Do we have a Boinc virus?

Message boards : Number crunching : Do we have a Boinc virus?
Message board moderation

To post messages, you must log in.

Previous · 1 . . . 4 · 5 · 6 · 7 · 8 · 9 · 10 . . . 27 · Next

AuthorMessage
Profile trux
Volunteer tester
Avatar

Send message
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240821 - Posted: 2 Feb 2006, 2:44:08 UTC - in response to Message 240812.  
Last modified: 2 Feb 2006, 2:46:43 UTC

For some reason I think this topic needs to be limited. No idea who is reading this - could be some people out there that could take this information and make a lot of trouble for all of us.
It is just that some information should not be displayed in a public forum. Careful here.
I am sorry, but nothing I wrote here is a secret or a surprising information to anyone at least basically computer litterate. Any kid (including my 12 years old daughter) playing with computers knows that she can rename executables and move them to whatever directories she wants. You do not need to be programmer or hacker to know it. And you can bet that people writing or assembling malware have at least such elementary knowledge of computer systems.

trux
BOINC software
Freediving Team
Czech Republic
ID: 240821 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240826 - Posted: 2 Feb 2006, 2:49:41 UTC - in response to Message 240567.  
Last modified: 2 Feb 2006, 3:12:11 UTC

ID: 240826 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240827 - Posted: 2 Feb 2006, 2:49:51 UTC - in response to Message 240567.  
Last modified: 2 Feb 2006, 3:13:00 UTC

ID: 240827 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240828 - Posted: 2 Feb 2006, 2:49:52 UTC - in response to Message 240567.  
Last modified: 2 Feb 2006, 3:13:26 UTC

ID: 240828 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240829 - Posted: 2 Feb 2006, 2:49:53 UTC - in response to Message 240567.  

P.S. If someone else did this, Carsten would only know about it if he looked at his stats, which not everybody does.
He definitely does - he changed the team from SETI Germany to his own one just few days ago. [snip]


You're assuming he created the new team. If his details have been stolen, then there is more than enough doubt that he knew about the problem.

And as for "this" being a crime, define "crime": Some bloke in Britain is sending data to some bloke in America all for the credit of some bloke in Canada who has a web site in German. The mix may not be quite right, but the problem of sovereignty is.

And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly (<- Sarcasm, for those how've suffered a humourectomy).



Click here to join the #1 Aussie Alliance in SETI
ID: 240829 · Report as offensive
Profile Fred G
Avatar

Send message
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240837 - Posted: 2 Feb 2006, 3:02:54 UTC - in response to Message 240735.  

By the way, it should be noted that if any of y'all do manage to get a copy of the infected wupdmgr1.exe, please send a copy to me or tell me how to get it.


Matt I have a copy. All I need is where to send it.

>Fred


http://www.teamstarfire.org/
ID: 240837 · Report as offensive
Profile trux
Volunteer tester
Avatar

Send message
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240838 - Posted: 2 Feb 2006, 3:03:17 UTC - in response to Message 240829.  

And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly
I already saw enough facts and communicated with Giese directly to create my opinion. It does not mean I am necessarily right, but personally I'd let it to the responsible officials to deal with it - whether it is Berkeley, security organizations, or law enforcment.

trux
BOINC software
Freediving Team
Czech Republic
ID: 240838 · Report as offensive
Profile Lazy2
Avatar

Send message
Joined: 4 Sep 00
Posts: 14
Credit: 23,552,278
RAC: 0
United States
Message 240840 - Posted: 2 Feb 2006, 3:06:17 UTC

Viruses are a good means to deliver an executable to an unsuspecting host. It is unfortunate that in this case BOINC was the executable. Fortunately computers were only violated and not damaged. I agree with trux that to hide the file is easy by just renaming it. Hopefully this whole episode can be resolved and we can move on without damage to the project.
This is only a test...

ID: 240840 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240847 - Posted: 2 Feb 2006, 3:18:20 UTC - in response to Message 240795.  

Okay, I take your word for that. That is, if wupdmgr1.exe is running from the system32 directory. The OP was never clear on that. Can Boinc.exe run (under whatever assumed name) from for instance Program Files, while the rest is under system32?


C:\\Windows\\System32 is in the standard path, isn't it?
Pop-up a dos window and type 'PATH'. See if you get it, I did.

Mike

PS: Sorry all, about the earlier post. I must've had bad mouse-key-stick or convulsions!


Click here to join the #1 Aussie Alliance in SETI
ID: 240847 · Report as offensive
Profile trux
Volunteer tester
Avatar

Send message
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240848 - Posted: 2 Feb 2006, 3:19:31 UTC - in response to Message 240837.  
Last modified: 2 Feb 2006, 3:21:57 UTC

Matt I have a copy. All I need is where to send it.
Again, I'll disapoint you, but the wupdmgr1.exe file is apparently nothing else than plain and simple boinc.exe renamed to wupdmgr1.exe. The real trojan or worm spreading it, is quite probably in a different file. You should not start cleaning up the the guy's PC, before he makes complete backup to make sure the perpetrating file and its copies may be eventually found and analyzed.

trux
BOINC software
Freediving Team
Czech Republic
ID: 240848 · Report as offensive
Profile m.mitch
Volunteer tester
Avatar

Send message
Joined: 27 Jun 01
Posts: 338
Credit: 127,769
RAC: 0
Australia
Message 240853 - Posted: 2 Feb 2006, 3:23:04 UTC - in response to Message 240838.  

And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly
I already saw enough facts and communicated with Giese directly to create my opinion. It does not mean I am necessarily right, but personally I'd let it to the responsible officials to deal with it - whether it is Berkeley, security organizations, or law enforcment.


I also hope someone can "fix" the problem. I just don't like the "feeding Frenzy" this bloke has found himself in. As far as I know, in Germany he's innocent until proved otherwise.

Mike



Click here to join the #1 Aussie Alliance in SETI
ID: 240853 · Report as offensive
Profile Fred G
Avatar

Send message
Joined: 17 May 99
Posts: 185
Credit: 24,109,481
RAC: 0
United States
Message 240859 - Posted: 2 Feb 2006, 3:33:27 UTC - in response to Message 240848.  

Matt I have a copy. All I need is where to send it.
Again, I'll disapoint you, but the wupdmgr1.exe file is apparently nothing else than plain and simple boinc.exe renamed to wupdmgr1.exe.

I figured that. I have the user holding off on removing anything. I'll see what he can do to make a backup copy. I believe everything is going to be in the system32 folder.

http://www.teamstarfire.org/
ID: 240859 · Report as offensive
Profile trux
Volunteer tester
Avatar

Send message
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 240876 - Posted: 2 Feb 2006, 4:09:24 UTC - in response to Message 240859.  

I believe everything is going to be in the system32 folder.
Everything what concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).

trux
BOINC software
Freediving Team
Czech Republic
ID: 240876 · Report as offensive
Hans Dorn
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 3 Apr 99
Posts: 2262
Credit: 26,448,570
RAC: 0
Germany
Message 240887 - Posted: 2 Feb 2006, 4:19:29 UTC - in response to Message 240876.  
Last modified: 2 Feb 2006, 4:20:01 UTC

I believe everything is going to be in the system32 folder.
Everything what concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).


Carsten's RAC increased from 80'000 to 130'000 at around Jan-22, and then stayed at this level.

This looks more like the result of someone scanning the web for vulnerable computers. (Backdoors or some security hole in XP)

If there was a worm behind this one would expect his numbers to climb steadily or even exponentially.

Regards Hans



ID: 240887 · Report as offensive
Profile Toby
Volunteer tester
Avatar

Send message
Joined: 26 Oct 00
Posts: 1005
Credit: 6,366,949
RAC: 0
United States
Message 240935 - Posted: 2 Feb 2006, 5:09:57 UTC - in response to Message 240782.  

... but what is especially necessary is building in a security mechanism that avoids unattended and stealth installations. Of course, it must not be only client based, since the crook can compile a modified client - it must include server - client security handshake with forced user input ...


Well that is in direct opposition to one of the "features" of BOINC. The installer allows administrators to automatically install BOINC on hundreds of computers without individual attention to each one.

I really don't think it is such a crisis. I don't think any of the big security companies are going to put BOINC on their "bad" list just because it was the payload of some other exploit. The same thing did happen with seti@home classic and I don't recall it being listed as malware anywhere. Of course there will be rumors here and there from un(der) informed people but those are already out there. Before seti classic shut down there were several very vocal people who didn't want to switch who claimed that BOINC was insecure and would lead to many exploits. Some people believed them, most didn't.
A member of The Knights Who Say NI!
For rankings, history graphs and more, check out:
My BOINC stats site
ID: 240935 · Report as offensive
Profile tekwyzrd
Volunteer tester
Avatar

Send message
Joined: 21 Nov 01
Posts: 767
Credit: 30,009
RAC: 0
United States
Message 240971 - Posted: 2 Feb 2006, 8:01:17 UTC - in response to Message 240887.  
Last modified: 2 Feb 2006, 8:05:35 UTC

I believe everything is going to be in the system32 folder.
Everything what concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).


Carsten's RAC increased from 80'000 to 130'000 at around Jan-22, and then stayed at this level.

This looks more like the result of someone scanning the web for vulnerable computers. (Backdoors or some security hole in XP)

If there was a worm behind this one would expect his numbers to climb steadily or even exponentially.

Regards Hans


Not just XP
I've seen the signs of people like that on my computer running SuSE 10.0

A sampling from the /var/log/messages entries:

Dec 8 20:57:13 cerberex sshd[7998]: Invalid user admin from 83.175.213.242
Dec 8 20:57:18 cerberex sshd[8017]: Invalid user manager from 83.175.213.242
Dec 8 20:57:20 cerberex sshd[8025]: Invalid user ana from 83.175.213.242
Dec 8 20:57:22 cerberex sshd[8033]: Invalid user webadmin from 83.175.213.242
Dec 8 20:57:28 cerberex sshd[8057]: Invalid user tom from 83.175.213.242

approx. 1700 attempts in this sequence.

most recently

Jan 30 12:35:00 cerberex sshd[2624]: Invalid user rpcuser from 200.47.112.149
Jan 30 12:35:00 cerberex sshd[2624]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:35:02 cerberex sshd[2632]: Invalid user rpc from 200.47.112.149
Jan 30 12:35:02 cerberex sshd[2632]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:35:04 cerberex sshd[2640]: Invalid user gopher from 200.47.112.149
Jan 30 12:35:04 cerberex sshd[2640]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!

170 attempts in this sequence.

I'm tired of it.
Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.
Douglas Adams (1952 - 2001)
ID: 240971 · Report as offensive
Profile Kinguni
Volunteer tester
Avatar

Send message
Joined: 15 Feb 00
Posts: 239
Credit: 9,043,007
RAC: 0
Canada
Message 240975 - Posted: 2 Feb 2006, 8:36:12 UTC - in response to Message 240887.  

I believe everything is going to be in the system32 folder.
Everything what concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).


Carsten's RAC increased from 80'000 to 130'000 at around Jan-22, and then stayed at this level.

This looks more like the result of someone scanning the web for vulnerable computers. (Backdoors or some security hole in XP)

If there was a worm behind this one would expect his numbers to climb steadily or even exponentially.

Regards Hans




I have to agree with you to be honest, the only question being whether he did this himself, or if someone got his account information and did it for him. I don't think we are going to find a worm, virus or trojan on this computer. This would enter the realm of hacking.
Join Team Starfire
BOINC Chat

ID: 240975 · Report as offensive
Jack Gulley

Send message
Joined: 4 Mar 03
Posts: 423
Credit: 526,566
RAC: 0
United States
Message 240992 - Posted: 2 Feb 2006, 10:04:10 UTC

One important bit of information that may not be in the files taken from the "infected" system or in any backups made, is the data and time of the initial infection. But this is easy to determine in this case. It may take a Command prompt window to get it. As it created a BOINC folder in the SYSTEM32 folder, the date of creation of that folder and/or any sub folders in it will be the date and time of infection. Important evidence in any case.

Please have him check on his system and get the dates and times of creation of the BOINC folder and each of its subfolders, and send it to you. For documentation purposes it would also be desirable for him to get a screen shot of this information if possible.

Then have him use that date in the Start - Search - Search For Files and Folders to set the Search option of Date and use the between dates to find all files Created on that date. This should show him all files created on his system that date. If he did not do too much on that day, it might locate the files that installed the program, if it has not already been deleted.

The crime is called Theft of Services. Someone made use of what belongs to you for their own gain, and in the process caused you a loss of use or expense.
ID: 240992 · Report as offensive
John McLeod VII
Volunteer developer
Volunteer tester
Avatar

Send message
Joined: 15 Jul 99
Posts: 24806
Credit: 790,712
RAC: 0
United States
Message 241081 - Posted: 2 Feb 2006, 17:08:22 UTC - in response to Message 240992.  

One important bit of information that may not be in the files taken from the "infected" system or in any backups made, is the data and time of the initial infection. But this is easy to determine in this case. It may take a Command prompt window to get it. As it created a BOINC folder in the SYSTEM32 folder, the date of creation of that folder and/or any sub folders in it will be the date and time of infection. Important evidence in any case.

Please have him check on his system and get the dates and times of creation of the BOINC folder and each of its subfolders, and send it to you. For documentation purposes it would also be desirable for him to get a screen shot of this information if possible.

Then have him use that date in the Start - Search - Search For Files and Folders to set the Search option of Date and use the between dates to find all files Created on that date. This should show him all files created on his system that date. If he did not do too much on that day, it might locate the files that installed the program, if it has not already been deleted.

The crime is called Theft of Services. Someone made use of what belongs to you for their own gain, and in the process caused you a loss of use or expense.

The host information on the web indicates a created time.


BOINC WIKI
ID: 241081 · Report as offensive
Pepo
Volunteer tester
Avatar

Send message
Joined: 5 Aug 99
Posts: 308
Credit: 418,019
RAC: 0
Slovakia
Message 241095 - Posted: 2 Feb 2006, 17:23:05 UTC - in response to Message 240935.  

I don't think any of the big security companies are going to put BOINC on their "bad" list just because it was the payload of some other exploit.
But this could happen.
The same thing did happen with seti@home classic and I don't recall it being listed as malware anywhere.

Not quite true. For instance, Kaspersky Lab calls it "Trusted riskware - not-a-virus:NetTool.Win32.Calc-SETI@Home". And many other might stuff it harder. Here is Kaspersky's list: http://www.viruslist.com/en/find?search_mode=full&words=seti

Peter
ID: 241095 · Report as offensive
Previous · 1 . . . 4 · 5 · 6 · 7 · 8 · 9 · 10 . . . 27 · Next

Message boards : Number crunching : Do we have a Boinc virus?


 
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.