Thread 'Windows malware reported'

Message boards : News : Windows malware reported
Message board moderation

To post messages, you must log in.

1 · 2 · Next

AuthorMessage
ProfileDavid Anderson
Volunteer moderator
Project administrator
Project developer
Avatar

Send message
Joined: 10 Sep 05
Posts: 726
Message 114191 - Posted: 26 Jun 2024, 23:01:38 UTC

We have received several reports of malware that installs and runs the 8.0.2 BOINC client on Windows computers. We are investigating this; we currently don't know how the malware works or how to defeat it. We'll report whatever we learn here.

This is not a vulnerability in BOINC; rather, it's malware that illegally installs BOINC.
ID: 114191 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 6
Message 114194 - Posted: 27 Jun 2024, 13:31:49 UTC

What is known at this moment.

BOINC is loaded to the users' devices without their consent using some third-party payloader.
BOINC itself is not compromised, the binaries of BOINC that are downloaded to the users' devices are taken from the official BOINC installer 8.0.2 (BOINC installer itself is not used).
UNCONFIRMED: hidden Windows user is created.
Malicious software is installed as a service (currently no information about the service name).
Several copies of BOINC are downloaded to the 'C:\USERNAME\AppData\Roaming folder' and to the several subfolders.
BOINC client executables are renamed to: '.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe'.
Fake BOINC server is created that looks like Rosetta@home server (for security reasons we cannot publish the name of the server, but it's already reported to the registrar).
Some software is created as a BOINC application (since there are no tasks on that fake project server, it's impossible to get it and analyze).
Only Windows devices are affected (from the information on the fake project server I see that around 7'000 devices are compromised).
We do not currently know the way users got this malicious software of their devices. One of the affected users reported back to us that they started seeing this after they were connected to the Starbucks public wifi.
Currently we received reports from the US users only.
Antivirus software we have tested were not able to find and block malicious payloader.

Currently we don't know how to defeat this malware, but we're working on it.

More information will be published when we receive it.
ID: 114194 · Report as offensive     Reply Quote
ProfileDave
Help desk expert

Send message
Joined: 28 Jun 10
Posts: 2703
United Kingdom
Message 114195 - Posted: 27 Jun 2024, 13:46:44 UTC - in response to Message 114194.  

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?
ID: 114195 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 6
Message 114196 - Posted: 27 Jun 2024, 13:54:24 UTC - in response to Message 114195.  
Last modified: 27 Jun 2024, 13:55:03 UTC

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?

Might be the case, yes. For now all the installations connect only to the malicious fake server, not any other real project server.
ID: 114196 · Report as offensive     Reply Quote
nothanks

Send message
Joined: 27 Jun 24
Posts: 1
Message 114197 - Posted: 27 Jun 2024, 19:00:51 UTC

I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.

The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's roaming folder on start and every 15 minutes from then on. It appears to also use powershell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.

Here is what we have done so far, and it hasn't come back in the last couple hours... but I plan to keep watching.
If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, windows security updates, and some of the entries were just an underscore and numbers. Bottom line is if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.
ID: 114197 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 6
Message 114198 - Posted: 27 Jun 2024, 19:32:30 UTC - in response to Message 114197.  

I'm not sure where to post this, but we had one instance of this in our office today. Note that I am NOT a malware specialist and anything I say needs to be taken with a grain of salt.

The malware appears to create multiple Task Scheduler entries that are set to run the files from the user's roaming folder on start and every 15 minutes from then on. It appears to also use powershell in the process, but I didn't let it run long enough to see how it all works. I didn't find any services directly associated with it, but I'm still digging in to see if I find any.

Here is what we have done so far, and it hasn't come back in the last couple hours... but I plan to keep watching.
If you come across an infected computer, immediately go to "Task Scheduler" and remove any entries that have an action which runs code from the "roaming" folder. It disguises the entries to look like Mozilla updates, Google updates, windows security updates, and some of the entries were just an underscore and numbers. Bottom line is if it runs code in the AppData/Roaming space then you probably shouldn't have that task scheduled. After getting all of these deleted you will also need to delete all the malicious files stored in the roaming folder and subfolders. You may have to kill processes using "Task Manager" to be able to delete all the files. For now this seems to have stopped the infection, but we will have to watch and see.


Thank you for the valuable input. I'm afraid this might be not enough, but if this works for you - that's very great!
ID: 114198 · Report as offensive     Reply Quote
makeasnek

Send message
Joined: 29 Jun 24
Posts: 1
United States
Message 114204 - Posted: 30 Jun 2024, 0:15:20 UTC - in response to Message 114195.  
Last modified: 30 Jun 2024, 0:23:21 UTC

The most obvious reason I can see for doing this would be gridcoin . Presumably 7K computers crunching could earn a fair amount?


Probably not. Plus, they are not connecting to any real BOINC projects, so they aren't earning any Gridcoin.

A purely profit-motivated individual would be better off mining Monero or other CPU-mineable coins. IIRC in the past somebody tried a similar thing where they bundled BOINC in malware and their CPID was banned from the Gridcoin network. I'm not sure how that was accomplished or how feasible it is at a technical level on the Gridcoin side at this point, but certainly BOINC projects could play whack-a-mole banning this person's CPID if they wanted to. BOINC projects don't export stats for that CPID = no Gridcoin for that person.

Some rough math here. Gridcoin mints 28,750 Gridcoin per day across all projects. Assuming a single person could earn all of that (not possible since it's rewarded proportional to other users crunching for GRC), they would get 28,750 GRC per day. At current exchange rates (one half of one cent USD, highest I've ever seen it is 2c) that's $143/day. Let's be very generous and assume they could capture around half of that GRC, that's $70/day for 7,000 machines. Not a very profitable use of that resource.

There are roughly 2300 CPIDs on Gridcoin, which you can roughly map to "users". Though of course some users have multiple CPIDs and some CPIDs represent multiple "users". And of course, many "users" have more than one machine crunching. On any given project, 15-48% of RAC is earned by Gridcoiners crunchers. That's the competition they'd have to "out-weigh" to capture the majority of GRC. Roughly one twelfth of GRC is distributed to folding@home crunchers, so this person would have to fold as well to capture that portion of the GRC.

Selling that much GRC would also further crash the price, making any GRC they earned even more useless. Current 24hr trading volume is 55k GRC/day, so this person's earnings would represent a nearly half of the pre-existing trading volume, all in the sell direction. And there are questions around that trading volume, it's not unheard of for exchanges to fake their trading volume, somebody with more knowledge than me on the trading side could speak to it.

If somebody had that much computing power (and network access), there are much, much more profitable ways to leverage it. Granted, if they are running that much BOINC, they may as well claim their GRC as well because at that point it's free money. But clearly such a person has motivations aside from purely profit.
ID: 114204 · Report as offensive     Reply Quote
ProfileDave
Help desk expert

Send message
Joined: 28 Jun 10
Posts: 2703
United Kingdom
Message 114206 - Posted: 30 Jun 2024, 18:58:22 UTC - in response to Message 114204.  

Thanks. I now know rather more about gridcoin than I did!
ID: 114206 · Report as offensive     Reply Quote
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 419
Sweden
Message 114221 - Posted: 5 Jul 2024, 0:01:17 UTC

Any news on the forensic analysis of this malware? Any malware reverse engineering (MRE) going on?
If this is still spreading, and not dealt with, wouldn't be time now to post a warning about this malware on the different projects forum pages?
ID: 114221 · Report as offensive     Reply Quote
nickfurthermore

Send message
Joined: 5 Jul 24
Posts: 1
United States
Message 114225 - Posted: 5 Jul 2024, 20:41:31 UTC - in response to Message 114221.  

I am just seeing this on a machine today 2024-07-05 that a friend brought over for me to look at. I can see the behavior that @Vitalii Koshura posted earlier. I do see the task in the windows scheduled task as mentioned as well. I did a Windows Defender Scan of the files and it did not flag any of the files as malicious.
ID: 114225 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 6
Message 114226 - Posted: 5 Jul 2024, 21:35:41 UTC

Small update:

Malicious server is not reachable anymore.
That server was not configured properly, and thus no real malware was installed from it using BOINC.
Because the server was not configured properly, there was no chance to get the potential payload to analyze the behavior.
I got a report several days ago that Windows Defender started to recognize the initial malicious payloader (that was used to upload BOINC to the end machines) that was installed on a hidden partition.
I know nothing about the ways this malware reached the end users machines, since the reports I received have nothing in common.

For me the whole incident looks like a work of a lamer.
ID: 114226 · Report as offensive     Reply Quote
Vitalii Koshura

Send message
Joined: 26 Apr 22
Posts: 6
Message 114227 - Posted: 5 Jul 2024, 21:37:11 UTC - in response to Message 114225.  
Last modified: 5 Jul 2024, 21:51:28 UTC

I am just seeing this on a machine today 2024-07-05 that a friend brought over for me to look at. I can see the behavior that @Vitalii Koshura posted earlier. I do see the task in the windows scheduled task as mentioned as well. I did a Windows Defender Scan of the files and it did not flag any of the files as malicious.


I'm sorry to hear that your friend haы received that malware as well.
Try to do full system scan, it should help (at least, I received once the report that the malware was found on a hidden partition).
ID: 114227 · Report as offensive     Reply Quote
syu

Send message
Joined: 9 Jul 24
Posts: 3
United States
Message 114238 - Posted: 9 Jul 2024, 3:36:50 UTC - in response to Message 114191.  

Recently, my computer began experiencing disruptions characterized by a PowerShell window that intermittently popped up and closed rapidly. This was not only annoying but also interrupted my workflow by abruptly affecting active windows. Based on the help of this thread, I was able to delete the malware in this order:
1. I deleted the BOINC program in task managers first
2. Proceeded to deleting the task scheduler
3. The files in the AppData/Roaming folder.

I waited 15 minutes to see if the program ran again and I'm happy to report that it hasn't so I think the malware has been handled. If not, I will update you here.

My account of the BOINC malware identification, hopefully it will help with investigating the source:

Identifying the Malware: I meticulously observed my Task Manager to identify the source during these pop-ups. I discovered that each appearance was associated with the execution of a BOINC application, which terminated just as quickly.

Evasion of Detection: To attempt a resolution, I installed and ran Malwarebytes, a reputable antivirus software, which unfortunately failed to detect any malicious activity. This suggests that the malware is capable of evading detection by standard antivirus tools.

Disguise Tactics: Further investigation revealed that the malware was disguised under innocuous file names like "Licensing Validator Updater," which camouflaged it among legitimate system processes.

Given the novelty of this malware a Google search wasn't enough to provide me with more detail. I also shared some of the file logs with ChatGPT to see if it understands what it's executing and it was unable to detect any foul play and said something like:

"Based on the content of the log you provided, it doesn't indicate that this is a virus. BOINC (Berkeley Open Infrastructure for Network Computing) is a legitimate platform that allows people to contribute their computer's unused processing power to scientific research projects. It's widely used for purposes such as disease research, climate change predictions, and astrophysics simulations."

The next question that led me to was how did it even get installed on my computer. Investigating more log files in the folder I noticed that although BOINC is a Berkeley project, it was referencing Rosetta and even have a http://rosettahome.cn/rosettahome/ url in some of the files that made it more suspicious.

I uncovered a file named "daily_xfer_history.xml" in the malware's directory. This file recorded extensive data uploads and downloads, clearly outlining unauthorized network activity. For instance, on one day, the log showed an upload of over 1.1 million units and a download of 181,511 units.

This is when I found this thread and started taking actions to remove it.

Connection to JetBlue Inflight Internet: The creation date of the malware's folder coincided with the day I accessed JetBlue's free inflight Internet on 6/24/24 flying out of JFK, suggesting a potential point of infection. It was the start of my vacation and I rarely used my computer for the week I was there. On the flight back home on JetBlue I noticed that my computer was considerably slower and attributed it to the WiFi, but most likely could've been the malware executing tasks.

System Information: My system runs on Windows 11 OS.
ID: 114238 · Report as offensive     Reply Quote
Grumpy Swede
Avatar

Send message
Joined: 30 Mar 20
Posts: 419
Sweden
Message 114239 - Posted: 9 Jul 2024, 5:03:29 UTC - in response to Message 114238.  
Last modified: 9 Jul 2024, 5:34:30 UTC

To Mods: If you need to hide this, for security or privacy reasons, at least fwd it to someone at BOINC, if they haven't already found the same information.

@syu

I take it that you normally do not run any projects under BOINC (the legitimate program) on your computer(s), or have it installed?

Anyhow, some data on rosettahome.cn, which really looks suspicious:

Whois Record for RosettaHome.cn

Domain Profile
Registrar Status
Dates 15 days old
Created on 2024-06-23
Expires on 2025-06-23

Name Servers NS1.HE.NET (has 64,374 domains)
NS2.HE.NET (has 64,374 domains)

IP Address 104.200.73.68 is hosted on a dedicated server


IP Location United States - California - Los Angeles - Crowncloud Us Llc
ASN United States AS8100 ASN-QUADRANET-GLOBAL, US (registered Oct 22, 2009)
Hosting History 1 change on 2 unique name servers over 0 year
Whois Record ( last updated on 2024-07-09 )
Domain Name: rosettahome.cn
ROID: 20240623s10001s58769039-cn
Domain Status: clientTransferProhibited
Registrant: cristian ratti
Registrant Contact Email:
Sponsoring Registrar: DYNADOTCHINA LLC
Name Server: ns2.he.net
Name Server: ns1.he.net
Registration Time: 2024-06-23 19:36:49
Expiration Time: 2025-06-23 19:36:49
DNSSEC: unsigned


Edit, added:

rosettahome.cn
Abuse issues with rosettahome.cn?
Abusive contact email(s):

43577893@protonmail.com
Technical Contact
Administrative Contact
Registrant
Name: cristian ratti

Email: 43577893@protonmail.com
ID: 114239 · Report as offensive     Reply Quote
syu

Send message
Joined: 9 Jul 24
Posts: 3
United States
Message 114241 - Posted: 9 Jul 2024, 13:58:31 UTC - in response to Message 114239.  

Correct, I did not install BOINC on my computer. Never heard about it till I had to investigate the cause of the command window popping up and closing.
ID: 114241 · Report as offensive     Reply Quote
ProfileDavid Anderson
Volunteer moderator
Project administrator
Project developer
Avatar

Send message
Joined: 10 Sep 05
Posts: 726
Message 114285 - Posted: 19 Jul 2024, 1:21:21 UTC

A computer security company called Huntress released an analysis of how this malware works.

It confirms that this attack is not due to any vulnerability in BOINC.

The report doesn't describe how to remove the malware.
ID: 114285 · Report as offensive     Reply Quote
syu

Send message
Joined: 9 Jul 24
Posts: 3
United States
Message 114291 - Posted: 19 Jul 2024, 16:44:45 UTC - in response to Message 114285.  

Thank you @David Anderson for sharing the report. I came back to this forum because I identified a more malicious attack than the fake BOINC install and that is the PowerShell execution (documented in Huntress) and forced proxy connection, that was not documented in the report.

I found the update.js file in my downloads folder, most likely I clicked it thinking it was a legitimate Chrome update.

After deleting the BOINC files as outlined previously, the command window stopped popping up, but I still noticed substantial Internet data usage on my computer coming from my OS system and some unusual browsing experience, such as having to go through extensive human security checks via Cloudflare when accessing basic websites or just not being able to access websites.

I noticed that my internet kept connecting to a manual proxy setup despite hundreds of attempts to turn that setting off in system settings. I am not a computer engineer, so I thought maybe it was a default setting so didn't think much about it until yesterday when I tried to log into my Bank of America account. My account got locked on my computer and then received a call from the security department at BofA saying that my computer has malware on it so they had to reset my account and issued a new username and password which I can access via mobile banking but not my computer until the threat has been taken care of. That confirmed my proxy suspicions and dug in.

Long story short, I downloaded GridinSoft Antimalware since MalwareBytes was unable to detect anything and sure enough the malicious registry edits that overrides the proxy settings and a suspicious BCILauncher.exe launcher was flagged. Initially deleting the proxy setting registries didn't work and it kept reappearing, so I turned off the Internet to block the connection, deleted the BCILauncher.exe registry first, then deleted the proxy registries and it did not come back. The persistent proxy settings haven't returned, but I'm still monitoring it.

Here is the registry key file path to identify if there is a proxy override key:

BCILauncher Key:
Path: Computer\HKU\DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\BCILauncher

Proxy Enable Key:
Path: Computer\HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
Value: "1" (This means the proxy is enabled)

Proxy Server Key:
Path: Computer\HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
Value: https=localhost:5311 (This sets the localhost and the port number as the proxy server, the port can vary, i've seen it as a 5 digit value as well)

To identify when this program was downloaded to help with examining malicious files and folders that you did not install or download, open Task Scheduler on windows, find a task that says "wfgmzebrocxts". Examine the action:
Action: Start a program
Details: conhost --headless powershell -ep bypass Azurewfgmzebrocxts

When you click edit, you will see when it was set to start the schedule - for my case mine started on 5/9/24 and it was set to run every 3 minutes. Delete this task after you inspect it. I easily found the update.js file in my downloads folder and sure enough it was downloaded on 5/9/24. If you do more digging, this is a known trojan virus. It's important to note that the BOINC files and task schedule did not appear until around the end of June for me, so my theory is that those files were uploaded onto my computer at a later data possibly using the proxy connection.
ID: 114291 · Report as offensive     Reply Quote
PR3

Send message
Joined: 20 Jul 24
Posts: 1
Message 114304 - Posted: 20 Jul 2024, 20:00:58 UTC - in response to Message 114291.  
Last modified: 20 Jul 2024, 20:42:55 UTC

Thank you all for the information in this thread. I, too, found unwanted BOINC clients running on my Windows 11 PC, evidently starting around June 23-24, and I followed the steps described earlier in this thread to delete the malicious BOINC files, processes, and scheduler entries. The malicious BOINC clients did not return.

Approximately one week after doing this, I started noticing other anomalies: namely, the same forced proxy connections and PowerShell executions that were described in this thread. In addition, my anti-virus software had quarantined / removed an update.js file in my Downloads folder and was showing blocked threats of a severe nature (several attempts to install various types of FormBook malware, for example) multiple times every day. While it was good to see these threats getting blocked, I had no idea if any other threats were getting by the anti-virus software undetected.

At the time I couldn't find any information online to indicate whether or not this second group of symptoms was related to the first, but the whole experience became concerning enough to me a few days ago that I wiped my hard drive and installed a fresh copy of Windows. That certainly wasn't my first preference, but it does seem to have resolved the issues, and although the inconvenience was significant, at this point I'd say that it was worth it.

The nagging question, of course, is whether any of this malware actually captured my personal data to use for malicious purposes while it ran on my computer. So far, I see no evidence of compromised online accounts. I am monitoring everything closely and will continue to do so for the foreseeable future, and I will continue to follow this thread and the other related links for new information.

Thanks again.
ID: 114304 · Report as offensive     Reply Quote
ProfileDavid Anderson
Volunteer moderator
Project administrator
Project developer
Avatar

Send message
Joined: 10 Sep 05
Posts: 726
Message 114314 - Posted: 22 Jul 2024, 1:50:12 UTC

An analyst at Huntress send me the following instructions for removing the malware. I hope they are useful.

---------------------
Several things will be needed to remove the malware.

1) Delete the malicious scheduled tasks and services. The names of the tasks should follow the patterns outlined in the blog post, but they will all vary slightly so we can't say exactly what they will be called. Look for recently created tasks executing binaries named as described (example "SecurityHealthService.exe") in our blog post or executing encoded or obfuscated powershell with conhost.exe. Example Task Names: Google_Maintenance_Worker, System_Health_Service_12345534359, Enable-StorageBusDisk. These may appear to be similar to legitimate tasks/services so be careful not to remove the legitimate ones.

2) Some of the commands in the scheduled tasks may use powershell to "get-content" stored in directories such as "c:\users\\appdata\local\Microsoft\[random_word]". Examine this directory for suspicious files such as "Enable-StorageBusDisk.log" matching the name of the scheduled task that executes the powershell command.

3) Audit the "c:\users\\appdata\roaming\" directory for related files and subdirectories (e.g. a folder called" Secure Transaction Systems") and remove any suspicious files. Look specifically for BOINC.exe (and renamed versions of it) and remove all related files in the directory.

4) Look for an "update.js" file in the Downloads directory and remove if found.

This isn't guaranteed to remove the threat and all changes made to the system, as we don't know what all has happened exactly on each machine, as that will vary slightly. The tactics used may change as a result of the blog post as well. But this should be a good guide to get started removing at least the persistence associated with the malware campaign. As long as there is not an active network connection to the malicious server from either powershell or BOINC software, the threat should be reduced greatly. The best method to guarantee the threat is completely removed is to reinstall the operating system or restore from a known good backup copy whenever possible.
ID: 114314 · Report as offensive     Reply Quote
JoseByron

Send message
Joined: 19 Aug 24
Posts: 1
United States
Message 114469 - Posted: 19 Aug 2024, 19:31:29 UTC - in response to Message 114314.  

I initially experienced substantial slowdown in my machine around late June or early July of this year, for a few days, but couldn't find anything specific and after a couple of days of being turned off, it seemed to go away.
Sometime in early August, my Webroot antivirus reported BOINC as malware and removed it automatically, something which has not happened in the 20+ years I have used it.

So the good news is it was removed by Webroot Secure Anywhere without any serious consequences; it seems to have been within the update from 7/5/24: "boinc_8.0.2_windows_x86_64.exe"; bad news is, I can't use it now. I suppose I could try an old version but don't have one handy right now.

Regards,
JBG
ID: 114469 · Report as offensive     Reply Quote
1 · 2 · Next

Message boards : News : Windows malware reported

Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation.