Trojan boinc installation by rogue member

Message boards : BOINC Manager : Trojan boinc installation by rogue member

mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 8318 - Posted: 20 Feb 2007, 12:55:24 UTC
Last modified: 20 Feb 2007, 13:26:12 UTC

It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means.

In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates, including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates', which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits.

About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers.

The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers.

Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computers being similarly compromised by frauds and spammers?

* Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).

* Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.

* Download new programmes only through links on websites you thoroughly trust, or type the address yourself.

* Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.

* Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.

* If your computer behaves unexpectedly, post on the forums.


Here is Wate:

http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887

http://boinc.berkeley.edu/chart_list.php

http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule. And members of other projects are welcome to copy this post to their own forums.

Mo (cpdn)

____________
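The advice in the post above boils down to two checks an owner can make: is a BOINC client running on this machine, and which project account is it attached to? The trojan described in the thread worked by attaching victims' computers to someone else's account, so the account key is the thing to compare. The script below is an added example for this thread, not code from the post or from the BOINC project. It assumes a process listing in the CSV shape that Windows `tasklist /fo csv` prints and BOINC account files named account_*.xml containing <master_url> and <authenticator> elements; both are assumptions, and the sample process list and account file are constructed.

```python
"""Added example, not code from the thread or from the BOINC project.

Goal: report whether a BOINC client is running on a Windows machine and whether
the project accounts it is attached to are ones the owner set up.

Assumptions (not stated on the page): the process list has the CSV shape that
`tasklist /fo csv` prints, and each attached project is recorded in the BOINC
data directory as account_<host>.xml with <master_url> and <authenticator>
elements. All sample inputs below are constructed for the demo.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample of `tasklist /fo csv` output.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","1,234 K"
"explorer.exe","1532","Console","1","45,000 K"
"boinc.exe","2240","Services","0","12,344 K"
"cpdn_climate_3.xx_windows_intelx86.exe","2301","Services","0","310,112 K"
"notepad.exe","2788","Console","1","5,200 K"
'''

# Constructed account file; the authenticator value is a placeholder.
SAMPLE_ACCOUNT_XML = '''<account>
    <master_url>http://climateprediction.net/</master_url>
    <authenticator>0123456789abcdef0123456789abcdef</authenticator>
    <project_name>climateprediction.net</project_name>
</account>
'''

# BOINC client binaries, plus science apps built for the Windows platform names
# BOINC uses (assumed naming convention).
BOINC_PROCESS_RE = re.compile(
    r"^(boinc|boincmgr|boinccmd)\.exe$|_windows_(intelx86|x86_64)\.exe$", re.I)


def find_boinc_processes(tasklist_csv):
    """Return [(image_name, pid), ...] for every process that looks like BOINC."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = row["Image Name"]
        if BOINC_PROCESS_RE.search(name):
            hits.append((name, int(row["PID"])))
    return hits


def parse_account_file(xml_text):
    """Pull project URL, name and authenticator out of one account_*.xml."""
    root = ET.fromstring(xml_text)
    return {
        "master_url": (root.findtext("master_url") or "").strip(),
        "project_name": (root.findtext("project_name") or "").strip(),
        "authenticator": (root.findtext("authenticator") or "").strip(),
    }


def mask(secret):
    """Show only the tail of an account key so a report can be posted safely."""
    return "..." + secret[-4:] if len(secret) > 4 else "****"


def assess(tasklist_csv, account_files, known_authenticators):
    """Classify the machine.

    known_authenticators: account keys the owner deliberately uses (empty if
    the owner never installed BOINC). Returns (verdict, boinc_processes,
    unknown_accounts) with verdict 'clean', 'expected' or 'unexpected'.
    """
    procs = find_boinc_processes(tasklist_csv)
    accounts = [parse_account_file(text) for text in account_files]
    unknown = [a for a in accounts if a["authenticator"] not in known_authenticators]
    if not procs and not accounts:
        return "clean", procs, unknown
    if unknown or not known_authenticators:
        return "unexpected", procs, unknown
    return "expected", procs, unknown


if __name__ == "__main__":
    # The owner of this sample machine never installed BOINC, so no keys are known.
    verdict, procs, unknown = assess(SAMPLE_TASKLIST, [SAMPLE_ACCOUNT_XML], set())
    print("verdict:", verdict)
    for name, pid in procs:
        print(f"  running: {name} (PID {pid})")
    for acct in unknown:
        print(f"  attached to {acct['master_url']} with unknown key {mask(acct['authenticator'])}")
```

On a real machine you would feed `assess` the output of `tasklist /fo csv` and the contents of every account_*.xml under the BOINC data directory; a verdict of "unexpected" means either BOINC is running on a machine whose owner never installed it, or it is attached under an account key the owner does not recognise, which is exactly the situation the affected laptop owner in this thread was in.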

LucaB76 - BOINC.Italy
Joined: 6 Feb 07
Posts: 19
Italy
Message 8325 - Posted: 20 Feb 2007, 22:57:17 UTC - in response to Message 8318.

Thanks for your post, mo.v!

When the victim of the infection came to our forum, we helped in every possible way, but all our efforts were, at first, unsuccessful. Then we started to understand that something "unusual" was running on his notebook.

So we asked him to save & send the infected directories... and we discovered the truth! An ugly trick from an irresponsible user... and he risked losing his laptop and, most important, his work.

With this post I wish to thank every project staff member who replied to our forum moderator, GHz, for having made every effort to stop "Wate".

Let's hope that this problem won't happen again!

Greetings from Italy
by LucaB76 & BOINC.Italy
____________

mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 8327 - Posted: 21 Feb 2007, 0:35:24 UTC

Many thanks to all the Italian participants who helped with this difficult investigation. Your collaboration was important for the integrity of our projects.

Many thanks to all the Italian boinc members who helped in this investigation.
____________

GHz
Joined: 21 Jan 07
Posts: 4
Italy
Message 8332 - Posted: 21 Feb 2007, 6:34:45 UTC
Last modified: 21 Feb 2007, 6:39:39 UTC

Hi mo.v,
thanks for informing the whole BOINC community about the "Wate" problem.

We are happy to have contributed to discovering and stopping it.

I first contacted Dr. David to explain the problem to him, and the day after we contacted all the projects concerned (thanks to LucaB for his effort in this phase too!). The first project that blocked Wate's account was Rosetta, and after that CPDN, where the account was totally deleted (that is the best thing we hoped for for that bad user!). After that all the other projects blocked his account (the last was BURP, yesterday, where Wate is ranked #1!). I can't verify it on Predictor and SIMAP because I don't have his account key for those projects. When the infected user sent me the BOINC folder for the analysis, I checked some of Wate's accounts, and the thing that impressed me so much was the very high number of infected hosts listed!

When we tried to investigate the cause of the infection, the infected user said that he had downloaded a suspect file from P2P that could be the cause of the problems. I tried to download the same file, and I discovered that it was a trojan/backdoor, and I think that is the method used by Wate (I didn't execute it to test :P). So I recommend using a good antivirus program and always paying attention to what we download from unknown sources.

We are happy that now the Wate game is over. Thanks to the infected user for his collaboration in resolving the mystery, and thanks to all the other BOINC.Italy members who have helped and contributed in some way, first of all LucaB. Thanks also to Dr. David and to all the projects' admins.

Bye,
Paolo (GHz)
BOINC.Italy team
____________

Saenger
Joined: 9 Nov 05
Posts: 123
Germany
Message 8334 - Posted: 21 Feb 2007, 9:20:18 UTC

Thanks to all involved in the removal of this ***** (insert your smear word of choice).

Thanks GHz for his efforts.

Thanks to the unknown (and involuntary) cruncher for his/her cooperation.

Thanks to the guys 'n' gals at the projects for dealing with this ***** quite fast (the remaining ones will follow soon I hope).


____________
Greetings from Saenger

For questions about Boinc look in the BOINC-Wiki

mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 8335 - Posted: 21 Feb 2007, 11:01:19 UTC

Thank you to the members of Boinc Italy for all the information. If you have some way of contacting your anonymous informant (private message or email?), would you please say thank you to him from us all.
____________

SekeRob
Joined: 25 Aug 06
Posts: 1417
Message 8359 - Posted: 22 Feb 2007, 19:08:03 UTC - in response to Message 8335.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.


When looking at the WCG BOINC country stats for Italy, there is a one-day negative bar greater than a day's worth of country production! One can guess what happened on Feb 11, 2007.



____________
Coelum Non Animum Mutant, Qui Trans Mare Currunt

Nicolas
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 8360 - Posted: 22 Feb 2007, 19:47:12 UTC

Primegrid has 10 days worth of total project credits decreased. See graphs for total credit and credit per day.

GHz
Joined: 21 Jan 07
Posts: 4
Italy
Message 8362 - Posted: 22 Feb 2007, 21:20:38 UTC - in response to Message 8335.

Thanks to all involved in the removal of this ***** (insert your smear word of choice).

Thanks GHz for his efforts.

Thanks to the unknown (and involuntary) cruncher for his/her cooperation.

Thanks to the guys 'n' gals at the projects for dealing with this ***** quite fast (the remaining ones will follow soon I hope).
Thank you to the members of Boinc Italy for all the information. If you have some way of contacting your anonymous informant (private message or email?), would you please say thank you to him from us all.


Of course, I've sent him a message about it, with a link to this thread too ;)

Bye,
Paolo - GHz
____________

Studebaker Hawk
Joined: 21 Feb 07
Posts: 22
Canada
Message 8382 - Posted: 23 Feb 2007, 7:58:27 UTC - in response to Message 8362.


I am glad Wate was caught and "discredited" but he did not get the punishment he deserves. The police should have been informed before any action was taken by any of the project admins. The police might have been able to trick Wate and lure him out of his hiding place then arrest him and put him in jail where he belongs. Now he has been warned so now he will disappear and escape punishment.

When a crime has been committed it is important to always inform the police first before doing anything unless someone is in immediate and grave danger. The police are trained and experienced in criminal matters, we are not. We should report crimes to them first and avoid alerting the criminal. Then it is easier to catch him. If the police decide they cannot investigate then we still have the option to take the matter into our own hands.

I hope project admins learn from the mistake they made with Wate. I hope this mistake is not repeated in the future. You can be sure more people will try Wate's method because now they have the impression project admins will not inform the police. Project admins have thus made the problem worse not better.

Miko
Joined: 1 Sep 06
Posts: 10
Austria
Message 8386 - Posted: 23 Feb 2007, 10:35:10 UTC - in response to Message 8382.
Last modified: 23 Feb 2007, 10:40:28 UTC

WOW...

For sure I didn't want to help Wate, he's an ...hole!!!

But i think it's not the BOINC community's (Berkeley's or the project's) work to punish Wate!
He could, or should be punished, but not by BOINC or the projects!

The users with Wate's software and the unwanted BOINC, living in the same country as Wate, should go to the police!
They are able to show their computers and are able to tell the police the URL of the download page...
I'm sure if the police ask the project leaders they will give all the info needed to punish Wate by law...
But what is it? They can just say that there is a user called Wate and they could tell the number of his credits. And his email address, but if he's clever, and I think so, he used an instant mail account like "Temporary Inbox"...

I don't know, but maybe Wate put his BOINC trojan into a cracked software version...
So the "damaged" users are subject to punishment by law also!
And they are punished by Wate enough...

Or in easy words:
The people with the most troubles / damage should cry for a punishment and call the police!

Investigating Wate's "kind of work" and making it public to the community was a really good job!
Thank You!!!

____________

Message 8388 - Posted: 23 Feb 2007, 15:24:42 UTC

I wouldn't call deletion of credits etc. punishment. I mean, it's not like prison time or anything like that. Deletion of credits is, in my humble view, a fair measure to the rest of the community - as long as the rest of the community isn't affected as well, which it seems to me that it has been. By that I mean there was good work done, involuntarily by some people, but deletion of credits should only affect the perpetrator - not be subtracted from project, country etc. as they weren't the perpetrators. For the future, perhaps there should be a dummy account to which the credits are transferred - I mean, the credits still represent work done, right?
____________

Carl Christensen
Joined: 20 Oct 06
Posts: 30
United States
Message 8389 - Posted: 23 Feb 2007, 15:42:15 UTC - in response to Message 8388.

I think the problem is that it's up to the people affected to report it and follow through. I imagine that they're more embarrassed that they fell for something like this.

It's basically been a glorified "phishing" attack -- i.e. if someone sets up a phony server that looks like, say, Barclays Bank, and emails a million people that their "Barclay Bank details need updating," and fools a few out of that million; you can't blame Barclay's Bank for it.

____________

Studebaker Hawk
Joined: 21 Feb 07
Posts: 22
Canada
Message 8395 - Posted: 23 Feb 2007, 22:34:27 UTC - in response to Message 8386.

I'm sure if the police ask the project leaders they will give all the info needed to punish Wate by law...
But what is it? They can just say that there is a user called Wate and they could tell the number of his credits. And his email address, but if he's clever, and I think so, he used an instant mail account like "Temporary Inbox"...


You might be right, Wate may be very clever. Or maybe he is not very clever. Remember, the police can be very clever too. We should never assume he cannot be caught. We must first go to the police and let them try. It was not necessary for CPDN or anybody to act so quickly. There was no benefit from acting quickly. They should have taken time to think carefully and find the best solution not just the fast solution.


I don't know, but maybe Wate put his BOINC trojan into a cracked software version...
So the "damaged" users are subject to punishment by law also!
And they are punished by Wate enough...


But CPDN can prove that thousands were tricked by Wate so then the police will realise they are innocent. They have nothing to fear.

Message 8396 - Posted: 23 Feb 2007, 23:58:04 UTC - in response to Message 8389.

I think the problem is that it's up to the people affected to report it and follow through. I imagine that they're more embarrassed that they fell for something like this.


Probably - same goes for a lot of companies whose network vulnerabilities have been taken advantage of - but people should put their embarrassment aside, or else they would actually be aiding the perpetrators. If you don't talk, you let them walk...

It's basically been a glorified "phishing" attack -- i.e. if someone sets up a phony server that looks like, say, Barclays Bank, and emails a million people that their "Barclay Bank details need updating," and fools a few out of that million; you can't blame Barclay's Bank for it.


Precisely. Personally I don't go around blaming eBay for all the phishing mails I get in their name. But I'm pretty sure that some do, and eBay loses on that account - which in turn may make eBay's users into a losing party on that same account.

pschoefer
Joined: 5 Aug 06
Posts: 44
Germany
Message 8770 - Posted: 15 Mar 2007, 16:53:32 UTC

What a shame!
Wate is the featured volunteer of the day!
____________

Richard Haselgrove
Help desk expert
Joined: 5 Oct 06
Posts: 1745
United Kingdom
Message 8771 - Posted: 15 Mar 2007, 17:23:06 UTC - in response to Message 8770.
Last modified: 15 Mar 2007, 17:32:53 UTC

What a shame!
Wate is the featured volunteer of the day!

Actually, it's not "volunteer of the day", but "random volunteer of the moment" - just try hitting 'refresh' when viewing the front page. But I'm not surprised you jumped to that conclusion - it gave me quite a turn the first time I saw his/her name on the page, just after the story had broken.

But on a more serious note - shouldn't the account have been purged by now? It's almost a month since the problem was first spotted.

[Edit - especially since the wording visitors see is "Wate is contributing 283 billion floating-point operations per second (GFLOPS)". Does the fact that his/her project percentages add up to 10.1% mean that some projects have purged the data, or just that there's a margin-width bug in the pie-chart generator? /edit]
____________

mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 8774 - Posted: 15 Mar 2007, 22:32:31 UTC
Last modified: 15 Mar 2007, 22:52:14 UTC

Is this where you saw W's name? (I'm not even prepared to use his full name in a post because he's probably also a Google-rating junkie.)

http://boinc.berkeley.edu/

Carl at cpdn purged all his credits, both real and spurious. As far as I know, the other projects scrambled his account details eg changing his password and email address so that the project accounts became inaccessible to him and unusable. But both types of action still leave his name there in the memberlists.

There's the boinc featured member of the day, and the same for each project. Do members need to have a profile to be selected by project servers? When I first started searching W's history, I don't think I found any profiles.

Later....by repeated clicking, I got his name to reappear. It linked to this boinc page for him

http://boinc.netsoft-online.com/get_user.php?cpid=76db680ba32bbff7599ce4aa12d06341&html=1

It looks as if the hijacked computers are still producing 283 billion gigaflops, which isn't good. And if I've understood the graphs correctly, his credits are building up again, except for Einstein. I'd like to know whether Einstein treated W's account differently. Or whether the Einstein server is broken.


____________

Richard Haselgrove
Help desk expert
Joined: 5 Oct 06
Posts: 1745
United Kingdom
Message 8775 - Posted: 15 Mar 2007, 22:41:57 UTC - in response to Message 8774.

Is this where you saw W's name? (I'm not even prepared to use his full name in a post because he's probably also a Google-rating junkie.)

http://boinc.berkeley.edu/

Yes, that's where we saw it - but it's just a random pick from http://boinc.berkeley.edu/chart_list.php, where he's static at number 11.
____________

mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 8777 - Posted: 15 Mar 2007, 23:01:32 UTC
Last modified: 15 Mar 2007, 23:07:23 UTC

Yes, he was #4 in the multi-project list, but being #11 worldwide could still induce in him a perverse pleasure.

Assuming that the infected peer-to-peer file is still available for download on one of the music or film-clip sites, I wonder whether having scrambled accounts actually makes it impossible for new computers to be added.

I think I'll ask one of the cpdn programmers to have a look at the last few posts here.
____________


Copyright © 2016 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.