Windows malware reported

Message boards : News : Windows malware reported
Message board moderation

To post messages, you must log in.

AuthorMessage
ProfileDavid Anderson
Volunteer moderator
Project administrator
Project developer
Avatar

Send message
Joined: 10 Sep 05
Posts: 722
Message 114191 - Posted: 26 Jun 2024, 23:01:38 UTC

We have received several reports of malware that installs and runs the 8.0.2 BOINC client on Windows computers. We are investigating this; we currently don't know how the malware works or how to defeat it. We'll report whatever we learn here.

This is not a vulnerability in BOINC; rather, it's malware that illegally installs BOINC.
ID: 114191 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 5
Message 114194 - Posted: 27 Jun 2024, 13:31:49 UTC

What is known at this moment.

BOINC is loaded to the users' devices without their consent using some third-party payloader.
BOINC itself is not compromised, the binaries of BOINC that are downloaded to the users' devices are taken from the official BOINC installer 8.0.2 (BOINC installer itself is not used).
UNCONFIRMED: hidden Windows user is created.
Malicious software is installed as a service (currently no information about the service name).
Several copies of BOINC are downloaded to the 'C:\USERNAME\AppData\Roaming folder' and to the several subfolders.
BOINC client executables are renamed to: '.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe'.
Fake BOINC server is created that looks like Rosetta@home server (for security reasons we cannot publish the name of the server, but it's already reported to the registrar).
Some software is created as a BOINC application (since there are no tasks on that fake project server, it's impossible to get it and analyze).
Only Windows devices are affected (from the information on the fake project server I see that around 7'000 devices are compromised).
We do not currently know the way users got this malicious software of their devices. One of the affected users reported back to us that they started seeing this after they were connected to the Starbucks public wifi.
Currently we received reports from the US users only.
Antivirus software we have tested were not able to find and block malicious payloader.

Currently we don't know how to defeat this malware, but we're working on it.

More information will be published when we receive it.
ID: 114194 · Report as offensive     Reply Quote
ProfileDave
Help desk expert

Send message
Joined: 28 Jun 10
Posts: 2591
United Kingdom
Message 114195 - Posted: 27 Jun 2024, 13:46:44 UTC - in response to Message 114194.  

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?
ID: 114195 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 5
Message 114196 - Posted: 27 Jun 2024, 13:54:24 UTC - in response to Message 114195.  
Last modified: 27 Jun 2024, 13:55:03 UTC

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?

Might be the case, yes. For now all the installations connect only to the malicious fake server, not any other real project server.
ID: 114196 · Report as offensive     Reply Quote
nothanks

Send message
Joined: 27 Jun 24
Posts: 1
Message 114197 - Posted: 27 Jun 2024, 19:00:51 UTC

I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.

The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's roaming folder on start and every 15 minutes from then on. It appears to also use powershell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.

Here is what we have done so far, and it hasn't come back in the last couple hours... but I plan to keep watching.
If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, windows security updates, and some of the entries were just an underscore and numbers. Bottom line is if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.
ID: 114197 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 5
Message 114198 - Posted: 27 Jun 2024, 19:32:30 UTC - in response to Message 114197.  

I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.

The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's roaming folder on start and every 15 minutes from then on. It appears to also use powershell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.

Here is what we have done so far, and it hasn't come back in the last couple hours... but I plan to keep watching.
If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, windows security updates, and some of the entries were just an underscore and numbers. Bottom line is if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.


Thank you for the valuable input. I'm afraid this might be not enough, but if this works for you - that's very great!
ID: 114198 · Report as offensive     Reply Quote
makeasnek

Send message
Joined: 29 Jun 24
Posts: 1
United States
Message 114204 - Posted: 30 Jun 2024, 0:15:20 UTC - in response to Message 114195.  
Last modified: 30 Jun 2024, 0:23:21 UTC

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?


Probably not. Plus, they are not connecting to any real BOINC projects, so they aren't earning any Gridcoin.

A purely profit-motivated individual would be better off mining Monero or other CPU-mineable coins. IIRC in the past somebody tried a similar thing where they bundled BOINC in malware and their CPID was banned from the Gridcoin network. I'm not sure how that was accomplished or how feasible it is at a technical level on the Gridcoin side at this point, but certainly BOINC projects could play whack-a-mole banning this person's CPID if they wanted to. BOINC projects don't export stats for that CPID = no Gridcoin for that person.

Some rough math here. Gridcoin mints 28,750 Gridcoin per day across all projects. Assuming a single person could earn all of that (not possible since it's rewarded proportional to other users crunching for GRC), they would get 28,750 GRC per day. At current exchange rates (one half of one cent USD, highest I've ever seen it is 2c) that's $143/day. Let's be very generous and assume they could capture around half of that GRC, that's $70/day for 7,000 machines. Not a very profitable use of that resource.

There are roughly 2300 CPIDs on Gridcoin, which you can roughly map to "users". Though of course some users have multiple CPIDs and some CPIDs represent multiple "users". And of course, many "users" have more than one machine crunching. On any given project, 15-48% of RAC is earned by Gridcoiners crunchers. That's the competition they'd have to "out-weigh" to capture the majority of GRC. Roughly one twelfth of GRC is distributed to folding@home crunchers, so this person would have to fold as well to capture that portion of the GRC.

Selling that much GRC would also further crash the price, making any GRC they earned even more useless. Current 24hr trading volume is 55k GRC/day, so this person's earnings would represent a nearly half of the pre-existing trading volume, all in the sell direction. And there are questions around that trading volume, it's not unheard of for exchanges to fake their trading volume, somebody with more knowledge than me on the trading side could speak to it.

If somebody had that much computing power (and network access), there are much, much more profitable ways to leverage it. Granted, if they are running that much BOINC, they may as well claim their GRC as well because at that point it's free money. But clearly such a person has motivations aside from purely profit.
ID: 114204 · Report as offensive     Reply Quote
ProfileDave
Help desk expert

Send message
Joined: 28 Jun 10
Posts: 2591
United Kingdom
Message 114206 - Posted: 30 Jun 2024, 18:58:22 UTC - in response to Message 114204.  

Thanks. I now know rather more about gridcoin than I did!
ID: 114206 · Report as offensive     Reply Quote
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 382
Sweden
Message 114221 - Posted: 5 Jul 2024, 0:01:17 UTC

Any news on the forensic analysis of this malware? Any malware reverse engineering (MRE) going on?
If this is still spreading, and not dealt with, wouldn't be time now to post a warning about this malware on the different projects forum pages?
ID: 114221 · Report as offensive     Reply Quote
nickfurthermore
New member

Send message
Joined: 5 Jul 24
Posts: 1
United States
Message 114225 - Posted: 5 Jul 2024, 20:41:31 UTC - in response to Message 114221.  

I am just seeing this on a machine today 2024-07-05 that a friend brought over for me to look at. I can see the behavior that @Vitalii Koshura posted earlier. I do see the task in the windows scheduled task as mentioned as well. I did a Windows Defender Scan of the files and it did not flag any of the files as malicious.
ID: 114225 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 5
Message 114226 - Posted: 5 Jul 2024, 21:35:41 UTC

Small update:

Malicious server is not reachable anymore.
That server was not configured properly, and thus no real malware was installed from it using BOINC.
Because the server was not configured properly, there was no chance to get the potential payload to analyze the behavior.
I got a report several days ago that Windows Defender started to recognize the initial malicious payloader (that was used to upload BOINC to the end machines) that was installed on a hidden partition.
I know nothing about the ways this malware reached the end users machines, since the reports I received have nothing in common.

For me the whole incident looks like a work of a lamer.
ID: 114226 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 5
Message 114227 - Posted: 5 Jul 2024, 21:37:11 UTC - in response to Message 114225.  
Last modified: 5 Jul 2024, 21:51:28 UTC

I am just seeing this on a machine today 2024-07-05 that a friend brought over for me to look at. I can see the behavior that @Vitalii Koshura posted earlier. I do see the task in the windows scheduled task as mentioned as well. I did a Windows Defender Scan of the files and it did not flag any of the files as malicious.


I'm sorry to hear that your friend haы received that malware as well.
Try to do full system scan, it should help (at least, I received once the report that the malware was found on a hidden partition).
ID: 114227 · Report as offensive     Reply Quote
syu
New member

Send message
Joined: 9 Jul 24
Posts: 2
United States
Message 114238 - Posted: 9 Jul 2024, 3:36:50 UTC - in response to Message 114191.  

Recently, my computer began experiencing disruptions characterized by a PowerShell window that intermittently popped up and closed rapidly. This was not only annoying but also interrupted my workflow by abruptly affecting active windows. Based on the help of this thread, I was able to delete the malware in this order:
1. I deleted the BOINC program in task managers first
2. Proceeded to deleting the task scheduler
3. The files in the AppData/Roaming folder.

I waited 15 minutes to see if the program ran again and I'm happy to report that it hasn't so I think the malware has been handled. If not, I will update you here.

My account of the BOINC malware identification, hopefully it will help with investigating the source:

Identifying the Malware: I meticulously observed my Task Manager to identify the source during these pop-ups. I discovered that each appearance was associated with the execution of a BOINC application, which terminated just as quickly.

Evasion of Detection: To attempt a resolution, I installed and ran Malwarebytes, a reputable antivirus software, which unfortunately failed to detect any malicious activity. This suggests that the malware is capable of evading detection by standard antivirus tools.

Disguise Tactics: Further investigation revealed that the malware was disguised under innocuous file names like "Licensing Validator Updater," which camouflaged it among legitimate system processes.

Given the novelty of this malware a Google search wasn't enough to provide me with more detail. I also shared some of the file logs with ChatGPT to see if it understands what it's executing and it was unable to detect any foul play and said something like:

"Based on the content of the log you provided, it doesn't indicate that this is a virus. BOINC (Berkeley Open Infrastructure for Network Computing) is a legitimate platform that allows people to contribute their computer's unused processing power to scientific research projects. It's widely used for purposes such as disease research, climate change predictions, and astrophysics simulations."

The next question that led me to was how did it even get installed on my computer. Investigating more log files in the folder I noticed that although BOINC is a Berkeley project, it was referencing Rosetta and even have a http://rosettahome.cn/rosettahome/ url in some of the files that made it more suspicious.

I uncovered a file named "daily_xfer_history.xml" in the malware's directory. This file recorded extensive data uploads and downloads, clearly outlining unauthorized network activity. For instance, on one day, the log showed an upload of over 1.1 million units and a download of 181,511 units.

This is when I found this thread and started taking actions to remove it.

Connection to JetBlue Inflight Internet: The creation date of the malware's folder coincided with the day I accessed JetBlue's free inflight Internet on 6/24/24 flying out of JFK, suggesting a potential point of infection. It was the start of my vacation and I rarely used my computer for the week I was there. On the flight back home on JetBlue I noticed that my computer was considerably slower and attributed it to the WiFi, but most likely could've been the malware executing tasks.

System Information: My system runs on Windows 11 OS.
ID: 114238 · Report as offensive     Reply Quote
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 382
Sweden
Message 114239 - Posted: 9 Jul 2024, 5:03:29 UTC - in response to Message 114238.  
Last modified: 9 Jul 2024, 5:34:30 UTC

To Mods: If you need to hide this, for security or privacy reasons, at least fwd it to someone at BOINC, if they haven't already found the same information.

@syu

I take it that you normally do not run any projects under BOINC (the legitimate program) on your computer(s), or have it installed?

Anyhow, some data on rosettahome.cn, which really looks suspicious:

Whois Record for RosettaHome.cn

Domain Profile
Registrar Status
Dates 15 days old
Created on 2024-06-23
Expires on 2025-06-23

Name Servers NS1.HE.NET (has 64,374 domains)
NS2.HE.NET (has 64,374 domains)

IP Address 104.200.73.68 is hosted on a dedicated server


IP Location United States - California - Los Angeles - Crowncloud Us Llc
ASN United States AS8100 ASN-QUADRANET-GLOBAL, US (registered Oct 22, 2009)
Hosting History 1 change on 2 unique name servers over 0 year
Whois Record ( last updated on 2024-07-09 )
Domain Name: rosettahome.cn
ROID: 20240623s10001s58769039-cn
Domain Status: clientTransferProhibited
Registrant: cristian ratti
Registrant Contact Email:
Sponsoring Registrar: DYNADOTCHINA LLC
Name Server: ns2.he.net
Name Server: ns1.he.net
Registration Time: 2024-06-23 19:36:49
Expiration Time: 2025-06-23 19:36:49
DNSSEC: unsigned


Edit, added:

rosettahome.cn
Abuse issues with rosettahome.cn?
Abusive contact email(s):

43577893@protonmail.com
Technical Contact
Administrative Contact
Registrant
Name: cristian ratti

Email: 43577893@protonmail.com
ID: 114239 · Report as offensive     Reply Quote
syu
New member

Send message
Joined: 9 Jul 24
Posts: 2
United States
Message 114241 - Posted: 9 Jul 2024, 13:58:31 UTC - in response to Message 114239.  

Correct, I did not install BOINC on my computer. Never heard about it till I had to investigate the cause of the command window popping up and closing.
ID: 114241 · Report as offensive     Reply Quote

Message boards : News : Windows malware reported

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.