A proof of concept keylogging hack called Jellyfish has been in the news about security vulnerabilities in Windows and Linux systems, but according to ITWorld, a Mac version being worked on called MAC_JELLY. This malware takes advantage of the graphics processing environments on modern PC systems, allowing a hacker to inject code that will monitor the system by way of a unique remote access trojan (RAT). While demonstrated on Windows and Linux systems, Apple’s OpenCL environment leaves Macs vulnerable as well.
RATs and malware on PC systems are nothing new, and most instances of known malware run in the main operating system environment, utilizing the system’s central processor (CPU) for executing code, and storing necessary information in the system’s RAM. For the most part, this allows anti-malware tools to detect known malware, and shut them down. However, this is not the case for Jellyfish.
The computations performed by your computer’s graphics processor are more specialized, and revolve around massive parallel computations. These are largely used for 2D and 3D visuals, but can also be used to take on a number of other tasks. Along with the advancements in PC graphics processing capabilities has come separate process executing libraries that operate solely on the graphics processor.
Unfortunately, these libraries have opened up this execution environment to malware developers, and given that it has not been a route for known malware attacks, has somewhat slid under the radar of security companies. As such, most security software packages do not scan the graphics card’s execution environment (such as the video RAM), even if the video RAM is shared system memory. Basically, if malware exists in this RAM, then it will not be detected.
The specifics of how this malware infects systems is being kept under wraps until it can be properly addressed by Nvidia, AMD, Apple, and other parties. For now, if you are interested, the computer science group at Columbia University that found the vulnerability has its findings outlined in a brief publication (pdf).
While such proof of concept attacks show the security flaws in current computing infrastructure, it is good to keep in mind that these are simply demonstrations. Currently there are no known attacks for OS X and other platforms that use this mode of attack, and given that this exploit has come to light, there will be efforts taken to close the holes that allow it.
This news sounds concerning, but is primarily news because of the unique route by which this malware concept functions. This follows other exploits that have attempted to bypass OS X’s security, such as the recent Thunderstrike exploit where malware that could be passed to a system through a compromised Thunderbolt device, bypassing the operating system’s execution environment, and overwriting firmware.
Overall, your best bet for staying secure is to observe safe computing practices by avoiding installing any programs from unknown developers and from untrusted sources, and avoiding any underground Web sources, and torrent warez sites, among clicking links in e-mail spam. If an offer sounds too good, then it probably is, and is likely not worth the click.
Password required for infection?
So as is the usual case these days the user must be tricked into downloading a trojan and authenticating its operation. Once again the real vulnerability is between the ears of the person sitting at the keyboard.
After having fixed an issue involving software, I’ll sometimes tell people that (short version:) “it was a hardware problem” … and people who know me will know what I really meant — and it applies to lkrupp215’s comment, as well … (long version:) “there was a “nut loose” on my keyboard!”