The source code of both the Jellyfish Rootkit and the Demon keylogger, which are described as proof-of-concepts malware, have been published on Github.

Until now, security researchers have discovered nasty malware running on the CPU and exploiting the GPU capabilities in an attempt to mine cryptocurrencies such as Bitcoins.

However, these two malware could operate without exploiting or modifying the processes in the operating system kernel, and this is why they do not trigger any suspicion that a system is infected and remain hidden.

Jellyfish is capable of running on Nvidia, AMD, and Intel hardware (this last thanks to support from AMD’s APP SDK). The advantage of using a GPU to perform system snooping and keylogging is substantial. If you stop and think about it, there are a variety of methods to determine exactly what is running on your CPU. From the Windows Task Manager to applications like Process Explorer, there are built-in or free tools that will help you isolate exactly which processes are being called and what those processes are doing. Malware detection software is more complex, but it offers an even deeper window into process analysis.

Contrast that with GPUs. In terms of freeware utilities, you’ve got GPU-Z and a handful of other applications that provide a similar “GPU Load” monitoring function. Nvidia, AMD, and Intel all provide some basic profiling tools that can be used to analyze a GPU’s performance in a specific application, but these toolkits plug into existing software packages, like Visual Studio. They don’t take a snapshot of what’s running on the GPU in general — they allow you to monitor code that you’ve explicitly told to run on the GPU.

Hackers and researchers have been exploring more of what a GPU can be used for and come away with some interesting results, including a project last year that turned a graphics card into a keylogger. As they noted at the time, “By instructing the GPU to carefully monitor via DMA the physical page where the keyboard buffer resides, a GPU-based keylogger can record all user keystrokes and store them in the memory space of the GPU.”

For those of you wondering about using a simple GPU load monitor to catch this work, it’s not really feasible — the estimated CPU and GPU utilization was ~0.1%. The Jellyfish rootkit discussed above doesn’t just have the ability to transmit information back across a network — it can theoretically remain resident in between warm reboots of the target system.