Trojan boinc installation by rogue member

Message boards : Number crunching : Trojan boinc installation by rogue member


Saenger
Joined: 19 Sep 05
Posts: 271
Credit: 824,883
RAC: 0
Message 37016 - Posted: 20 Feb 2007, 18:10:30 UTC

I just found this post on the CPDN board:

The person in question is Wate, who is crunching (and abusing others) here as well. Is there anything being done about him (her)?
It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means.

In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits.

About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers.

The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers.

Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computer being similarly compromised by frauds and spammers?

* Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).

* Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.

* Download new programmes only through links on websites you thoroughly trust, or type the address yourself.

* Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.

* Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.

* If your computer behaves unexpectedly, post on the forums.


Here is Wate:

http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887

http://boinc.berkeley.edu/chart_list.php

http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule.



Greetings from Sänger
ID: 37016 · Rating: 1
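An added example, not from the thread or from BOINC's own code, of the project-side check that would have surfaced the pattern described above (one account gaining some 1500 hosts in a short period): it scans a host table for accounts that attach many new hosts inside a sliding time window. The column layout (hostid, userid, create_time) is assumed to follow BOINC's server host table; every row below is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a project 'host' table: (hostid, userid, create_time in UTC).
# Column names follow BOINC's server-side host table (an assumption); all rows are invented.
SAMPLE_HOSTS = [
    # userid 10: seven new hosts inside 17 hours, the shape a trojan roll-out leaves behind
    (1, 10, "2006-06-03 10:00:00"),
    (2, 10, "2006-06-03 10:12:00"),
    (3, 10, "2006-06-03 11:40:00"),
    (4, 10, "2006-06-03 13:05:00"),
    (5, 10, "2006-06-03 15:30:00"),
    (6, 10, "2006-06-03 20:00:00"),
    (7, 10, "2006-06-04 02:15:00"),
    # userid 20: an ordinary cruncher adding a machine now and then
    (8, 20, "2006-01-10 08:00:00"),
    (9, 20, "2006-03-22 19:30:00"),
    (10, 20, "2006-06-03 12:00:00"),
    # userid 30: a small lab cluster attached in one go (legitimate, but close to the line)
    (11, 30, "2006-05-15 09:00:00"),
    (12, 30, "2006-05-15 09:01:00"),
    (13, 30, "2006-05-15 09:02:00"),
    (14, 30, "2006-05-15 09:03:00"),
]

def max_hosts_in_window(times, window):
    """Largest number of host creations that fall within any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge of the window forward
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_mass_attachment(hosts, window=timedelta(days=1), threshold=5):
    """Return {userid: peak hosts per window} for accounts at or above `threshold`.

    A burst of new hosts on one account is the signature of the hijacked-installer
    scheme, but also of a real cluster, so the output is a review queue, not a verdict."""
    per_user = defaultdict(list)
    for _hostid, userid, created in hosts:
        per_user[userid].append(datetime.strptime(created, "%Y-%m-%d %H:%M:%S"))
    peaks = {uid: max_hosts_in_window(ts, window) for uid, ts in per_user.items()}
    return {uid: n for uid, n in peaks.items() if n >= threshold}

if __name__ == "__main__":
    for uid, n in flag_mass_attachment(SAMPLE_HOSTS).items():
        print(f"userid {uid}: {n} hosts attached within one day")
```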
Paydirt
Joined: 10 Aug 06
Posts: 127
Credit: 960,607
RAC: 0
Message 37021 - Posted: 20 Feb 2007, 18:46:31 UTC

Thanks for the heads up!
ID: 37021 · Rating: 0
Michael.L
Joined: 12 Nov 06
Posts: 67
Credit: 31,295
RAC: 0
Message 37022 - Posted: 20 Feb 2007, 19:07:55 UTC

Very many thanks to Saenger!
ID: 37022 · Rating: 0
River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 37034 - Posted: 20 Feb 2007, 21:52:30 UTC - in response to Message 37016.  
Last modified: 20 Feb 2007, 22:09:54 UTC

... some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers. ...


As I understand it, cpdn can abort a job at a trickle-up.

On its own this would not be much use, as the client would simply download another client. I wonder how easy it would be to have a 'badlist' of banned users so that the scheduler would simply refuse to issue more work to them. This might prove useful in other situations as well.

Just a thought. If anyone feels it is worth passing on, please repost on the BOINC forums.

And I too would like to join in the thanks to Saenger for re-posting this.

I have copied it across to LHC and LC.

River~~


ID: 37034 · Rating: 0
BennyRop
Joined: 17 Dec 05
Posts: 555
Credit: 140,800
RAC: 0
Message 37046 - Posted: 21 Feb 2007, 2:46:55 UTC

Since projects have the ip#s of the machines that are running the project under his name, they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used. While they won't give out their email addresses to Boinc or the projects, they should be willing to pass on that information to those affected, getting them to remove the client, or sign themselves up and join a team of their own choosing.

Seti was recently credited as being able to help track down a stolen laptop; so DC projects can be used to help identify systems being used on those projects.
ID: 37046 · Rating: 0
Saenger
Joined: 19 Sep 05
Posts: 271
Credit: 824,883
RAC: 0
Message 37048 - Posted: 21 Feb 2007, 5:25:13 UTC - in response to Message 37046.  

Since projects have the ip#s of the machines that are running the project under his name, they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used. While they won't give out their email addresses to Boinc or the projects, they should be willing to pass on that information to those affected, getting them to remove the client, or sign themselves up and join a team of their own choosing.

Seti was recently credited as being able to help track down a stolen laptop; so DC projects can be used to help identify systems being used on those projects.

Usually the IPs change quite often, some even daily, as most users are not on a permanent connection, quite a lot probably even on dial-in. To store all of them in some enormous database would probably put a lot of stress on the data servers.

The stolen puter was another matter. This was a single event with a single user, nothing to put a global drag net over every user.
ID: 37048 · Rating: 0
adrianxw
Joined: 18 Sep 05
Posts: 650
Credit: 11,637,805
RAC: 799
Message 37050 - Posted: 21 Feb 2007, 8:24:51 UTC
Last modified: 21 Feb 2007, 8:26:22 UTC

they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used.

I moderate a couple of forums. At times there have been abusers, and I have tried to remedy the problem via the perp's ISP. Frankly, I have never found an ISP prepared to take action against one of their customers, unless of course, they stop paying their bills.

Theoretically, from an IP address and an accurate date/time, server logs should be able to resolve a DHCP address to an end point.
Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.
ID: 37050 · Rating: 0
Feet1st
Joined: 30 Dec 05
Posts: 1755
Credit: 4,690,520
RAC: 0
Message 37066 - Posted: 21 Feb 2007, 14:20:20 UTC

Not through to an end-point... but through to a specific user's account. Yep. And the ISPs keep such logs and run other statistics over them. Timestamp, IP addr, account name, and perhaps duration... the files aren't unmanageably huge.
Add this signature to your EMail:
Running Microsoft's "System Idle Process" will never help cure cancer, AIDS nor Alzheimer's. But running Rosetta@home just might!
https://boinc.bakerlab.org/rosetta/
ID: 37066 · Rating: 0
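An added example, not from the thread, of the lookup adrianxw and Feet1st describe: a scheduler request's client IP and timestamp are matched against ISP DHCP lease intervals to find the subscriber account, and it deals with Saenger's point about changing addresses by letting the same IP belong to two subscribers on consecutive days. All log lines and lease records are constructed and the userid 12345 is a placeholder.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"   # every timestamp here is constructed in UTC; mixed zones must be normalised first

# Constructed scheduler-log lines: (request time, client IP, project userid the host reported).
SCHED_LOG = [
    ("2006-06-10 08:15:02", "24.10.5.77",  12345),
    ("2006-06-10 21:03:44", "24.10.9.130", 12345),
    ("2006-06-11 09:40:17", "24.10.5.77",  12345),
    ("2006-06-12 07:00:00", "24.10.5.77",  12345),   # later than any lease record we hold
    ("2006-06-10 10:00:00", "24.10.5.77",  99999),   # a different user, not of interest
]

# Constructed ISP DHCP lease records: (ip, lease start, lease end, subscriber account).
# 24.10.5.77 is handed to two different subscribers on consecutive days.
DHCP_LEASES = [
    ("24.10.5.77",  "2006-06-09 18:00:00", "2006-06-10 18:00:00", "acct-A"),
    ("24.10.5.77",  "2006-06-10 18:00:00", "2006-06-11 18:00:00", "acct-B"),
    ("24.10.9.130", "2006-06-10 12:00:00", "2006-06-11 12:00:00", "acct-C"),
]

def resolve_subscriber(ip, ts, leases=DHCP_LEASES):
    """Subscriber who held `ip` at instant `ts` (leases are half-open [start, end)), or None."""
    t = datetime.strptime(ts, FMT)
    for lease_ip, start, end, acct in leases:
        if lease_ip == ip and datetime.strptime(start, FMT) <= t < datetime.strptime(end, FMT):
            return acct
    return None   # no lease covers that instant: the IP alone cannot identify anyone

def affected_subscribers(userid, sched_log=SCHED_LOG, leases=DHCP_LEASES):
    """Group scheduler contacts made under `userid` by the subscriber behind each (ip, time)."""
    hits = {}
    for ts, ip, uid in sched_log:
        if uid != userid:
            continue
        hits.setdefault(resolve_subscriber(ip, ts, leases), []).append((ts, ip))
    return hits

if __name__ == "__main__":
    for acct, contacts in affected_subscribers(12345).items():
        print(acct or "unresolved (no lease record)", contacts)
```

An IP without an accurate timestamp resolves to nothing useful here, which is the reason the thread insists on both.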
Ensor
Joined: 7 Jan 07
Posts: 6
Credit: 27,111
RAC: 0
Message 37088 - Posted: 21 Feb 2007, 22:21:06 UTC - in response to Message 37050.  


....Frankly, I have never found an ISP prepared to take action against one of their customers, unless of course, they stop paying their bills....

Never a truer word said....

A few years ago I was on the receiving end of a torrent of spam from a US based spammer, 300+ spam emails PER DAY!!!! His ISP point blank refused to do anything to stop him from doing this - they were/are well known for harbouring spammers and offered accounts which they guaranteed would never be suspended, for any reason....

His spam stopped abruptly when his email address database, ahem, "somehow" got poisoned with the email addresses of the CEO and other high-ups at his ISP <EVIL CACKLE>.


TTFN - Pete.


ID: 37088 · Rating: 0
BennyRop
Joined: 17 Dec 05
Posts: 555
Credit: 140,800
RAC: 0
Message 37091 - Posted: 22 Feb 2007, 0:59:38 UTC

During the Nimda outbreak, most ISPs in the 24.x.x.x range seemed interested in Nimda infection reports so they could contact their clients and get the problem taken care of. And since I had someone in my area bring their machine in for cleaning that was told of their infection by our ISP, I got the impression that my communications with the security team bore fruit. With my experience, ISPs are willing to pass on information about infected machines to their clients. I wasn't after their email address, contact info, or trying to get them kicked off the ISP.. just get the machines cleaned up.
ID: 37091 · Rating: 0
Ensor
Joined: 7 Jan 07
Posts: 6
Credit: 27,111
RAC: 0
Message 37095 - Posted: 22 Feb 2007, 4:39:48 UTC - in response to Message 37091.  


....trying to get them kicked off the ISP.. just get the machines cleaned up.

All I was doing was asking the ISP concerned to enforce their own anti-spam policy, which they flatly refused to do.... :-(


TTFN - Pete.


ID: 37095 · Rating: 0
River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 37102 - Posted: 22 Feb 2007, 8:33:02 UTC - in response to Message 37095.  
Last modified: 22 Feb 2007, 8:33:47 UTC


....trying to get them kicked off the ISP.. just get the machines cleaned up.

All I was doing was asking the ISP concerned to enforce their own anti-spam policy, which they flatly refused to do.... :-(


TTFN - Pete.


In all fairness Pete, the ISP you mentioned was one that made money out of harbouring people who are 'wittingly' abusing others, i.e. spammers.

ISPs that make money out of offering customer service to folk who have unwittingly been caught in a scam will react differently.

My response would have been to start a DOS attack on the ISP, but the approach "someone" actually tried, effectively a DOS attack on their executive, is rather neat. If you <ahem> happen to identify the "someone" give them my congratulations ;-)

ID: 37102 · Rating: 0
Misfit
Joined: 17 Sep 05
Posts: 79
Credit: 171
RAC: 0
Message 37137 - Posted: 23 Feb 2007, 1:35:29 UTC

Rosetta Admin should remove all of Wate's credits. That way when the stats update he loses everything.
me@rescam.org
ID: 37137 · Rating: 1
Nightbird
Joined: 17 Sep 05
Posts: 70
Credit: 32,418
RAC: 0
Message 37239 - Posted: 27 Feb 2007, 22:13:30 UTC - in response to Message 37137.  

Rosetta Admin should remove all of Wate's credits. That way when the stats update he loses everything.

I wonder if any admin here reads this topic.

ClimatePrediction : 3,631,651 credits -> zeroed
Einstein@home : 2,463,297.43 credits -> zeroed
PrimeGrid : + 930,000 credits -> zeroed
Simap : 94,494 credits -> zeroed




ID: 37239 · Rating: 0
David E K
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Jul 05
Posts: 1018
Credit: 4,334,829
RAC: 0
Message 37240 - Posted: 27 Feb 2007, 22:37:57 UTC

did it.
ID: 37240 · Rating: 0
River~~
Joined: 15 Dec 05
Posts: 761
Credit: 285,578
RAC: 0
Message 37346 - Posted: 3 Mar 2007, 19:33:13 UTC - in response to Message 37240.  

did it.


Thanks David
ID: 37346 · Rating: 0

©2024 University of Washington
https://www.bakerlab.org