GPU-Acceleration in the Malware Scene

As there is proof-of-concept (PoC) malware code out there which uses the GPU (the Graphics Processing Unit of the computer), we need to think about GPGPU (General-Purpose computing on Graphics Processing Units) technology as well.

Malware

GPU-assisted malware cannot execute any API calls of the operating system directly. However, it is possible to use GPGPU instructions for encryption and decryption, code generation or code transformation. The harmful code of such malware still must be executed on the CPU of the system. This is also what happens in the PoC.

Apparently, it took the researchers quite some time to produce such GPU-assisted malware code. Obviously, it is non-trivial to implement, as GPGPU code can be highly complex.

While writing GPU code is certainly not beyond the abilities of many malware authors, there is another reason why widespread use of this technique within malware is unlikely: the differences in GPU architectures and computing capabilities make it necessary either to adapt the code to several platforms, or to lose many of the targeted systems because the malware won’t run properly on them. Additionally, there are many computers out there using, for example, Intel chipsets with integrated GPUs which don’t support GPGPU technology at all. Of course there are several APIs in existence that try to make many of these differences less of a hurdle, but the computing capabilities of the hardware, along with some oddities, may still require a lot of manual work to get things running properly on a vast number of different system configurations.

Ultimately, the cyber criminals would trade compatibility for complexity and in the end gain nothing. They cannot do anything that way which they couldn’t do using the usual CPU approach as well. Actually, large parts of the scenario are quite reminiscent of a few old DOS viruses, which used sliding windows for decryption/encryption, and of malware that relies on the hardware of a system in one way or the other.

Even better, doing such uncommon things with a GPU might just be a nice trigger for detection! However, that remains to be seen once we encounter real threats using such techniques in the wild.

Anti-Malware

So there are many plausible reasons why malware won’t be using GPGPU technology in the foreseeable future. But this technology might be interesting for the anti-malware industry as well; the promise of accelerated malware scans makes thinking about this technology necessary.

But this technology produces more problems than it solves. For example, efficient code may be highly platform specific (Nvidia, ATI, different computing capabilities).

Another problem lies in the interoperability with other programs. It is recommended to use an extra GPU for GPGPU tasks and not the one responsible for the display.

Also, the bottleneck for scanning malware within Avira AntiVir is the hard disk throughput. This can’t be accelerated by GPGPU. One proper way to improve performance would be using an SSD instead of a usual hard disk.

Algorithmically, very few tasks of an AV engine would see significant performance gains, as many algorithms are simply not fit for being ported to a GPU.

There exist some PoC implementations of GPGPU scanning. They show the limits mentioned before: they are mostly used for pattern matching with a special, limited set of signatures, and for a few simple algorithms like BASE64 decoding or hashing.

GPUs are very good at performing some tasks, and they can outperform CPUs by a large factor. But they are not equally good at all tasks. If they were, what would be the need for a CPU after all?

We keep on monitoring the malware scene closely. If it becomes necessary to add GPGPU scanning, we will implement it. For now, we believe the drawbacks are bigger than the potential advantages, especially for a product that is supposed to run on user systems.

Marcus Matten
Engine Research & Development