Trojan boinc installation by rogue member

Message boards : BOINC Manager : Trojan boinc installation by rogue member
mo.v
Joined: 13 Aug 06
Posts: 778
United Kingdom
Message 9064 - Posted: 24 Mar 2007, 16:06:38 UTC

As the originator of the announcement, I've now posted my lengthy email to Mr Braun.
ID: 9064
adrianxw
Joined: 2 Oct 05
Posts: 347
Denmark
Message 9066 - Posted: 24 Mar 2007, 16:20:37 UTC
Last modified: 24 Mar 2007, 16:42:26 UTC

Ignore.
Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.
ID: 9066
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14689
Netherlands
Message 9075 - Posted: 24 Mar 2007, 19:38:46 UTC
Last modified: 26 Mar 2007, 11:14:43 UTC

The W* account at Predictor has been blocked, while Mr. Braun considers the best way of action what to do with the credits, while trying not to break the PAH database.

We'll allow discussion, solutions and your opinion about the original problem to continue here. What we do not allow is for you to post inflammatory posts and rouses to make the problem worse. Any such posts will be removed.

It's time to stop the fire, not fan the flames.
ID: 9075
Angelo Mileto (c)
Joined: 27 Mar 07
Posts: 18
United States
Message 9497 - Posted: 10 Apr 2007, 22:18:03 UTC

While it may be a pain in the butt for the legitimate users, is there a way of sending some sort of verification message to a new client before they are able to start downloading work? Since the machine ID gets registered and the project knows it is the first time, maybe utilize the APIs in the system (maybe not a good idea but....) to generate an e-mail back to that user? NOTE: This would not be an e-mail back to the person who's account registered the new machine.

Failing that, why not utilize the application itself and when the client requests work for the first time, send a different XML file that pops up a message to the user having them validate with their account name. Then, that reply is sent back to the server and all is well.

Obviously, this would prevent the "automatically connect all/new hosts" option, but.....
ID: 9497
Nicolas
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9501 - Posted: 10 Apr 2007, 23:59:00 UTC - in response to Message 9497.  

> While it may be a pain in the butt for the legitimate users, is there a way of sending some sort of verification message to a new client before they are able to start downloading work? Since the machine ID gets registered and the project knows it is the first time, maybe utilize the APIs in the system (maybe not a good idea but....) to generate an e-mail back to that user? NOTE: This would not be an e-mail back to the person who's account registered the new machine.

How do you get the computer owner's email address?

> Failing that, why not utilize the application itself and when the client requests work for the first time, send a different XML file that pops up a message to the user having them validate with their account name. Then, that reply is sent back to the server and all is well.
>
> Obviously, this would prevent the "automatically connect all/new hosts" option, but.....

Not only that: screen-less Unix computers, with no X server installed. You can't show a message there.
ID: 9501
Angelo Mileto (c)
Joined: 27 Mar 07
Posts: 18
United States
Message 9505 - Posted: 11 Apr 2007, 12:46:25 UTC - in response to Message 9501.  

> How do you get the computer owner's email address?

Assuming the application is installed on a machine where the user has logged on and they use the same machine to send and receive e-mail, it is relatively easy to script a SendMail event back to the BOINC/BAM server. That application could then use that address to send a validation e-mail back to the user.

> Not only that: screen-less Unix computers, with no X server installed. You can't show a message there.

True. How would those users normally monitor the status of the application? Possibly through the log file? If so, then they would see the message in the log file requiring the validation.

These are very good questions and I surely don't know all of the answers, but, it's a start.
ID: 9505
MikeMarsUK
Joined: 16 Apr 06
Posts: 386
United Kingdom
Message 9507 - Posted: 11 Apr 2007, 12:51:22 UTC

None of my 3 PCs at home is configured for local email.

ID: 9507
KSMarksPsych
Joined: 30 Oct 05
Posts: 1239
United States
Message 9509 - Posted: 11 Apr 2007, 13:19:48 UTC - in response to Message 9505.  

> > How do you get the computer owner's email address?
>
> Assuming the application is installed on a machine where the user has logged on and they use the same machine to send and receive e-mail, it is relatively easy to script a SendMail event back to the BOINC/BAM server. That application could then use that address to send a validation e-mail back to the user.
>
> > Not only that: screen-less Unix computers, with no X server installed. You can't show a message there.
>
> True. How would those users normally monitor the status of the application? Possibly through the log file? If so, then they would see the message in the log file requiring the validation.
>
> These are very good questions and I surely don't know all of the answers, but, it's a start.

I do all my email through the web. So, no stand alone email app until recently (when I started backing up through Thunderbird). And I'd not like it if somehow BOINC "scanned" my computer to find an app and then extracted my email. Seems like a huge security hole.

People use things like BOINCView and even the built in remote config files in BOINC to control remote boxes.
Kathryn :o)
ID: 9509
Angelo Mileto (c)
Joined: 27 Mar 07
Posts: 18
United States
Message 9513 - Posted: 11 Apr 2007, 15:03:30 UTC

So instead of coming up with all the "reasons" it can't be done, why not offer a better suggestion? Also, notice that BOINC, nor anything else, needs to "scan" your machine and extract your e-mail. Clicking on a link on a web page that is a MAILTO:xxxxxx automatically launches your mail client and it will be sent from the user. This is all that is needed.
ID: 9513
KSMarksPsych
Joined: 30 Oct 05
Posts: 1239
United States
Message 9517 - Posted: 11 Apr 2007, 17:23:05 UTC - in response to Message 9513.  

> So instead of coming up with all the "reasons" it can't be done, why not offer a better suggestion? Also, notice that BOINC, nor anything else, needs to "scan" your machine and extract your e-mail. Clicking on a link on a web page that is a MAILTO:xxxxxx automatically launches your mail client and it will be sent from the user. This is all that is needed.

I'm not a developer nor am I a programmer. So I don't have any solutions. I won't pretend to understand how send mail works, but to the average user (like me) what you're proposing seems to be a security risk (even if it's not). I know of quite a few people who don't even have an email client installed.

My suggestion for you is to subscribe to the developers list and start a conversation on that. The major developers don't read these boards unless Jord and I point them to a specific problem.
Kathryn :o)
ID: 9517
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14689
Netherlands
Message 9518 - Posted: 11 Apr 2007, 17:32:06 UTC - in response to Message 9513.  

> Clicking on a link on a web page that is a MAILTO:xxxxxx automatically launches your mail client and it will be sent from the user. This is all that is needed.

Only if you set a default email client, else no email program will open. Before you say that Windows will always set (that stupid) Outlook Express as your default email program, what clicking on a MAILTO link will do then is start up the setup wizard for OE... Not really friendly.

All of what you are opting is all nice and well, but did you know that BOINC doesn't need to be installed on your computer? Just the boinc daemon and an account_*.xml file is needed for it to start crunching. So then what? You want the boinc daemon to periodically scan the system it is on to check if it's 'installed correctly'? I wouldn't want it to do that.

You can't use a spot in the registry either, as BOINC is multi-platform, only Windows uses a registry (as far as I know). Besides, the spot can be spoofed by adding a batchfile that runs a .reg file.
ID: 9518
Angelo Mileto (c)
Joined: 27 Mar 07
Posts: 18
United States
Message 9523 - Posted: 11 Apr 2007, 19:42:35 UTC - in response to Message 9075.  

> My suggestion for you is to subscribe to the developers list and start a conversation on that. The major developers don't read these boards unless Jord and I point them to a specific problem.

That's why I started the discussion; as Jord indicated, it's time to put out the fire.

> The W* account at Predictor has been blocked, while Mr. Braun considers the best way of action what to do with the credits, while trying not to break the PAH database.
>
> We'll allow discussion, solutions and your opinion about the original problem to continue here. What we do not allow is for you to post inflammatory posts and rouses to make the problem worse. Any such posts will be removed.
>
> It's time to stop the fire, not fan the flames.

> I'm not a developer nor am I a programmer. So I don't have any solutions. I won't pretend to understand how send mail works, but to the average user (like me) what you're proposing seems to be a security risk (even if it's not). I know of quite a few people who don't even have an email client installed.

I completely understand your misunderstanding and concern. As I indicated, I wasn't proposing this to be "the way to go", just a suggestion. I'd leave it to the "smart people" to determine if it could be done securely.

Thanks for the input!!!!

> Only if you set a default email client, else no email program will open. Before you say that Windows will always set (that stupid) Outlook Express as your default email program, what clicking on a MAILTO link will do then is start up the setup wizard for OE... Not really friendly.
>
> All of what you are opting is all nice and well, but did you know that BOINC doesn't need to be installed on your computer? Just the boinc daemon and an account_*.xml file is needed for it to start crunching. So then what? You want the boinc daemon to periodically scan the system it is on to check if it's 'installed correctly'? I wouldn't want it to do that.
>
> You can't use a spot in the registry either, as BOINC is multi-platform, only Windows uses a registry (as far as I know). Besides, the spot can be spoofed by adding a batchfile that runs a .reg file.

I believe I did indicate the SENDMAIL option would only work if the user had set up an e-mail account using whatever application on that machine. Obviously, if none is set up, then MAILTO would not work, just as it would not work from a web page.

I also think I mentioned the proper time to do this would be not necessarily at "install" but at the first request for data. I'm sure the "smart guys" have a way of determining if this is the first request from a particular machine ID. That would be the trigger.

Again, I'm not trying to say I'm smart enough to know everything nor that this is "the answer". It's just that reading through here, I thought I'd offer my suggestions to maybe get some meaningful discussion going.

Thanks for the input!!!!
ID: 9523
Nicolas
Joined: 19 Jan 07
Posts: 1174
Argentina
Message 9525 - Posted: 11 Apr 2007, 20:02:43 UTC

> True. How would those users normally monitor the status of the application? Possibly through the log file? If so, then they would see the message in the log file requiring the validation.

If with "Those users" you're referring to a victim of "BOINC infection" from a trojan, most wouldn't know BOINC exists, so they don't know any log to look at.

There's a reason simpler than all that, why we can't do anything: the hacker could always compile his own BOINC core client, removing *any* protection we add now.
ID: 9525
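The two sides of the argument above can be put next to each other in a small model: Angelo's proposal (Messages 9497 and 9523) that a host's first work request should trigger a validation step before any work is sent, and Nicolas's objection (Message 9525) that any check built into the client can simply be compiled out. This is an added example, not BOINC's scheduler or client code; the classes and functions (Scheduler, HostRecord, handle_work_request, validate, deliver_message) and the one-time code format are assumptions. What it shows is that the gate only holds if it lives on the server: a client that carries no checking code at all still receives no work until the out-of-band confirmation arrives, and a screen-less host gets the notice in its log instead of a dialog, as Angelo suggested for command-line installs.

```python
import secrets
from dataclasses import dataclass

# Constructed model of the thread's proposal: the project withholds work from a
# host until that host has been validated out of band. All names here are
# assumptions, not BOINC's own scheduler or client API.


@dataclass
class HostRecord:
    host_id: str
    account: str
    token: str            # one-time validation code delivered to the machine
    validated: bool = False
    requests: int = 0     # work requests seen, validated or not


class Scheduler:
    """Server side: the only place the decision is made, so a client built
    without any checking code cannot skip it."""

    def __init__(self):
        self.hosts: dict[str, HostRecord] = {}

    def handle_work_request(self, host_id: str, account: str):
        """Return (work_units, message). Work goes only to validated hosts."""
        rec = self.hosts.get(host_id)
        if rec is None:
            # First contact from this host id: register it as pending.
            rec = HostRecord(host_id, account, token=secrets.token_hex(4))
            self.hosts[host_id] = rec
        rec.requests += 1
        if not rec.validated:
            # No work. The text is what the client shows or logs (deliver_message).
            msg = (f"Validation required for host {host_id}: confirm code "
                   f"{rec.token} via your account page before work is sent.")
            return [], msg
        return [f"wu-{host_id}-{rec.requests}"], ""

    def validate(self, host_id: str, token: str) -> bool:
        """Out-of-band confirmation; only a matching code flips the host to validated."""
        rec = self.hosts.get(host_id)
        if rec is None or not secrets.compare_digest(rec.token, token):
            return False
        rec.validated = True
        return True


def deliver_message(msg: str, has_display: bool, log: list) -> str:
    """Client side: a host with a display gets a dialog, a headless host gets
    the same text appended to its log, so it is visible either way."""
    if has_display:
        return f"DIALOG: {msg}"
    log.append(f"[boinc] {msg}")
    return log[-1]


if __name__ == "__main__":
    sched = Scheduler()
    log = []
    # A host that re-requests work without validating keeps getting nothing.
    for _ in range(2):
        work, msg = sched.handle_work_request("host-1", "acct-a")
        print(work, deliver_message(msg, has_display=False, log=log))
    # Only the code delivered to the machine unlocks it.
    print(sched.validate("host-1", "wrong"))
    print(sched.validate("host-1", sched.hosts["host-1"].token))
    print(sched.handle_work_request("host-1", "acct-a"))
```

The model deliberately says nothing about who confirms the code; as the thread notes, that is the unsolved part, since the project does not know the machine owner's address and a validation tied to the account only reaches the account holder.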
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14689
Netherlands
Message 9531 - Posted: 11 Apr 2007, 21:45:54 UTC - in response to Message 9525.  

> There's a reason simpler than all that, why we can't do anything: the hacker could always compile his own BOINC core client, removing *any* protection we add now.

I suppose it could be done if the code was really needed for the daemon to work and with it removed BOINC just wouldn't work at all. But that would only work on present code. All the old versions of BOINC, without the code present, would still work alright on any of the projects out there.
ID: 9531
Angelo Mileto (c)
Joined: 27 Mar 07
Posts: 18
United States
Message 9532 - Posted: 11 Apr 2007, 21:50:28 UTC - in response to Message 9525.  

> > True. How would those users normally monitor the status of the application? Possibly through the log file? If so, then they would see the message in the log file requiring the validation.
>
> If with "Those users" you're referring to a victim of "BOINC infection" from a trojan, most wouldn't know BOINC exists, so they don't know any log to look at.
>
> There's a reason simpler than all that, why we can't do anything: the hacker could always compile his own BOINC core client, removing *any* protection we add now.

Sorry for the confusion. I was referring to those who were running command line versions.
ID: 9532
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14689
Netherlands
Message 9533 - Posted: 11 Apr 2007, 22:04:37 UTC - in response to Message 9532.  

> Sorry for the confusion. I was referring to those who were running command line versions.

There is no command line version for BOINC. At least, not for Windows, which is the most and easiest infected system we're talking about.

The BOINC daemon (boinc.exe) can be started by itself and then runs in a command line window.
It will be started when you start Boinc Manager and then runs in the background (unseen). It exits when you exit BM.
It can be set as a service to completely invisibly run all the time.

But there's no separate CL version of BOINC for Windows.
ID: 9533
SekeRob
Joined: 25 Aug 06
Posts: 1596
Message 9571 - Posted: 14 Apr 2007, 9:25:38 UTC - in response to Message 9533.  

> > Sorry for the confusion. I was referring to those who were running command line versions.
>
> There is no command line version for BOINC. At least, not for Windows, which is the most and easiest infected system we're talking about.
>
> The BOINC daemon (boinc.exe) can be started by itself and then runs in a command line window.
> It will be started when you start Boinc Manager and then runs in the background (unseen). It exits when you exit BM.
> It can be set as a service to completely invisibly run all the time.
>
> But there's no separate CL version of BOINC for Windows.

I've been running on occasion BOINCcmd.exe in a DOS window just to know what's on offer in the 'commands' department. Is this something different from what's understood running it under Linux?

I've also been passing startup instructions from BOINCmgr.exe to BOINC.exe via the "/b,", thus maybe there is some misunderstanding of what is what.

Coelum Non Animum Mutant, Qui Trans Mare Currunt
ID: 9571
Jord
Volunteer tester
Help desk expert
Joined: 29 Aug 05
Posts: 14689
Netherlands
Message 9572 - Posted: 14 Apr 2007, 16:36:05 UTC - in response to Message 9571.  

> I've been running on occasion BOINCcmd.exe in a DOS window just to know what's on offer in the 'commands' department. Is this something different from what's understood running it under Linux?

Checking the download site I see for the Mac that there's an offering of the GUI or command line version. The latter is the core client only. So just as I said, if you just start boinc.exe, it'll start up in a command line window.

That you open a command line window and then go to your BOINC directory to start Boinccmd.exe has nothing to do with the actual running of Boinc in a command line window... I think. Does Boinccmd.exe start up boinc.exe? Or does Boinc.exe already need to be started before you can use Boinccmd.exe?

> I've also been passing startup instructions from BOINCmgr.exe to BOINC.exe via the "/b,", thus maybe there is some misunderstanding of what is what.

No, with the /b option you by-pass the Windows installer. It will in effect unpack the BOINC installer files and put them in a directory of your choice, without installing BOINC (adding to registry). This way you can have your normal BOINC installed and you can put another BOINC version on your computer without disrupting the usual install. Both will run fine.
ID: 9572

Copyright © 2021 University of California. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.