Windows malware reported

David Anderson
Volunteer moderator
Project administrator
Project developer
Joined: 10 Sep 05
Posts: 722
Message 114191 - Posted: 26 Jun 2024, 23:01:38 UTC

We have received several reports of malware that installs and runs the 8.0.2 BOINC client on Windows computers. We are investigating this; we currently don't know how the malware works or how to defeat it. We'll report whatever we learn here.

This is not a vulnerability in BOINC; rather, it's malware that illegally installs BOINC.
Vitalii Koshura

Joined: 26 Apr 22
Posts: 3
Message 114194 - Posted: 27 Jun 2024, 13:31:49 UTC

What is known at this moment:

BOINC is loaded onto the users' devices without their consent using some third-party payloader.
BOINC itself is not compromised; the binaries of BOINC that are downloaded to the users' devices are taken from the official BOINC installer 8.0.2 (the BOINC installer itself is not used).
UNCONFIRMED: a hidden Windows user is created.
Malicious software is installed as a service (currently no information about the service name).
Several copies of BOINC are downloaded to the 'C:\USERNAME\AppData\Roaming' folder and to several subfolders.
BOINC client executables are renamed to: '.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe'.
A fake BOINC server is created that looks like the Rosetta@home server (for security reasons we cannot publish the name of the server, but it has already been reported to the registrar).
Some software is created as a BOINC application (since there are no tasks on that fake project server, it's impossible to get and analyze it).
Only Windows devices are affected (from the information on the fake project server I see that around 7'000 devices are compromised).
We do not currently know how users got this malicious software on their devices. One of the affected users reported back to us that they started seeing this after they connected to the Starbucks public WiFi.
Currently we have received reports from US users only.
The antivirus software we have tested was not able to find and block the malicious payloader.

Currently we don't know how to defeat this malware, but we're working on it.

More information will be published when we receive it.
Dave
Help desk expert

Joined: 28 Jun 10
Posts: 2579
United Kingdom
Message 114195 - Posted: 27 Jun 2024, 13:46:44 UTC - in response to Message 114194.  

The most obvious reason I can see for doing this would be Gridcoin. Presumably 7K computers crunching could earn a fair amount?
Vitalii Koshura

Joined: 26 Apr 22
Posts: 3
Message 114196 - Posted: 27 Jun 2024, 13:54:24 UTC - in response to Message 114195.  
Last modified: 27 Jun 2024, 13:55:03 UTC

> The most obvious reason I can see for doing this would be Gridcoin. Presumably 7K computers crunching could earn a fair amount?

Might be the case, yes. For now all the installations connect only to the malicious fake server, not any other real project server.
nothanks
New member

Joined: 27 Jun 24
Posts: 1
Message 114197 - Posted: 27 Jun 2024, 19:00:51 UTC

I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.

The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's Roaming folder on start and every 15 minutes from then on. It appears to also use PowerShell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.

Here is what we have done so far, and it hasn't come back in the last couple of hours... but I plan to keep watching.
If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "Roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, Windows security updates, and some of the entries were just an underscore and numbers. Bottom line is, if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the Roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.
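The two posts above give a defender three concrete things to look for: scheduled tasks whose action executes something under AppData\Roaming, files in that folder carrying the renamed BOINC client names, and processes still running from there. The following read-only triage script is an added example written for this thread; it is not code from the BOINC project or from either poster. It assumes a Windows 8 / Server 2012 or newer host with the built-in ScheduledTasks module, and it only reports; the task, file and process names it flags are taken from the posts above, and any removal is left to the operator after reviewing the output.

```powershell
# Added triage example (not from the BOINC project or this thread's posters).
# Reports, without changing anything:
#   1. scheduled tasks whose Exec action runs from %APPDATA% (AppData\Roaming)
#   2. files under %APPDATA% with the renamed BOINC client names from the thread
#   3. running processes whose image lives under %APPDATA%
# Run from an elevated PowerShell prompt so Get-ScheduledTask can see every task.

# Executable names reported in the thread for the renamed BOINC client.
$SuspectNames = @('.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe')

# %APPDATA% resolves to C:\Users\<user>\AppData\Roaming for the current user only;
# repeat for other profiles (the thread mentions a possible hidden user) by
# pointing $Roaming at their AppData\Roaming folder.
$Roaming = $env:APPDATA

Write-Host "== Scheduled tasks whose action runs from $Roaming =="
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an Execute property; COM-handler actions do not.
        if ($action.PSObject.Properties['Execute'] -and $action.Execute) {
            # Expand %APPDATA%-style variables and strip quotes before comparing,
            # so the check is on the real path rather than the task's display name
            # (the thread notes the names imitate Mozilla, Google and Windows updates).
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            if ($exe -like "$Roaming\*") {
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                }
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Files under $Roaming with the reported names =="
Get-ChildItem -Path $Roaming -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $SuspectNames -contains $_.Name } |
    Select-Object FullName, Length, LastWriteTime |
    Format-Table -AutoSize

Write-Host "== Running processes whose image lives under $Roaming =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$Roaming\*" } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize
```

The task check keys on where the action's executable lives rather than on the task name, which is the "bottom line" rule from the post above; a legitimate per-user installer that runs from Roaming would also show up, so each hit still needs a human look before anything is deleted.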
Vitalii Koshura

Joined: 26 Apr 22
Posts: 3
Message 114198 - Posted: 27 Jun 2024, 19:32:30 UTC - in response to Message 114197.  

> I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.
>
> The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's Roaming folder on start and every 15 minutes from then on. It appears to also use PowerShell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.
>
> Here is what we have done so far, and it hasn't come back in the last couple of hours... but I plan to keep watching.
> If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "Roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, Windows security updates, and some of the entries were just an underscore and numbers. Bottom line is, if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the Roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.

Thank you for the valuable input. I'm afraid this might not be enough, but if this works for you, that's great!
makeasnek
New member

Joined: 29 Jun 24
Posts: 1
United States
Message 114204 - Posted: 30 Jun 2024, 0:15:20 UTC - in response to Message 114195.  
Last modified: 30 Jun 2024, 0:23:21 UTC

> The most obvious reason I can see for doing this would be Gridcoin. Presumably 7K computers crunching could earn a fair amount?

Probably not. Plus, they are not connecting to any real BOINC projects, so they aren't earning any Gridcoin.

A purely profit-motivated individual would be better off mining Monero or other CPU-mineable coins. IIRC in the past somebody tried a similar thing where they bundled BOINC in malware and their CPID was banned from the Gridcoin network. I'm not sure how that was accomplished or how feasible it is at a technical level on the Gridcoin side at this point, but certainly BOINC projects could play whack-a-mole banning this person's CPID if they wanted to. BOINC projects don't export stats for that CPID = no Gridcoin for that person.

Some rough math here. Gridcoin mints 28,750 Gridcoin per day across all projects. Assuming a single person could earn all of that (not possible since it's rewarded proportional to other users crunching for GRC), they would get 28,750 GRC per day. At current exchange rates (one half of one cent USD, highest I've ever seen it is 2c) that's $143/day. Let's be very generous and assume they could capture around half of that GRC, that's $70/day for 7,000 machines. Not a very profitable use of that resource.

There are roughly 2300 CPIDs on Gridcoin, which you can roughly map to "users". Though of course some users have multiple CPIDs and some CPIDs represent multiple "users". And of course, many "users" have more than one machine crunching. On any given project, 15-48% of RAC is earned by Gridcoin crunchers. That's the competition they'd have to "out-weigh" to capture the majority of GRC. Roughly one twelfth of GRC is distributed to Folding@home crunchers, so this person would have to fold as well to capture that portion of the GRC.

Selling that much GRC would also further crash the price, making any GRC they earned even more useless. Current 24hr trading volume is 55k GRC/day, so this person's earnings would represent nearly half of the pre-existing trading volume, all in the sell direction. And there are questions around that trading volume; it's not unheard of for exchanges to fake their trading volume, and somebody with more knowledge than me on the trading side could speak to it.

If somebody had that much computing power (and network access), there are much, much more profitable ways to leverage it. Granted, if they are running that much BOINC, they may as well claim their GRC as well because at that point it's free money. But clearly such a person has motivations aside from purely profit.
Dave
Help desk expert

Joined: 28 Jun 10
Posts: 2579
United Kingdom
Message 114206 - Posted: 30 Jun 2024, 18:58:22 UTC - in response to Message 114204.  

Thanks. I now know rather more about Gridcoin than I did!


Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.