Do we have a Boinc virus?

Message boards : Number crunching : Do we have a Boinc virus?

Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240169 - Posted: 31 Jan 2006, 6:01:01 UTC
Last modified: 31 Jan 2006, 6:06:14 UTC

Something interesting came up on Team Starfire. A non-SETI member had a problem with "setiathome_4.18_windows_intelx86.exe" running in the background and couldn't get rid of it. After doing a lot of searching we found that it was hidden in his system32 folder and the exe was renamed to "wupdmgr1.exe". Someone went to a lot of trouble to hide everything. We found the user who is getting the credits, and his stats are very interesting. http://setiathome.berkeley.edu/team_display.php?teamid=122736 A one-user team and ranked 10th in the world. What do you think?

edit: had the wrong url posted.

>Fred

http://www.teamstarfire.org/
ID: 240169
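A defender-side check prompted by the find above, added here as an example and not code from the thread or from the BOINC project: it lists System32 executables whose embedded OriginalFilename disagrees with their on-disk name, then shows which of those are running. It assumes an elevated PowerShell session and that a renamed science app still carries its original PE version resource (so "wupdmgr1.exe" would still report a setiathome name inside).

```powershell
# Added example, not code from the thread or the BOINC project.
# Assumption: the renamed binary keeps its original PE version resource, so the
# embedded OriginalFilename (e.g. setiathome_4.18_windows_intelx86.exe) no longer
# matches the name it was given on disk (e.g. wupdmgr1.exe).

function Get-RenamedExecutable {
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))

    Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi   = $_.VersionInfo
            $orig = $vi.OriginalFilename
            # Files without a version resource give us nothing to compare against.
            if ([string]::IsNullOrWhiteSpace($orig)) { return }

            $onDisk   = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            $embedded = [IO.Path]::GetFileNameWithoutExtension($orig.Trim())
            # Case-insensitive compare; some vendors upper-case the embedded name.
            if ($onDisk -ine $embedded) {
                [pscustomobject]@{
                    Path             = $_.FullName
                    OriginalFilename = $orig
                    ProductName      = $vi.ProductName
                    CompanyName      = $vi.CompanyName
                    LastWriteTime    = $_.LastWriteTime
                }
            }
        }
}

$suspects = @(Get-RenamedExecutable)
$suspects | Format-Table -AutoSize

# The symptom in the thread was unexplained CPU use, so cross-reference with
# live processes: which of the mismatched files are executing right now?
$running = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path }
foreach ($s in $suspects) {
    foreach ($p in ($running | Where-Object { $_.Path -ieq $s.Path })) {
        '{0} (PID {1}) is running from {2}; embedded name is {3}' -f `
            $p.ProcessName, $p.Id, $s.Path, $s.OriginalFilename
    }
}
```

Mismatches are leads, not verdicts: some vendor binaries legitimately carry a different OriginalFilename, so check ProductName/CompanyName and the file's signature (Get-AuthenticodeSignature) before acting.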
Profile Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 173,101
RAC: 0
Australia
Message 240170 - Posted: 31 Jan 2006, 6:05:33 UTC

Ummm can't see
This user has chosen not to show information about their computers.
:(

G'day from.....
ID: 240170
Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240171 - Posted: 31 Jan 2006, 6:07:06 UTC - in response to Message 240170.  

Ummm can't see
This user has chosen not to show information about their computers.
:(

Try it now. I had the wrong URL posted.

http://www.teamstarfire.org/
ID: 240171
Profile Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 173,101
RAC: 0
Australia
Message 240174 - Posted: 31 Jan 2006, 6:16:57 UTC

Yup, see it now, thanks, but he/she has computers hidden,
so who knows how many they have. It would be an idea if
someone could find this out.
Something doesn't add up to me. I did read the Team Starfire thread;
very interesting.

G'day from.....
ID: 240174
Profile Prognatus
Joined: 6 Jul 99
Posts: 1600
Credit: 391,546
RAC: 0
Norway
Message 240175 - Posted: 31 Jan 2006, 6:17:39 UTC

Did he download BOINC from download.com or directly from Berkeley?

ID: 240175
Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240176 - Posted: 31 Jan 2006, 6:20:35 UTC - in response to Message 240175.  

Did he download BOINC from download.com or directly from Berkeley?

He didn't even know what Boinc or Seti was. He just noticed the files were using his CPU time.


http://www.teamstarfire.org/
ID: 240176
Profile Kinguni
Volunteer tester
Joined: 15 Feb 00
Posts: 239
Credit: 9,043,007
RAC: 0
Canada
Message 240177 - Posted: 31 Jan 2006, 6:21:32 UTC - in response to Message 240175.  

Did he download BOINC from download.com or directly from Berkeley?


He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service.
Join Team Starfire
BOINC Chat

ID: 240177
Profile Shadowcats
Volunteer tester
Joined: 22 Sep 03
Posts: 36
Credit: 173,101
RAC: 0
Australia
Message 240180 - Posted: 31 Jan 2006, 6:25:30 UTC

Reading the Starfire thread, has he actually asked his brother
if he installed it and didn't want him knowing about it?
Just a thought...
G'day from.....
ID: 240180
Profile Misfit
Volunteer tester
Joined: 21 Jun 01
Posts: 21804
Credit: 2,815,091
RAC: 0
United States
Message 240184 - Posted: 31 Jan 2006, 6:28:53 UTC
Last modified: 31 Jan 2006, 6:38:20 UTC

Interesting process name - wupdmgr.exe

According to Boinc Stats he has 13 hosts, and more info.

Here are his computers on CPDN.
ID: 240184
Profile Prognatus
Joined: 6 Jul 99
Posts: 1600
Credit: 391,546
RAC: 0
Norway
Message 240185 - Posted: 31 Jan 2006, 6:30:32 UTC - in response to Message 240177.  
Last modified: 31 Jan 2006, 6:40:40 UTC

He didn't download it at all. It installed without his permission under a different name, made to look like it's the Windows Update service.
Did he get an email from "Microsoft" with a link to "Windows Update"?
If so, he probably got a virus. Microsoft doesn't send out emails like that. A friend of mine followed such a link and had to reformat his entire drive to get rid of the virus.

ID: 240185
Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240186 - Posted: 31 Jan 2006, 6:30:54 UTC - in response to Message 240180.  

Reading the Starfire thread, has he actually asked his brother
if he installed it and didn't want him knowing about it?
Just a thought...

I think he would have recognized the name if it was his brother. He is from Canada and the account is in Germany.

http://www.teamstarfire.org/
ID: 240186
Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240187 - Posted: 31 Jan 2006, 6:31:55 UTC - in response to Message 240184.  
Last modified: 31 Jan 2006, 6:38:20 UTC

Interesting process name - wupdmgr.exe

I see what you mean!

http://www.teamstarfire.org/
ID: 240187
Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240203 - Posted: 31 Jan 2006, 6:58:13 UTC - in response to Message 240184.  

Interesting process name - wupdmgr.exe

According to Boinc Stats he has 13 hosts, and more info.

Here are his computers on CPDN.


Nice work Misfit! For 13 hosts that's a nice RAC, 121,566, and today was a bad day.

http://www.teamstarfire.org/
ID: 240203
Profile Paul D. Buck
Volunteer tester
Joined: 19 Jul 00
Posts: 3898
Credit: 1,158,042
RAC: 0
United States
Message 240218 - Posted: 31 Jan 2006, 8:27:04 UTC

Very interesting ... quite an exploit ... :(

I wonder if this would be a good candidate for: Total Credit => 0 ...
ID: 240218
Profile MikeSW17
Volunteer tester
Joined: 3 Apr 99
Posts: 1603
Credit: 2,700,523
RAC: 0
United Kingdom
Message 240223 - Posted: 31 Jan 2006, 8:52:15 UTC

The subject of viruses always elicits a very emotional and often panic reaction.

Before taking this discussion further, it is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.



ID: 240223
Profile Paul D. Buck
Volunteer tester
Joined: 19 Jul 00
Posts: 3898
Credit: 1,158,042
RAC: 0
United States
Message 240224 - Posted: 31 Jan 2006, 9:00:45 UTC - in response to Message 240223.  

The subject of viruses always elicits a very emotional and often panic reaction.

Before taking this discussion further, it is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.

Oh, sure... no argument there ...
ID: 240224
Profile Kinguni
Volunteer tester
Joined: 15 Feb 00
Posts: 239
Credit: 9,043,007
RAC: 0
Canada
Message 240227 - Posted: 31 Jan 2006, 9:11:49 UTC - in response to Message 240223.  

It is very important to note that BOINC itself hasn't any virus characteristics, but, like any program, it can be the payload carried by a true virus or other exploit.

Whatever the outcome of this issue, BOINC is entirely blameless.



Of course. This was done by more than one user with classic SETI as well.
Join Team Starfire
BOINC Chat

ID: 240227
Profile Mr.Pernod
Volunteer tester
Joined: 8 Feb 04
Posts: 350
Credit: 1,015,988
RAC: 0
Netherlands
Message 240235 - Posted: 31 Jan 2006, 10:17:58 UTC

Seen the same thing happening with FaH.
Some people find it useful to make programs like FaH or SETI part of self-extracting/installing archives distributed via p2p networks.
So it is most likely it was just a simple p2p download (which the 'victim' most likely will not admit to) that installed SETI.
ID: 240235
Profile Crunch3r
Volunteer tester
Joined: 15 Apr 99
Posts: 1546
Credit: 3,438,823
RAC: 0
Germany
Message 240237 - Posted: 31 Jan 2006, 10:37:11 UTC - in response to Message 240218.  

Very interesting ... quite an exploit ... :(

I wonder if this would be a good candidate for: Total Credit => 0 ...


I agree with you, Paul.
Furthermore, I would consider deleting the account as an option.




Join BOINC United now!
ID: 240237
Jack Gulley
Joined: 4 Mar 03
Posts: 423
Credit: 526,566
RAC: 0
United States
Message 240241 - Posted: 31 Jan 2006, 11:15:19 UTC

If the Berkeley staff are not already all over this one, they should be, before the press is. Computer IDs in that account might allow them to find the IP addresses being used, and maybe track back to some of the system owners. And at least tell us how many different systems are being used and are "infected" this way. It would take at least 100 and maybe 300 systems or more to generate that kind of average credit.

The team was set up January 1, 2006, but he had over 5 million credits then. Based on his credit history he has been at this for four months or longer, holds second place in BOINC/SETI rank, and has not been detected?

ID: 240241