, which makes this vector of attack even more dangerous. Balzarotti, Pietro, and Villani (2015) state that such a threat has been partly made so great by the fact that little or no software nowadays allows monitoring the processes that run within GPU. The researchers have been able to answer the question of whether or not a forensics expert can differentiate a GPU process from a foreign code. To be able to test it, the authors of the article used GPU-assisted malware and tested it in 4 different attack scenarios to reveal which scenario allows using memory analysis. For each scenario, a different Linux proof-of-concept was used.
The authors note that the experiment was held on integrated Intel GPUs, but the results may be extrapolated to discrete GPUs. Malware can gain access to GPU by bypassing âhangcheckâ in the Intel graphics driver that blocks kernels. To do so, the malware needs administrative privileges. It is also possible to gain access to GPU with user privileges, but the presence of malware could be traced by memory map, âlist kernelsâ or âlist processes.â As a result, 3 out of 4 attack scenarios were noticed by either of the forensic tools. The only untraceable variant of attack was to use super-user privileges together with the knowledge of driver data structure.
The authors devised their tools for marking the malwareâs presence. Among them is a hangcheck flag which allows monitoring the condition of this âwatchdog.â Lists of buffer objects and contexts are also helpful in detecting the threat as they allow viewing the information about driver status (whether its data structure was changed) and commands given by CPU to GPU. Register file parsed by authors allows monitoring of the internal structure of the GPU and is easily accessible through a central processor. The limitation of this study and the GPU forensic procedures is that there are too many combinations of graphics cards, central processors, and operating systems, which may require elaborating specific tools for each one. Fortunately, Linuxâs DRM simplifies the process of accessing viable data.
References
Balzarotti, D., Di Pietro, R., & Villani, A. (2015). The impact of GPU-assisted malware on memory forensics: A case study. Digital Investigation, 14, S16-S24.
McAfee labs threats report: 2015. (2018).Web.