Do we have a Boinc virus?


Message boards : Number crunching : Do we have a Boinc virus?

Previous · 1 . . . 3 · 4 · 5 · 6 · 7 · 8 · 9 . . . 27 · Next
Author Message
Profile Matt Lebofsky
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Mar 99
Posts: 1389
Credit: 74,079
RAC: 0
United States
Message 240694 - Posted: 1 Feb 2006, 16:01:59 UTC

For the record, it *does* look like there is the distinct possibility that a worm/virus is spreading around running BOINC under this guy's name (there are many hosts with his userid, all running windows, and with IP addresses all over the world). That's all the evidence we have, and there's really not much we can do.

As for PR, we're not going to make an announcement because, as I stated earlier, this would confuse more than calm. We don't have time to do any virus hunting. We'll let the security powers that be deal with this, and if/when any official report shows up on F-Secure or otherwise it will already have been dealt with. Any information we have at that point may be used to adjust credit accordingly. Key word: "may".

- Matt
____________
-- BOINC/SETI@home network/web/science/development person
-- "Any idiot can have a good idea. What is hard is to do it." - Jeanne-Claude
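
The evidence Matt describes (many hosts under one user id, all Windows, attached from addresses all over the world) is a server-side pattern that can be checked mechanically. The following is an added example, not SETI@home or BOINC project code: it assumes a host table with the fields used in the constructed HOSTS sample, uses distinct /16 prefixes as a stand-in for geographic spread (an assumption; a GeoIP lookup would do the same job), and treats the thresholds as illustrative.

```python
"""Flag accounts whose attached hosts look worm-driven rather than volunteer-driven.

Added example, not SETI@home or BOINC project code. It assumes a host
table with the fields used in HOSTS (constructed sample data below); the
thresholds and the /16-prefix proxy for geographic spread are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

T0 = datetime(2006, 1, 30, 12, 0, 0)


def _host(host_id, user_id, os_name, ip, created_at):
    return {"host_id": host_id, "user_id": user_id, "os_name": os_name,
            "ip": ip, "created_at": created_at}


# Constructed sample: three accounts with very different host populations.
HOSTS = []
# Account 4242: 30 Windows hosts attached within 30 hours, each on a different /16.
for i in range(30):
    HOSTS.append(_host(100 + i, 4242, "Microsoft Windows XP",
                       f"{10 + i}.{(i * 37) % 256}.4.{i + 1}", T0 + timedelta(hours=i)))
# Account 7: a volunteer with three mixed-OS machines on one home connection, added over a year.
for i, os_name in enumerate(["Microsoft Windows XP", "Linux", "Darwin"]):
    HOSTS.append(_host(200 + i, 7, os_name, f"203.0.113.{i + 10}", T0 - timedelta(days=150 * i)))
# Account 9: a campus farm, 40 Windows hosts on one /16, attached one at a time over two years.
for i in range(40):
    HOSTS.append(_host(300 + i, 9, "Microsoft Windows 2000",
                       f"198.51.100.{i + 1}", T0 - timedelta(days=18 * i)))


def peak_attach_count(times, window):
    """Largest number of hosts attached inside any sliding window of the given length."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def user_profiles(hosts, window=timedelta(days=7)):
    """Summarise each account's hosts: count, distinct /16 networks, Windows share, attach burst."""
    by_user = defaultdict(list)
    for h in hosts:
        by_user[h["user_id"]].append(h)
    profiles = {}
    for uid, hs in by_user.items():
        nets = {ip_network(f"{h['ip']}/16", strict=False) for h in hs}
        windows = sum("windows" in h["os_name"].lower() for h in hs)
        profiles[uid] = {
            "hosts": len(hs),
            "net16": len(nets),
            "windows_share": windows / len(hs),
            "burst": peak_attach_count([h["created_at"] for h in hs], window),
        }
    return profiles


def flag_suspicious(hosts, window=timedelta(days=7), min_burst=20,
                    min_net16=10, min_windows_share=0.95):
    """Return account ids whose hosts match all three worm indicators from the post:
    a burst of new hosts, spread across many networks, all running Windows.
    Requiring all three keeps a large but legitimate farm (one network, gradual
    growth) out of the list."""
    flagged = []
    for uid, p in user_profiles(hosts, window).items():
        if (p["burst"] >= min_burst and p["net16"] >= min_net16
                and p["windows_share"] >= min_windows_share):
            flagged.append(uid)
    return sorted(flagged)


if __name__ == "__main__":
    for uid, p in sorted(user_profiles(HOSTS).items()):
        print(uid, p)
    print("suspicious accounts:", flag_suspicious(HOSTS))
```

Only account 4242 trips all three indicators; the 40-host campus farm has the OS uniformity but neither the burst nor the network spread, which is why the check requires the indicators together rather than any one of them.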

Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240706 - Posted: 1 Feb 2006, 16:35:23 UTC - in response to Message 240694.

> For the record, it *does* look like there is the distinct possibility that a worm/virus is spreading around running BOINC under this guy's name
> - Matt

Thanks for the update Matt. I knew it had to be some type of a worm, virus or botnet. Things never added up no matter how many different explanations were theorized. You can hide the program but in the end a specific user has to get the credit! Thanks again!

>Fred
____________

http://www.teamstarfire.org/

Profile Geek@Play
Project donor
Volunteer tester
Joined: 31 Jul 01
Posts: 2466
Credit: 85,749,282
RAC: 27,763
United States
Message 240713 - Posted: 1 Feb 2006, 16:49:04 UTC
Last modified: 1 Feb 2006, 16:58:54 UTC

I thought that I read yesterday that the guy who reported this originally from England said that it looked like a normal Microsoft Windows update when this happened. Maybe Microsoft would be interested?

[edit]You have to put forth some effort if you want to be at the top![/edit]


____________
Boinc....Boinc....Boinc....Boinc....

Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240717 - Posted: 1 Feb 2006, 17:03:36 UTC - in response to Message 240713.

> I thought that I read yesterday that the guy who reported this originally from England said that it looked like a normal Microsoft Windows update when this happened. Maybe Microsoft would be interested?

He is from Canada. Someone here theorized that it may have been a bogus MS update email because of the exe file name that was used, "wupdmgr1.exe". The user never verified whether he updated from an email or website. I'll try to clarify this with him.

>Fred

____________

http://www.teamstarfire.org/

Slavik
Joined: 23 May 99
Posts: 1
Credit: 348,547
RAC: 0
United States
Message 240725 - Posted: 1 Feb 2006, 17:14:23 UTC - in response to Message 240694.
Last modified: 1 Feb 2006, 17:15:31 UTC

> For the record, it *does* look like there is the distinct possibility that a worm/virus is spreading around running BOINC under this guy's name (there are many hosts with his userid, all running windows, and with IP addresses all over the world). That's all the evidence we have, and there's really not much we can do.
>
> - Matt


For what it's worth, are these units at least legit?
Virus or no virus, if these units are legit, the results probably should not be discarded.

____________

Profile Matt Lebofsky
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Mar 99
Posts: 1389
Credit: 74,079
RAC: 0
United States
Message 240735 - Posted: 1 Feb 2006, 17:25:02 UTC

By the way, it should be noted that if any of y'all do manage to get a copy of the infected wupdmgr1.exe, please send a copy to me or tell me how to get it. Don't worry, I don't work on any windows machines (just solaris, linux, and macs of course).

And yes.. if the results that are returned by these infected computers are validated, we keep the signals.

- Matt
____________
-- BOINC/SETI@home network/web/science/development person
-- "Any idiot can have a good idea. What is hard is to do it." - Jeanne-Claude

Profile Project III
Volunteer tester
Joined: 7 Oct 04
Posts: 106
Credit: 306,353
RAC: 0
United States
Message 240741 - Posted: 1 Feb 2006, 17:42:22 UTC

Matt-

My concern lies not in the safety of other people's computers. Those who know how to defend themselves against virii will be fine, and those who don't... well... just like you said in your blog...

Anyway, my concern lies in the implications this will have on the competition of SETI@home. I'm worried that the message is being sent out that making virii to boost your seti stats is acceptable, and that as a result people will openly continue to write more and more of them.

I started my team, SETI.USA, because I saw an opportunity to become the top team in the world, legitimately, and thought that it would be fun to try. However, all the fun is gone when people start resorting to means outside of the rules.

I realize it's still unknown whether Carsten is responsible, and I don't have any suggestions for resolving this. I just feel that this is a concern most of us have, and a concern that wasn't being recognized. Most of us have a lot of fun competing in SETI@home, but this takes most of the fun out of it.
____________
SETI.USA

Profile Fred G
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240742 - Posted: 1 Feb 2006, 17:42:49 UTC - in response to Message 240735.

> By the way, it should be noted that if any of y'all do manage to get a copy of the infected wupdmgr1.exe, please send a copy to me or tell me how to get it.

I'll get a copy from him. As soon as I get it I'll let you know.

>Fred
____________

http://www.teamstarfire.org/

Profile Geek@Play
Project donor
Volunteer tester
Joined: 31 Jul 01
Posts: 2466
Credit: 85,749,282
RAC: 27,763
United States
Message 240744 - Posted: 1 Feb 2006, 17:46:39 UTC - in response to Message 240741.

> Matt-
>
> My concern lies not in the safety of other people's computers. Those who know how to defend themselves against virii will be fine, and those who don't... well... just like you said in your blog...
>
> Anyway, my concern lies in the implications this will have on the competition of SETI@home. I'm worried that the message is being sent out that making virii to boost your seti stats is acceptable, and that as a result people will openly continue to write more and more of them.
>
> I started my team, SETI.USA, because I saw an opportunity to become the top team in the world, legitimately, and thought that it would be fun to try. However, all the fun is gone when people start resorting to means outside of the rules.
>
> I realize it's still unknown whether Carsten is responsible, and I don't have any suggestions for resolving this. I just feel that this is a concern most of us have, and a concern that wasn't being recognized. Most of us have a lot of fun competing in SETI@home, but this takes most of the fun out of it.


I agree. The stats in Seti Classic became meaningless because of all the cheating. Is the same thing happening here? I hope not!


____________
Boinc....Boinc....Boinc....Boinc....

Profile Matt Lebofsky
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Mar 99
Posts: 1389
Credit: 74,079
RAC: 0
United States
Message 240749 - Posted: 1 Feb 2006, 21:23:35 UTC

> I agree. The stats in Seti Classic became meaningless because of all the cheating. Is the same thing happening here? I hope not!


I agree as well. Whatever happens I'll try to get a list of his "real" hosts versus his "hacked" hosts and adjust credit accordingly.

- Matt
____________
-- BOINC/SETI@home network/web/science/development person
-- "Any idiot can have a good idea. What is hard is to do it." - Jeanne-Claude

Profile Project III
Volunteer tester
Joined: 7 Oct 04
Posts: 106
Credit: 306,353
RAC: 0
United States
Message 240757 - Posted: 1 Feb 2006, 21:35:04 UTC - in response to Message 240749.

> I'll try to get a list of his "real" hosts versus his "hacked" hosts and adjust credit accordingly.
>
> - Matt


I was going to ask if you could do that, but I thought it might be too difficult. Thanks for your work, Matt.
____________
SETI.USA

Profile Geek@Play
Project donor
Volunteer tester
Joined: 31 Jul 01
Posts: 2466
Credit: 85,749,282
RAC: 27,763
United States
Message 240764 - Posted: 1 Feb 2006, 21:45:38 UTC

> I agree as well. Whatever happens I'll try to get a list of his "real" hosts versus his "hacked" hosts and adjust credit accordingly.
>
> - Matt


Thanks Matt...it's nice to have you around to keep us in line!


____________
Boinc....Boinc....Boinc....Boinc....

Profile trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240782 - Posted: 1 Feb 2006, 23:33:54 UTC

As was already told by others, the damage this incident caused to BOINC and to its projects may be huge, and what is even worse, we can be almost certain that this case will not stay isolated. When people see it is possible, there may soon be crowds of others trying to do the same. Some followers may use more primitive methods, like simple Trojans or installation scripts; others may invent even more sophisticated viruses.

If security antivirus/antimalware/firewall companies start banning BOINC, it may be too late to begin with the damage control. When I spoke about damage control from the beginning, I did not necessarily mean PR or medialization of the case. Damage control means reporting it to the responsible authorities - i.e. CPAN or other security organizations, maybe even law enforcement - but what is especially necessary is building in a security mechanism that prevents unattended and stealth installations. Of course, it must not be only client based, since the crook can compile a modified client - it must include a server-client security handshake with forced user input; the most common and simplest is generating a slightly obfuscated code that cannot be OCR-ed and must be entered by a human. Such a simple security mechanism will at least plug this hole, but more protection may be needed. As long as it is not included, security companies cannot be blamed if they start blocking BOINC.
____________
trux
BOINC software
Freediving Team
Czech Republic

kevint
Volunteer tester
Joined: 17 May 99
Posts: 414
Credit: 11,680,240
RAC: 0
United States
Message 240786 - Posted: 2 Feb 2006, 0:41:47 UTC - in response to Message 240749.

>> I agree. The stats in Seti Classic became meaningless because of all the cheating. Is the same thing happening here? I hope not!
>
> I agree as well. Whatever happens I'll try to get a list of his "real" hosts versus his "hacked" hosts and adjust credit accordingly.
>
> - Matt


Thanks for the update - I believe that if he is found guilty his TOTAL credits should be removed - including all credits he crunched while with any team he may have been with.
Just a personal feeling is all.

Profile Steve @ SETI.USA
Joined: 5 Sep 04
Posts: 189
Credit: 1,016,797
RAC: 0
United States
Message 240788 - Posted: 2 Feb 2006, 1:04:30 UTC
Last modified: 2 Feb 2006, 1:05:44 UTC

I feel that, if he is found guilty, he should have all credit removed. Keep the signals, but remove all credit. I don't think anyone should waste time trying to be 'fair' with someone who would do this. If guilty, he should be made an example to others who would try the same thing.

Zero Tolerance!

Just my 2 pennies...
____________

http://www.setiusa.net

Profile Ageless
Joined: 9 Jun 99
Posts: 12284
Credit: 2,575,375
RAC: 773
Netherlands
Message 240789 - Posted: 2 Feb 2006, 1:08:31 UTC - in response to Message 240782.

> As was already told by others, the damage this incident caused to BOINC and to its projects may be huge, and what is even worse, we can be almost certain that this case will not stay isolated.

Or maybe it can be. I have read the whole Starfire thread and have seen the pictures the person provided. There is NO BOINC. Whoever cleverly made this, has gotten setiathome_4.18.exe to run almost stand alone, probably with the wupdmgr1.exe only doing the up&downloads.

It won't hurt other projects as much, as no other project has the science application in Open Source. The threat of this thing may also be over soon if we can release Seti-Enhanced quickly enough. If SE takes over from 4.18, then all those "worms" will starve to death... until the person who made it updates it to SE, of course.

At least it's a wake up call for the BOINC/Seti developers.
____________
Jord

Fighting for the correct use of the apostrophe, together with Weird Al Yankovic

Profile trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240790 - Posted: 2 Feb 2006, 1:26:19 UTC - in response to Message 240789.
Last modified: 2 Feb 2006, 1:27:18 UTC

> ...There is NO BOINC. Whoever cleverly made this, has gotten setiathome_4.18.exe to run almost stand alone, probably with the wupdmgr1.exe only doing the up&downloads.

I hate to disappoint you, but you can rename boinc.exe to whatever you want. All it takes are as many keystrokes as the new name has. No rocket science, no Open Source programming.

> It won't hurt other projects as much, as no other project has the science application in Open Source.

It has nothing to do with the openness of the project. You can simply take an available virus kit (there are plenty of them around) and change the payload or the download to whatever you want. It makes no difference if it is Open Source S@H or closed source Einstein@Home or whatever else.

____________
trux
BOINC software
Freediving Team
Czech Republic

Profile Ageless
Joined: 9 Jun 99
Posts: 12284
Credit: 2,575,375
RAC: 773
Netherlands
Message 240795 - Posted: 2 Feb 2006, 1:46:38 UTC - in response to Message 240790.

> I hate to disappoint you, but you can rename boinc.exe to whatever you want. All it takes are as many keystrokes as the new name has. No rocket science, no Open Source programming.

Okay, I take your word for that. That is, if wupdmgr1.exe is running from the system32 directory. The OP was never clear on that. Can Boinc.exe run (under whatever assumed name) from for instance Program Files, while the rest is under system32?


____________
Jord

Fighting for the correct use of the apostrophe, together with Weird Al Yankovic

Profile trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240808 - Posted: 2 Feb 2006, 2:11:47 UTC - in response to Message 240795.

> Okay, I take your word for that. That is, if wupdmgr1.exe is running from the system32 directory. The OP was never clear on that. Can Boinc.exe run (under whatever assumed name) from for instance Program Files, while the rest is under system32?

You can run any executable in any location you wish. Boinc core searches for the needed files in the subdirectory structure based on its location (just like many other programs). In this case the renamed boinc.exe and all BOINC subdirs were within system32.

____________
trux
BOINC software
Freediving Team
Czech Republic
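
Because the core client finds its files relative to wherever it was dropped, as trux describes, a hunt on a suspect Windows box should key on the data layout the client creates beside itself rather than on the name boinc.exe. The following is an added example, not BOINC or SETI@home project code: the marker names (client_state.xml, projects/, slots/), the list of executables expected in a normal install, and the client_state.xml fields it reads are assumptions, and the directory tree it scans is constructed in a temp directory so the script runs offline.

```python
"""Hunt for a BOINC core client running under an assumed executable name.

Added example, not BOINC or SETI@home project code. It keys on the data
layout the core client keeps next to itself rather than on the file name
"boinc.exe". The marker names (client_state.xml, projects/, slots/), the
list of expected BOINC executables and the client_state.xml fields read
here are assumptions; the directory tree is constructed in a temp dir so
the script runs offline.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed signature of a BOINC data directory and of a normal install's executables.
MARKER_FILE = "client_state.xml"
MARKER_DIRS = ("projects", "slots")
EXPECTED_EXES = {"boinc.exe", "boincmgr.exe", "boinccmd.exe"}

# Constructed client_state.xml fragment; only the fields read below matter.
STATE_TEMPLATE = """<client_state>
<project>
    <master_url>http://setiathome.berkeley.edu/</master_url>
    <project_name>SETI@home</project_name>
    <user_name>{user}</user_name>
</project>
</client_state>
"""


def looks_like_boinc_dir(d: Path) -> bool:
    """True when the directory carries the core client's data layout, whatever the exe is called."""
    return (d / MARKER_FILE).is_file() and all((d / sub).is_dir() for sub in MARKER_DIRS)


def attached_projects(state_file: Path):
    """Project URL and account name for every <project> block in client_state.xml."""
    root = ET.parse(state_file).getroot()
    return [{"master_url": p.findtext("master_url", ""),
             "user_name": p.findtext("user_name", "")} for p in root.iter("project")]


def hunt(root: Path):
    """Walk root and report every BOINC data directory, flagging executables that are not
    part of a normal install (a renamed boinc.exe such as wupdmgr1.exe shows up here)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if not looks_like_boinc_dir(d):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        findings.append({
            "dir": str(d),
            "executables": exes,
            "unexpected_exes": [e for e in exes if e.lower() not in EXPECTED_EXES],
            "projects": attached_projects(d / MARKER_FILE),
        })
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed fixture: a normal install under Program Files and a client hidden in
    a fake system32 under the name from the thread; 'alice' and 'mallory' are placeholders."""
    for d, exe, user in ((base / "Program Files" / "BOINC", "boinc.exe", "alice"),
                         (base / "WINDOWS" / "system32", "wupdmgr1.exe", "mallory")):
        (d / "projects" / "setiathome.berkeley.edu").mkdir(parents=True)
        (d / "slots").mkdir()
        (d / exe).write_bytes(b"MZ")
        (d / MARKER_FILE).write_text(STATE_TEMPLATE.format(user=user))
    # Noise: a projects/ directory with no client_state.xml must not be reported.
    (base / "Temp" / "projects").mkdir(parents=True)


def demo():
    """Build the fixture in a fresh temp directory and return the hunt's findings."""
    base = Path(tempfile.mkdtemp())
    build_sample_tree(base)
    return hunt(base)


if __name__ == "__main__":
    for f in demo():
        print(f["dir"], "unexpected:", f["unexpected_exes"], "projects:", f["projects"])
```

Pointed at a real drive root instead of the fixture, the same walk reports both the legitimate install and the hidden copy, and the account name read from client_state.xml is what ties the hidden copy to the user id that is collecting the credit.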

kevint
Volunteer tester
Joined: 17 May 99
Posts: 414
Credit: 11,680,240
RAC: 0
United States
Message 240812 - Posted: 2 Feb 2006, 2:25:11 UTC - in response to Message 240808.
Last modified: 2 Feb 2006, 2:25:36 UTC

>> Okay, I take your word for that. That is, if wupdmgr1.exe is running from the system32 directory. The OP was never clear on that. Can Boinc.exe run (under whatever assumed name) from for instance Program Files, while the rest is under system32?
> You can run any executable in any location you wish. Boinc core searches for the needed files in the subdirectory structure based on its location (just like many other programs). In this case the renamed boinc.exe and all BOINC subdirs were within system32.


For some reason I think this topic needs to be limited. No idea who is reading this - could be some people out there that could take this information and make a lot of trouble for all of us.
It is just that some information should not be displayed in a public forum. Careful here.
____________


Copyright © 2014 University of California