Do we have a Boinc virus?


Lee Carre
Volunteer tester
Joined: 21 Apr 00
Posts: 1459
Credit: 58,485
RAC: 0
Channel Islands
Message 240314 - Posted: 31 Jan 2006, 16:04:58 UTC - in response to Message 240310.

if i had to make a suggestion, i'd say inform all the right places about what boinc is, before they make their own assumptions, that would be a good path towards damage control
That begins to sound better, but is still not sufficient. What we need is publicly showing and punishing such cheaters - having Black Boards on the official BOINC and project web sites, where such people will be displayed, accounts and credits removed, and their credits removed from all their present and former teams too. If such people are legally prosecuted, it also needs to be shown there - so that it serves as a sufficient deterrent for other potential followers. If people are fired because of illegally installing BOINC in their jobs, it should be shown there too.

agreed, but not just for seti, the stats sites need to be informed

i use boincstats as my personal "stats service" choice, and when there was a user from rosetta, claiming a HUGE amount of credit (like TC of a few zillion!) it was obvious, and there was no way they could have got that much in just a few days/weeks

as it was obviously messing up the stats, willy (the boincstats admin) banned/removed his stats from the site, and informed the rosetta project admins of the situation
so some collaboration between projects needs to happen, so that a user doesn't just commit his deeds elsewhere, "public" needs to be BOINC wide (stats sites included), not just public on one project (not everyone does SETI)

Fuzzy Hollynoodles
Volunteer tester
Joined: 3 Apr 99
Posts: 9659
Credit: 251,998
RAC: 0
Message 240334 - Posted: 31 Jan 2006, 16:55:59 UTC - in response to Message 240258.

Hmm, very interesting and very dangerous for the project and for the community!!! Can one of the people here with a direct wire to Rom or others at Berkeley make sure that they are aware of it, and are taking the necessary steps to avoid BOINC being banned by antimalware, antivirus and firewall software, and before it makes news in some IT magazines?

I know the user ID quite well - I noticed him when he, as the leader of SETI Germany with an incredible RAC of ~70k (now it is even more), left the team and created his own one just a few weeks ago. I found it very strange, but since there were others leaving the team shortly after (including some well known forum members), I thought there were some internal conflicts behind it (we just seem to have one at CNT too).

I find it very important that some officials take the necessary steps to avoid more damage. I hate to say it, but this is a criminal activity, and the author of the act deserves to be investigated by the police. I hope for him that he is innocent and it was just some stupid friend of the victim who installed it manually (though it definitely does not look like it).


I've mailed Rom and Matt with a link to this thread.



____________
"I'm trying to maintain a shred of dignity in this world." - Me

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 240341 - Posted: 31 Jan 2006, 17:15:03 UTC - in response to Message 240310.

if i had to make a suggestion, i'd say inform all the right places about what boinc is, before they make their own assumptions, that would be a good path towards damage control
That begins to sound better, but is still not sufficient. What we need is publicly showing and punishing such cheaters - having Black Boards on the official BOINC and project web sites, where such people will be displayed, accounts and credits removed, and their credits removed from all their present and former teams too. If such people are legally prosecuted, it also needs to be shown there - so that it serves as a sufficient deterrent for other potential followers. If people are fired because of illegally installing BOINC in their jobs, it should be shown there too.


Agree!

____________


http://www.mikesbawx.org/photo/

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 240342 - Posted: 31 Jan 2006, 17:18:44 UTC - in response to Message 240300.

it's the same as with guns, guns don't kill people, people kill people
Explain to the Gestapo it was not you who killed H. Heydrich even if it is apparent your gun was used.

different issue, my point was that the gun acting alone (if that's possible for an inanimate object) doesn't kill someone, it needs to be fired by a person

what you're talking about is ownership, have you heard of zombie or bot networks, these are mostly computers of unaware users conducting a DDoS attack, just because john doe owns one of these infected computers, doesn't mean he's responsible

just because my car might have been used in a robbery, doesn't mean i was there, it just means my car was, because it was probably stolen

please take a look at an idiotic article on TPM in which the blatant problems with the implied "security" of the system are made apparent, the main quote from the original article being...
In fact, with TPM, your bank wouldn’t even need to ask for your username and password -- it would know you simply by the identification on your machine.

and the comment to that...
Since when is "your computer" the same as "you"?



i wouldn't try to explain, the Gestapo usually just did what they wanted, right or wrong, because they were power hungry and unreasonable, so if they wanted to kill me they would anyway

however, (i'd hope) the officials in charge of security today (national security and the like) would be more reasonable, and if something controversial makes sense, then they'd at least listen



I believe what others are saying here is that we are not going after the gun, but rather the person who pulled the trigger.

In this case, SOMEONE may have infected many machines with a trojan whose payload was SETI that logs in and claims credit with the OFFENDER'S account number.

Just because we want to go after the guy, does not mean we want to go after the unsuspecting public whose computer was merely compromised by an unknown (Unknown only to the public because S@H folks know who he is).
____________


http://www.mikesbawx.org/photo/

trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240350 - Posted: 31 Jan 2006, 17:29:53 UTC

I wrote to Carsten Giese and had a brief reply saying just that he does not know how to write viruses. There was no word of explanation in his answer, though, of the appearance of his BOINC account on other people's computers. And of course, you do not need to know how to write viruses if you use a widely available kit and just replace the content.
____________
trux
BOINC software
Freediving Team
Czech Republic

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240354 - Posted: 31 Jan 2006, 17:37:19 UTC
Last modified: 31 Jan 2006, 17:38:41 UTC

We have to remember that this is being installed on computers without the knowledge and permission of the owners. Even though Boinc and SETI are not responsible, they are the focus of this exploit. Users that don't know about the projects will associate the projects with a virus or trojan. The purpose of this thread was to get some input from the forum members to see if they came to the same conclusion we came to at Team Starfire, and to let the powers that be at Boinc and Seti know about this user. The main thing now is to get him shut down, and hopefully they will find the carrier of this exploit and stop it.

>Fred
____________

http://www.teamstarfire.org/

Mr.Pernod
Volunteer tester
Joined: 8 Feb 04
Posts: 350
Credit: 1,015,988
RAC: 0
Netherlands
Message 240357 - Posted: 31 Jan 2006, 17:49:06 UTC

Just my simple opinion here.
I think a lot of these "problems" can be prevented by the users themselves.
If only they would stop running executable slideshows and such they downloaded from a p2p-network while being logged into their windows machine as administrator or poweruser...

Astro
Volunteer tester
Joined: 16 Apr 02
Posts: 8026
Credit: 600,015
RAC: 0
Message 240361 - Posted: 31 Jan 2006, 17:59:09 UTC

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

Lee Carre
Volunteer tester
Joined: 21 Apr 00
Posts: 1459
Credit: 58,485
RAC: 0
Channel Islands
Message 240362 - Posted: 31 Jan 2006, 18:00:43 UTC - in response to Message 240357.

Just my simple opinion here.
I think a lot of these "problems" can be prevented by the users themselves.
If only they would stop running executable slideshows and such they downloaded from a p2p-network while being logged into their windows machine as administrator or poweruser...

true, and i totally agree with prevention before cure, but the fact of the situation is that it's already happened and most users are unaware of security issues, how they can be infected, and how they can prevent infection

so i agree that damage control needs to be done, by informing all the major "security companies" about BOINC and what it does (and that it isn't bad)
which will help a lot, also emailing a few of the major "process information" sites will help too, as this is where a lot of users will get info about a suspected file

Lee Carre
Volunteer tester
Joined: 21 Apr 00
Posts: 1459
Credit: 58,485
RAC: 0
Channel Islands
Message 240363 - Posted: 31 Jan 2006, 18:02:12 UTC - in response to Message 240361.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

must have, i don't know of any other way to attach

Scarecrow
Joined: 15 Jul 00
Posts: 4400
Credit: 460,921
RAC: 96
United States
Message 240364 - Posted: 31 Jan 2006, 18:09:37 UTC

While it's positively, absolutely not Seti/Boinc/Berkeley's fault, the Boinc folks will almost certainly need to get ahead of it, if for nothing else than the PR side of things.
The angry crowds (the ones with the torches and pitchforks) will loudly proclaim that Boinc and its projects are reaping the rewards of the illicit activity, so why should they try to curtail it?
So if in fact the genie is out of the bottle, a low profile, or no response, from the boinc camp will likely help feed that mindset, even if steps are taken internally to correct and prevent the problem.

Mr.Pernod
Volunteer tester
Joined: 8 Feb 04
Posts: 350
Credit: 1,015,988
RAC: 0
Netherlands
Message 240365 - Posted: 31 Jan 2006, 18:13:30 UTC - in response to Message 240361.
Last modified: 31 Jan 2006, 18:15:25 UTC

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

someone with access to the hard disk of his networked computer/laptop at work/client.
an unhappy client with a packet sniffer.
any of the multitude of rampant keyloggers out there.

otoh, why didn't he come to the boards/helpdesk when he last checked his machines? (or did he)

Aurora Borealis
Volunteer tester
Joined: 14 Jan 01
Posts: 3027
Credit: 5,217,266
RAC: 1,449
Canada
Message 240366 - Posted: 31 Jan 2006, 18:20:10 UTC - in response to Message 240363.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

must have, i don't know of any other way to attach

I see keys in the help desk often. Noobs don't know better.
____________

Boinc V7.2.42
Win7 i5 3.33G 4GB, GTX470

Matt Lebofsky
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Mar 99
Posts: 1391
Credit: 74,079
RAC: 10
United States
Message 240370 - Posted: 31 Jan 2006, 18:30:25 UTC

Not sure exactly what's going on here, or if there's even anything to be worried about. But back in Classic there was at least one time when a virus circulated around the internet that, among other things, would download SETI@home and start crunching workunits for random users. So we've been there, done that.

No amount of PR (before or after) can protect us from the lack of understanding by the general public about how the internet works, who is responsible for what, who is at fault, etc. Frankly, I think preemptive PR might cause more confusion than quell any panic.

People always freak out about the security of BOINC. Yet there they are surfing the web every day, which is far, far less secure.

- Matt
____________
-- BOINC/SETI@home network/web/science/development person
-- "Any idiot can have a good idea. What is hard is to do it." - Jeanne-Claude

Byron Leigh Hatch @ team Carl Sagan
Project donor
Volunteer tester
Joined: 5 Jul 99
Posts: 3623
Credit: 11,949,660
RAC: 238
Message 240371 - Posted: 31 Jan 2006, 18:33:19 UTC - in response to Message 240370.

Not sure exactly what's going on here, or if there's even anything to be worried about. But back in Classic there was at least one time when a virus circulated around the internet that, among other things, would download SETI@home and start crunching workunits for random users. So we've been there, done that.

No amount of PR (before or after) can protect us from the lack of understanding by the general public about how the internet works, who is responsible for what, who is at fault, etc. Frankly, I think preemptive PR might cause more confusion than quell any panic.

People always freak out about the security of BOINC. Yet there they are surfing the web every day, which is far, far less secure.

- Matt


Matt ... thanks for your post and info




____________

Astro
Volunteer tester
Joined: 16 Apr 02
Posts: 8026
Credit: 600,015
RAC: 0
Message 240375 - Posted: 31 Jan 2006, 18:36:55 UTC - in response to Message 240366.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

must have, i don't know of any other way to attach

I see keys in the help desk often. Noobs don't know better.

True enough. Carsten isn't a noob though

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 240379 - Posted: 31 Jan 2006, 18:49:35 UTC - in response to Message 240361.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?


Or better yet, why why? what's the point? Why not rack up your own credits :)

____________


http://www.mikesbawx.org/photo/

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 240380 - Posted: 31 Jan 2006, 18:50:49 UTC - in response to Message 240375.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?

must have, i don't know of any other way to attach

I see keys in the help desk often. Noobs don't know better.

True enough. Carsten isn't a noob though


Unless Carsten is doing it for himself..DUH?

____________


http://www.mikesbawx.org/photo/

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240398 - Posted: 31 Jan 2006, 20:01:18 UTC - in response to Message 240361.

If someone maliciously used Carsten's account, I wonder how they got his "key" and/or password?
If someone maliciously got mine I think I would notice something was wrong. RACs don't grow like that for nothing.

____________

http://www.teamstarfire.org/

Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240407 - Posted: 31 Jan 2006, 20:09:58 UTC

It looks like it's a modified worm called "Hadra" that's being used. http://www.f-secure.com/v-descs/hadra.shtml

Member of SETI Distributed Network

The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on the affected computer (see more information about SETI at http://setiathome.berkeley.edu).

The SETI software is downloaded by the worm to the Windows directory under the name MSSETI.EXE from the following FTP sites:


ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

The worm also creates the following files in the Windows directory:

USER_INFO.SAH and VERSION.SAH, with SETI-specific information
MSSETI.PIF, RUN_MSSETI.VBS and MSSETI.BAT, to run the SETI program

and registers the RUN_MSSETI.VBS file in the Registry auto-run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = "WScript.exe %WinDir%\run_msseti.vbs"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = "WScript.exe %WinDir%\run_msseti.vbs"

The USER_INFO.SAH file contains user-specific information about the SETI user; the worm writes the following IDs there:


id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic



____________

http://www.teamstarfire.org/
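The F-Secure description quoted above gives a defender everything needed to check a machine for this particular persistence: the msseti value under the Run/RunServices keys and the dropped files in the Windows directory, with USER_INFO.SAH naming the account that the hijacked machine crunches for. The following is an added example (not from the thread, F-Secure or the SETI project) that runs those checks over a .reg export and a directory listing; the sample registry export, file listing and USER_INFO.SAH below are constructed, and the account values in it are placeholders rather than the IDs from the post.

```python
# Added example (not from the thread or F-Secure): flags the Hadra persistence
# artefacts quoted above in a .reg export, a Windows-directory listing and the
# dropped USER_INFO.SAH. Sample data is constructed; account values are placeholders.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
DROPPED_FILES = {"MSSETI.EXE", "USER_INFO.SAH", "VERSION.SAH",
                 "MSSETI.PIF", "RUN_MSSETI.VBS", "MSSETI.BAT"}

def parse_reg_export(text):
    """Minimal .reg parser -> {key: {value_name: data}}; .reg doubles backslashes."""
    reg, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            reg[key][name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return reg

def find_autorun_hits(reg):
    """(key, value_name, data) for the worm's msseti autorun entries."""
    return [(k, n, d) for k in AUTORUN_KEYS for n, d in reg.get(k, {}).items()
            if n.lower() == "msseti" or "run_msseti.vbs" in d.lower()]

def find_dropped_files(windir_listing):
    """Case-insensitive match of the listing against the worm's dropped files."""
    return sorted(f.upper() for f in windir_listing if f.upper() in DROPPED_FILES)

def parse_user_info(text):
    """USER_INFO.SAH is key=value lines naming the account the machine crunches for."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def assess(reg_text, windir_listing, user_info_text):
    # Autorun entry plus the launcher script on disk is the infection signal;
    # the account fields are what to hand to the project admins.
    autorun = find_autorun_hits(parse_reg_export(reg_text))
    files = find_dropped_files(windir_listing)
    info = parse_user_info(user_info_text)
    return {"infected": bool(autorun) and "RUN_MSSETI.VBS" in files,
            "autorun": autorun, "files": files,
            "account": {k: info.get(k) for k in ("id", "email_addr", "name")}}

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"
"""
SAMPLE_WINDIR = ["explorer.exe", "MSSETI.EXE", "user_info.sah", "run_msseti.vbs", "msseti.bat"]
SAMPLE_USER_INFO = "id=0000000\nkey=0000000000\nemail_addr=placeholder@example.invalid\nname=PLACEHOLDER\n"
```

On a live machine the .reg text would come from exporting the two keys and the listing from the Windows directory; the parser only handles quoted string values, which is all these entries are.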

Copyright © 2014 University of California