Do we have a Boinc virus?


Message boards : Number crunching : Do we have a Boinc virus?

Webmaster Yoda
Volunteer tester
Joined: 3 Apr 99
Posts: 52
Credit: 500,125
RAC: 0
Australia
Message 242074 - Posted: 4 Feb 2006, 5:55:48 UTC - in response to Message 242056.
Last modified: 4 Feb 2006, 6:02:33 UTC

Do you still want to stick to a single machine with a RAC of 760?


Easily done with a fast machine running optimised apps. My Athlon 64 3700+ has an RAC over 770 and my 3.4GHz Pentium 4 has an RAC over 1000. Dual core and dual processor machines can get RAC's over 2,000.

See http://setiweb.ssl.berkeley.edu/top_hosts.php

EDIT: There's something like 500 hosts with an RAC over 1,000
____________
*** Join the #1 Aussie Alliance on SETI ***

Fuzzy Hollynoodles
Volunteer tester
Joined: 3 Apr 99
Posts: 9659
Credit: 251,998
RAC: 0
Message 242085 - Posted: 4 Feb 2006, 6:04:51 UTC - in response to Message 242000.


...

I think it is time to put a warning on the main page of all projects asking Windows users to check their system32 dir for the presence of BOINC xml files and project subdirectories. [EDIT] Actually searching all drives for some typical boinc files (like client_state.xml) would be much better - we have no guarantee that it is always in the same location.[/EDIT] Or maybe even much simpler - adding a checker into the S@H application that would warn in case of multiple running BOINC instances, would be much better.

I will personally put such a checker into my BOINC client, but that will cover just a couple of users. It is much more important that it is forced on all users with the standard official S@H applications - those who do not watch this forum, and do not use any optimized clients or applications.


I've just checked my whole hard disk for that exe file, and luckily I don't have it.

Yes, a feature that checks for the correct files in the correct directories would be nice, especially for those who don't keep an eye on their system.


____________
"I'm trying to maintain a shred of dignity in this world." - Me

Pepo
Volunteer tester
Joined: 5 Aug 99
Posts: 308
Credit: 418,019
RAC: 0
Slovakia
Message 242174 - Posted: 4 Feb 2006, 11:53:47 UTC - in response to Message 242085.

Yes, a feature that checks for the correct files in the correct directories would be nice, especially for those who don't keep an eye on their system.

Only checking whether the known installation is complete would possibly not uncover some hidden installation somewhere deep in e.g. my grandma's My Pictures folder tree (user name is not important, I only chose some random user and unexpected folder), but could notice some different user's project attached to the host.

The Average CPU efficiency is also a very good indication of whether some host's CPU is running some other payload besides the known Boinc installation. In such a case, the CPU efficiency would never exceed 0.4999 and Boinc could make a note of it for the owner, asking whether (s)he is sure the host is otherwise so busy.

Peter

UBT - Halifax--lad
Volunteer tester
Joined: 13 Dec 00
Posts: 433
Credit: 13,900
RAC: 0
United Kingdom
Message 242247 - Posted: 4 Feb 2006, 15:01:25 UTC

Surely the easiest way users can check is to simply look at what processes are running on their computer through CTRL-ALT-DEL, or is there a way a program can be hidden from the process menu on Task Manager?
____________
Join us in Chat (see the forum) Click the Sig


Join UBT

bartsob5
Volunteer tester
Joined: 16 Jun 04
Posts: 10
Credit: 6,715
RAC: 0
Poland
Message 242253 - Posted: 4 Feb 2006, 15:10:41 UTC

but wouldn't it be much safer and easier (for users) to add to BOINC special code that would make it unusable when installed with a different name than boinc.exe or in a different location than drive:\\program files\\BOINC, or even more simply, and allowing everyone more free play (but not too much), drive:\\...\\...\\BOINC\\ ????
____________

Fuzzy Hollynoodles
Volunteer tester
Joined: 3 Apr 99
Posts: 9659
Credit: 251,998
RAC: 0
Message 242260 - Posted: 4 Feb 2006, 15:13:22 UTC - in response to Message 242174.

Yes, a feature that checks for the correct files in the correct directories would be nice, especially for those who don't keep an eye on their system.

Only checking whether the known installation is complete would possibly not uncover some hidden installation somewhere deep in e.g. my grandma's My Pictures folder tree (user name is not important, I only chose some random user and unexpected folder), but could notice some different user's project attached to the host.

The Average CPU efficiency is also a very good indication of whether some host's CPU is running some other payload besides the known Boinc installation. In such a case, the CPU efficiency would never exceed 0.4999 and Boinc could make a note of it for the owner, asking whether (s)he is sure the host is otherwise so busy.

Peter


I was thinking of a program that's able to check specifically for e.g. the client_state.xml, whether it's placed in more than one directory, and where.

The wupdmgr1.exe can change name as soon as it's discovered with its new name, and the directory can be changed also. A scan of the whole Windows directory would be appropriate. As I said earlier, I scanned my whole hard disk for both the wupdmgr1.exe and the client_state.xml and found only one instance of the client_state.xml in the right directory. But a total scan would be necessary.

Yes, you can get a good pointer from the CPU efficiency, and by exiting BOINC you should be able to tell if your computer becomes idle by watching the graphs, but again, how many of the average users, who ain't familiar with these functions, are aware of their computers being idle? I'll know it on my laptop, as the fan stops almost immediately, but on a desktop computer, where you're used to the sound, how much will you notice? My old desktop computer wasn't that noisy, and if it became idle, there was always the sound of the fan.

This situation is really sad. :-(


____________
"I'm trying to maintain a shred of dignity in this world." - Me
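The whole-disk scan Fuzzy and Pepo describe above (find every client_state.xml, flag copies outside the expected BOINC folder, and list which user and project each copy is attached to), as an added example; this is not code from the thread or from the BOINC project. It assumes the `<project>`, `<master_url>`, `<user_name>` and `<team_name>` tags of client_state.xml and builds its own constructed sample tree in a temporary directory, with the hidden copy placed under system32 as in the thread.

```python
"""Scan a directory tree for BOINC client_state.xml files and report every
installation found, with the projects/users attached to each one.  Looking for
the data file rather than the exe matters: the exe can be renamed at will."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Folder a legitimate install is expected to live under (assumption).
EXPECTED_ROOT = os.path.join("Program Files", "BOINC")


def parse_client_state(path):
    """Return (master_url, user_name, team_name) for each <project> element.
    Tag names follow the BOINC client_state.xml layout (assumed here)."""
    root = ET.parse(path).getroot()
    return [
        ((p.findtext("master_url") or "").strip(),
         (p.findtext("user_name") or "").strip(),
         (p.findtext("team_name") or "").strip())
        for p in root.iter("project")
    ]


def find_installations(scan_root):
    """Walk scan_root and return one record per client_state.xml found."""
    found = []
    for dirpath, _dirs, files in os.walk(scan_root):
        if "client_state.xml" not in files:
            continue
        rel = os.path.relpath(dirpath, scan_root)
        try:
            projects = parse_client_state(os.path.join(dirpath, "client_state.xml"))
        except ET.ParseError:
            projects = []  # unreadable file is still an instance worth reporting
        found.append({
            "dir": rel,
            "expected": os.path.normcase(rel).startswith(os.path.normcase(EXPECTED_ROOT)),
            "projects": projects,
        })
    return found


def assess(installs):
    """More than one install, or any outside the expected root, is suspicious."""
    unexpected = [i["dir"] for i in installs if not i["expected"]]
    users = {user for i in installs for (_url, user, _team) in i["projects"]}
    return {"count": len(installs), "unexpected_dirs": unexpected,
            "users": sorted(users), "suspicious": len(installs) > 1 or bool(unexpected)}


# Constructed sample: a normal install plus a second copy hidden under system32.
SAMPLE_STATE = """<client_state>
<project>
  <master_url>http://setiathome.berkeley.edu/</master_url>
  <user_name>{user}</user_name>
  <team_name>{team}</team_name>
</project>
</client_state>
"""


def build_sample_tree():
    base = tempfile.mkdtemp()
    for sub, user, team in ((EXPECTED_ROOT, "owner", "Home Team"),
                            (os.path.join("WINDOWS", "system32"), "someone_else", "Other Team")):
        os.makedirs(os.path.join(base, sub))
        with open(os.path.join(base, sub, "client_state.xml"), "w") as f:
            f.write(SAMPLE_STATE.format(user=user, team=team))
    return base


def demo():
    return assess(find_installations(build_sample_tree()))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing `find_installations` at a drive root gives the "total scan" the post asks for; a second user name in the report is exactly the "different user's project attached to the host" signal Pepo mentions.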

skab
Joined: 13 Mar 03
Posts: 18
Credit: 2,874,929
RAC: 0
United States
Message 242269 - Posted: 4 Feb 2006, 15:22:14 UTC

Bad news here, I had a mirrored OS hard drive problem and had to switch to my F drive. Since then I've run across the fact that the only file that needs to be changed is the BOINC manager file and the start-up shortcut. You don't have to do anything to the BOINC manager in the original installation, it'll still be there and look like everything is going fine; unless you're checking your RAC against a daily stats sheet or your account, you'll never know that the WUs are going someplace else. And the processes under the task manager will show exactly what they're supposed to also.
I think that maybe checking for duplicate files would be the thing to do, although this still just helps those of us that know what we're looking for.
Is it possible to make it so that all the programs have to be in one main folder to run?
____________

SETI, ONLY SETI, ALWAYS SETI!!

bartsob5
Volunteer tester
Joined: 16 Jun 04
Posts: 10
Credit: 6,715
RAC: 0
Poland
Message 242287 - Posted: 4 Feb 2006, 15:56:25 UTC - in response to Message 242269.

yeah, right! some inexperienced users, on many forums are asking:

"hey, guys! i've opened task manager, and i have one question... what is idle process (proces bezczynnoœci)? IT'S GETTING 100% OF MY CPU!"

so why are we talking about searching for some specific files like client_state.xml?


____________

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 242294 - Posted: 4 Feb 2006, 16:08:34 UTC - in response to Message 242247.

Surely the easiest way users can check is to simply look at what processes are running on their computer through CTRL-ALT-DEL, or is there a way a program can be hidden from the process menu on Task Manager?


Yes you can hide processes from the Task Manager.

____________


http://www.mikesbawx.org/photo/

trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 242298 - Posted: 4 Feb 2006, 16:12:32 UTC
Last modified: 4 Feb 2006, 16:14:25 UTC

@ Fred_G: Fred, could you possibly send me the file sched_request.xml from the system32 dir of the infected machine? I am building in some protection into my core client, and need to verify some info in the file. Thanks!

If you are willing to do it, please use boinc -AT- truxoft -DOT- com
____________
trux
BOINC software
Freediving Team
Czech Republic

Alinator
Volunteer tester
Joined: 19 Apr 05
Posts: 4178
Credit: 4,647,982
RAC: 0
United States
Message 242300 - Posted: 4 Feb 2006, 16:13:05 UTC - in response to Message 242247.
Last modified: 4 Feb 2006, 16:16:04 UTC

Surely the easiest way users can check is to simply look at what processes are running on their computer through CTRL-ALT-DEL, or is there a way a program can be hidden from the process menu on Task Manager?


Yes, it is possible to hide processes from task manager, even for the administrative account. That was one of the issues behind the recent SONY/BMG rootkit debacle.


Also, whereas it would be a good idea to have more robust internal security for BOINC and the related project apps, they aren't even digitally signed. I realize this would require buying a certificate which incurs an extra cost, but surely having the hashes for the executables posted prominently somewhere on the DL page (perhaps the version details?) would help.

In addition, I'm not sure it's a good idea for BOINC to start trying to "police" what's going on with host systems.

The simple reality is all computers are tools, regardless of whether it's a home PC or supercomputer, and not toasters. It is the *responsibility* of the owner and/or users to have at *least* a fundamental understanding of its function AND the risks and hazards of its use.

Alinator

Matt Lebofsky
Volunteer moderator
Project administrator
Project developer
Project scientist
Joined: 1 Mar 99
Posts: 1389
Credit: 74,079
RAC: 0
United States
Message 242323 - Posted: 4 Feb 2006, 17:15:55 UTC

Just so people don't get the wrong idea, I just deleted Carsten's account and team with his explicit permission. They should disappear off the charts shortly (as web pages fall out of cache).

None of the virus/worm clients have been able to upload/download work for days.

I don't have any evidence that he was the creator of this worm, and frankly it is not my responsibility to care, since any hacker activity involved is completely divorced from BOINC. For example, if somebody broke into your house and played a Steely Dan CD on your stereo, is Steely Dan guilty?

Nevertheless, as stated numerous times, it isn't great public relations to have our software running on hacked machines. Well, we did the best we could do and rendered it useless.

- Matt
____________
-- BOINC/SETI@home network/web/science/development person
-- "Any idiot can have a good idea. What is hard is to do it." - Jeanne-Claude

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 242329 - Posted: 4 Feb 2006, 17:21:21 UTC - in response to Message 242323.

Just so people don't get the wrong idea, I just deleted Carsten's account and team with his explicit permission. They should disappear off the charts shortly (as web pages fall out of cache).

None of the virus/worm clients have been able to upload/download work for days.

I don't have any evidence that he was the creator of this worm, and frankly it is not my responsibility to care, since any hacker activity involved is completely divorced from BOINC. For example, if somebody broke into your house and played a Steely Dan CD on your stereo, is Steely Dan guilty?

Nevertheless, as stated numerous times, it isn't great public relations to have our software running on hacked machines. Well, we did the best we could do and rendered it useless.

- Matt


He took the easy way out, I am sure he knew what was going on.

____________


http://www.mikesbawx.org/photo/

Fuzzy Hollynoodles
Volunteer tester
Joined: 3 Apr 99
Posts: 9659
Credit: 251,998
RAC: 0
Message 242330 - Posted: 4 Feb 2006, 17:22:08 UTC - in response to Message 242323.

Just so people don't get the wrong idea, I just deleted Carsten's account and team with his explicit permission. They should disappear off the charts shortly (as web pages fall out of cache).

None of the virus/worm clients have been able to upload/download work for days.

I don't have any evidence that he was the creator of this worm, and frankly it is not my responsibility to care, since any hacker activity involved is completely divorced from BOINC. ...


- Matt


Thanks Matt for the update. I think this solution is satisfactory for most here.



____________
"I'm trying to maintain a shred of dignity in this world." - Me

Alinator
Volunteer tester
Joined: 19 Apr 05
Posts: 4178
Credit: 4,647,982
RAC: 0
United States
Message 242344 - Posted: 4 Feb 2006, 17:29:01 UTC - in response to Message 242323.
Last modified: 4 Feb 2006, 17:29:59 UTC

Just so people don't get the wrong idea, I just deleted Carsten's account and team with his explicit permission. They should disappear off the charts shortly (as web pages fall out of cache).

None of the virus/worm clients have been able to upload/download work for days.

I don't have any evidence that he was the creator of this worm, and frankly it is not my responsibility to care, since any hacker activity involved is completely divorced from BOINC. For example, if somebody broke into your house and played a Steely Dan CD on your stereo, is Steely Dan guilty?

Nevertheless, as stated numerous times, it isn't great public relations to have our software running on hacked machines. Well, we did the best we could do and rendered it useless.

- Matt


FWIW, I think you folks handled the affair as quickly and thoroughly as possible given the circumstances.

As I mentioned before, I'm more concerned about the possibility this was an experiment to test the waters of the SAH community, with the goal being to compromise existing *valid* installations with a "rooted" BOINC/SETI package. You have to admit several hundred thousand hosts make a tempting target. ;-)

Alinator

trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 242365 - Posted: 4 Feb 2006, 17:59:27 UTC - in response to Message 242323.
Last modified: 4 Feb 2006, 18:01:17 UTC

Just so people don't get the wrong idea, I just deleted Carsten's account and team with his explicit permission. They should disappear off the charts shortly (as web pages fall out of cache).
That's nice, but I am afraid it does not quite solve the problem. There is no guarantee he (or the one who did it if it was not him; or anyone else) does not launch the virus (if it was a virus) with a new account ID, or even worse - with randomly used account IDs. I believe there is some work to be done, and some mechanism to be implemented to limit such possibilities.

Some ideas were already proposed, and there are surely other means available. So for example a handshake with the server during the host registration, requiring human confirmation, is one possibility. For those admins who install hosts in bulk, it may still be done too, without limiting them too much, but keeping the human input anyway. Checking for multiple BOINC installations in RAM or on the disk is another function that would help. A popup window once in a long while (i.e. randomly every few weeks) alerting the user that his computer runs BOINC, listing attached projects, user and team IDs, would be another possibility, but I already see all the screaming users who install BOINC secretly on machines of friends, colleagues, or customers - that may be difficult to accept for many. There are certainly many other possibilities, and I think BOINC should definitely keep security in mind.

Btw, another question - will the 5-6 millions of credit that Giese made for SETI.Germany until recently also be deducted?

____________
trux
BOINC software
Freediving Team
Czech Republic

Michael Buckingham
Volunteer tester
Joined: 21 Aug 99
Posts: 4508
Credit: 2,676,597
RAC: 0
United States
Message 242377 - Posted: 4 Feb 2006, 18:10:58 UTC - in response to Message 242365.


Btw, another question - will the 5-6 millions of credit that Giese made for SETI.Germany until recently also be deducted?


I hope, because it borders on cheating.

____________


http://www.mikesbawx.org/photo/

trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 242378 - Posted: 4 Feb 2006, 18:16:26 UTC - in response to Message 241838.
Last modified: 4 Feb 2006, 18:22:23 UTC

When Nez started rocketing up the charts there was some concern expressed on the boards. He was checked out and even posted several times to clear up the problem. Turns out there was no problem. He has properly earned his number 1 ranking.
Well, Giese is done, so why not rehash this case :) I searched the forum archive, but found only a single post of NEZ - in Cafe, regarding the Babe of the Day. No comment on the incredible RAC he has. Theoretically, it could be done by a couple of hundred high performance machines (or maybe a couple of supercomputers) running 24/7, but practically several thousand machines seem more probable. That's surely possible for a huge company or a well organized group of individuals, but I'd be interested how Nez explained it. Can you point us to the post he made, and that turned it into "no problem" as you wrote? I'd be definitely interested in reading it, but did not find anything.

____________
trux
BOINC software
Freediving Team
Czech Republic

trux
Volunteer tester
Joined: 6 Feb 01
Posts: 344
Credit: 1,127,051
RAC: 0
Czech Republic
Message 242388 - Posted: 4 Feb 2006, 18:30:45 UTC
Last modified: 4 Feb 2006, 18:37:12 UTC

Another easy way of cheating was discussed a long time ago on our team forum, when some new projects appeared, with descriptions in foreign languages that nobody understood. We were speculating that there is nothing easier than creating a bogus project, just forwarding S@H WUs and then resending the completed results to the S@H server under one's own user or team ID.

There are people who are stupid enough to join every single new BOINC project the very moment it appears, without verifying what it actually does, or without researching the organization or individuals behind the project. Personally I will never run any project that does not come with the source code, or at least, that is not managed by some organization with a reliable reputation.

I bet that we were not the first ones who came to that idea, and consider it quite possible that some of the many new projects we have in BOINC may already use this method to accumulate huge credit amounts.

EDIT: for the very same reason, be also careful with installing 3rd party BOINC clients and project applications, unless they come with the source code where you can recompile it yourself to verify there is no surprise hidden in it.
____________
trux
BOINC software
Freediving Team
Czech Republic

Fuzzy Hollynoodles
Volunteer tester
Joined: 3 Apr 99
Posts: 9659
Credit: 251,998
RAC: 0
Message 242390 - Posted: 4 Feb 2006, 18:35:30 UTC - in response to Message 242378.

When Nez started rocketing up the charts there was some concern expressed on the boards. He was checked out and even posted several times to clear up the problem. Turns out there was no problem. He has properly earned his number 1 ranking.
Well, Giese is done, so why not rehash this case :) I searched the forum archive, but found only a single post of NEZ - in Cafe, regarding the Babe of the Day. No comment on the incredible RAC he has. ...


No, he never answered Misfit's question in the BOTD thread.


____________
"I'm trying to maintain a shred of dignity in this world." - Me


Copyright © 2014 University of California