Trojan found in Boinc Data

log in

Advanced search

Message boards : Questions and problems : Trojan found in Boinc Data

Author Message
Richard
Send message
Joined: 21 Dec 10
Posts: 1
Message 36172 - Posted: 21 Dec 2010, 16:51:22 UTC

I awoke today to find the following info from my antivirus scan today and I must say I am none to happy with it:

Date/Time,Affected Files,Threat,Source,Response
12/21/2010 12:44 AM,C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe,TROJ_GEN.FA2CZLJ,Threat,Removed
12/21/2010 1:48 AM,C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe,TROJ_GEN.FA2CZLJ,Threat,Removed
12/21/2010 1:48 AM,C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe,TROJ_GEN.FA2CZLJ,Threat,Removed
12/21/2010 1:49 AM,C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe,TROJ_GEN.FA2CZLJ,Threat,Removed
12/21/2010 2:03 AM,C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe,TROJ_GEN.FA2CZLJ,Threat,Removed

I have posted the same info on the Seti forums and want an explanation as to why data files are not scaned by SETI or Bonic before they are uploaded to peoples computers who are giving of their computer time to help

Profile Ageless
Volunteer moderator
Project administrator
Avatar
Send message
Joined: 29 Aug 05
Posts: 9096
Message 36173 - Posted: 21 Dec 2010, 17:49:30 UTC - in response to Message 36172.

This is what's called in the trade a "false positive". Something in your antivirus scanner's scanning ability changed by which it sees things that aren't there. Easily tested by going to http://www.virustotal.com and inputting the setiathome_6.03_windows_intelx86.exe into the scanner there. Then the file is scanned by 30+ AV scanners. And only if most all say there's something wrong, there will be something wrong.

If something is wrong, it's 99.99% of the time an infection that happened on your system. Projects mainly make their science applications on Linux computers and distribute them from there. This means that the chance they are infected with whatever is minimal at best, as there's not many virus writers who write virii for this platform.
____________
Jord

BOINC FAQs.

mo.v
Avatar
Send message
Joined: 13 Aug 06
Posts: 778
Message 36174 - Posted: 21 Dec 2010, 18:03:37 UTC

That looks very worrying.

Could you please give us a link to your thread on the Seti forum so we can see what is said there?

Am I right in thinking that what your AV scanner has identified as a trojan or containing a trojan is files for this particular Seti task type in your Boinc Data folder? It's difficult to tell whether it's identified 5 different tasks or 5 files from the same task.

Which AV have you got? Is it bundled with a firewall or have you got that separately?

I'm not taking what you say and have shown as prima facie evidence of the presence of a trojan. It may be but I'm not sure yet. For example, quite a few AVs immediately think that CPDN climate models are a risk and block them from running unless the member excludes Boinc and CPDN from scans and/or puts these folders into the AV's trusted section. CPDN has members whose AVs won't let them run anything because they haven't done this; all their tasks crash because the AV blocks them, thinking they're risky or dangerous. But other people with different AVs run the same climate model types with no trouble at all and without needing to tell the AV that these folders should be considered safe.

Of course, classifying files as safe requires the member to trust both Boinc and the project.

I will be interested to see how these tasks and their files are treated by the AVs of other Seti members who've downloaded the same task type.

Claggy
Send message
Joined: 23 Apr 07
Posts: 930
Message 36175 - Posted: 21 Dec 2010, 18:11:00 UTC - in response to Message 36174.

setiathome_6.03_windows_intelx86.exe is the Stock CPU app for Setiathome Enhanced Multibeam tasks and a has been in use for a couple of years now,

Claggy

Profile Ageless
Volunteer moderator
Project administrator
Avatar
Send message
Joined: 29 Aug 05
Posts: 9096
Message 36176 - Posted: 21 Dec 2010, 21:21:56 UTC - in response to Message 36174.
Last modified: 21 Dec 2010, 21:22:35 UTC

I will be interested to see how these tasks and their files are treated by the AVs of other Seti members who've downloaded the same task type.

Seti is down at the moment due to big maintenance (moving of database files to the new server).

Yet before they went down, 3 different people had started 3 different threads already complaining how their Trend Micro would all of a sudden make a fuss of Seti's app, it being purportedly 'infected' with a Trojan horse virus.

When your AV will Monday say there's nothing to worry about, then get an update in between Monday and Tuesday, to go Tuesday say that Seti's app is infected with a Whatdowehavehere virus, then it's 99% sure that it's your freshly updated AV scanner that's doing it and seeing it wrong.

This isn't the first time that we have seen on any project that a freshly updated AV scanner went nuts about project applications. Then at the next update of their Av scanner, things would go back to normal. The user though is usually in complete panic and blaming projects and program makers for adding things, over absolutely completely nothing.
____________
Jord

BOINC FAQs.

Richard Haselgrove
Send message
Joined: 5 Oct 06
Posts: 1288
Message 36185 - Posted: 23 Dec 2010, 1:16:45 UTC

Since nobody has reported back on this, I've done my own test.

VirusTotal test results have been posted in the SETI@home News message board area, where the first warning was posted.

Note my comment on methodology - I pasted the download url for the SETI file directly into VirusTotal, so the file was downloaded directly from Berkeley to VirusTotal with no risk of contamination or modification on my machine.

mo.v
Avatar
Send message
Joined: 13 Aug 06
Posts: 778
Message 36187 - Posted: 23 Dec 2010, 2:54:38 UTC

Thanks for carrying out the test.

Sometimes my AV (AVG freebie) asks me 'What's this?' and asks me to report on something new. Until now I've always declined to fill in the AVG report form in case it's very complicated, but to some extent the AV companies do depend on their clients making the effort to explain what apps consist of.

Message boards : Questions and problems : Trojan found in Boinc Data


BOINC home page · Log in · Create account

Copyright © 2014 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.