Do we have a Boinc virus?
trux Send message Joined: 6 Feb 01 Posts: 344 Credit: 1,127,051 RAC: 0
> For some reason I think this topic needs to be limited. No idea who is reading this - could be some people out there that could take this information and make a lot of trouble for all of us.
I am sorry, but nothing I wrote here is a secret or surprising information to anyone at least basically computer literate. Any kid (including my 12-year-old daughter) playing with computers knows that she can rename executables and move them to whatever directories she wants. You do not need to be a programmer or hacker to know it. And you can bet that people writing or assembling malware have at least such elementary knowledge of computer systems.
trux BOINC software Freediving Team Czech Republic
m.mitch Send message Joined: 27 Jun 01 Posts: 338 Credit: 127,769 RAC: 0
> P.S. If someone else did this, Carsten would only know about it if he looked at his stats, which not everybody does.
> He definitely does - he changed the team from SETI Germany to his own one just a few days ago. [snip]
You're assuming he created the new team. If his details have been stolen, then there is more than enough doubt that he knew about the problem. And as for "this" being a crime, define "crime": Some bloke in Britain is sending data to some bloke in America all for the credit of some bloke in Canada who has a web site in German. The mix may not be quite right, but the problem of sovereignty is. And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly (<- Sarcasm, for those who've suffered a humourectomy).
Click here to join the #1 Aussie Alliance in SETI
Fred G Send message Joined: 17 May 99 Posts: 185 Credit: 24,109,481 RAC: 0
> By the way, it should be noted that if any of y'all do manage to get a copy of the infected wupdmgr1.exe, please send a copy to me or tell me how to get it.
Matt, I have a copy. All I need is where to send it.
>Fred http://www.teamstarfire.org/
trux Send message Joined: 6 Feb 01 Posts: 344 Credit: 1,127,051 RAC: 0
> And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly
I already saw enough facts and communicated with Giese directly to form my opinion. It does not mean I am necessarily right, but personally I'd leave it to the responsible officials to deal with it - whether it is Berkeley, security organizations, or law enforcement.
trux BOINC software Freediving Team Czech Republic
Lazy2 Send message Joined: 4 Sep 00 Posts: 14 Credit: 23,552,278 RAC: 0
Viruses are a good means to deliver an executable to an unsuspecting host. It is unfortunate that in this case BOINC was the executable. Fortunately computers were only violated and not damaged. I agree with trux that to hide the file is easy by just renaming it. Hopefully this whole episode can be resolved and we can move on without damage to the project.
This is only a test...
m.mitch Send message Joined: 27 Jun 01 Posts: 338 Credit: 127,769 RAC: 0
Okay, I take your word for that. That is, if wupdmgr1.exe is running from the system32 directory. The OP was never clear on that. Can Boinc.exe run (under whatever assumed name) from, for instance, Program Files, while the rest is under system32? C:\Windows\System32 is in the standard path, isn't it? Pop up a DOS window and type 'PATH'. See if you get it; I did.
Mike
PS: Sorry all, about the earlier post. I must've had bad mouse-key-stick or convulsions!
Click here to join the #1 Aussie Alliance in SETI
trux Send message Joined: 6 Feb 01 Posts: 344 Credit: 1,127,051 RAC: 0
> Matt, I have a copy. All I need is where to send it.
Again, I'll disappoint you, but the wupdmgr1.exe file is apparently nothing else than plain and simple boinc.exe renamed to wupdmgr1.exe. The real trojan or worm spreading it is quite probably in a different file. You should not start cleaning up the guy's PC before he makes a complete backup, to make sure the perpetrating file and its copies may eventually be found and analyzed.
trux BOINC software Freediving Team Czech Republic
m.mitch Send message Joined: 27 Jun 01 Posts: 338 Credit: 127,769 RAC: 0
> > And further still, it's really gratifying to see the presumption of innocence being applied so sweepingly
> I already saw enough facts and communicated with Giese directly to form my opinion. It does not mean I am necessarily right, but personally I'd leave it to the responsible officials to deal with it - whether it is Berkeley, security organizations, or law enforcement.
I also hope someone can "fix" the problem. I just don't like the "feeding frenzy" this bloke has found himself in. As far as I know, in Germany he's innocent until proven otherwise.
Mike
Click here to join the #1 Aussie Alliance in SETI
Fred G Send message Joined: 17 May 99 Posts: 185 Credit: 24,109,481 RAC: 0
> > Matt, I have a copy. All I need is where to send it.
> Again, I'll disappoint you, but the wupdmgr1.exe file is apparently nothing else than plain and simple boinc.exe renamed to wupdmgr1.exe.
I figured that. I have the user holding off on removing anything. I'll see what he can do to make a backup copy. I believe everything is going to be in the system32 folder.
http://www.teamstarfire.org/
trux Send message Joined: 6 Feb 01 Posts: 344 Credit: 1,127,051 RAC: 0
> I believe everything is going to be in the system32 folder.
Everything that concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).
trux BOINC software Freediving Team Czech Republic
Hans Dorn Send message Joined: 3 Apr 99 Posts: 2262 Credit: 26,448,570 RAC: 0
> > I believe everything is going to be in the system32 folder.
> Everything that concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).
Carsten's RAC increased from 80'000 to 130'000 at around Jan-22, and then stayed at this level. This looks more like the result of someone scanning the web for vulnerable computers (backdoors or some security hole in XP). If there was a worm behind this, one would expect his numbers to climb steadily or even exponentially.
Regards Hans
Toby Send message Joined: 26 Oct 00 Posts: 1005 Credit: 6,366,949 RAC: 0
> ... but what is especially necessary is building in a security mechanism that avoids unattended and stealth installations. Of course, it must not be only client based, since the crook can compile a modified client - it must include server - client security handshake with forced user input ...
Well that is in direct opposition to one of the "features" of BOINC. The installer allows administrators to automatically install BOINC on hundreds of computers without individual attention to each one. I really don't think it is such a crisis. I don't think any of the big security companies are going to put BOINC on their "bad" list just because it was the payload of some other exploit. The same thing did happen with seti@home classic and I don't recall it being listed as malware anywhere. Of course there will be rumors here and there from un(der)informed people but those are already out there. Before seti classic shut down there were several very vocal people who didn't want to switch who claimed that BOINC was insecure and would lead to many exploits. Some people believed them, most didn't.
A member of The Knights Who Say NI! For rankings, history graphs and more, check out: My BOINC stats site
tekwyzrd Send message Joined: 21 Nov 01 Posts: 767 Credit: 30,009 RAC: 0
> > I believe everything is going to be in the system32 folder.
> Everything that concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).
Not just XP. I've seen the signs of people like that on my computer running SuSE 10.0. A sampling from the /var/log/messages entries:
Dec 8 20:57:13 cerberex sshd[7998]: Invalid user admin from 83.175.213.242
Dec 8 20:57:18 cerberex sshd[8017]: Invalid user manager from 83.175.213.242
Dec 8 20:57:20 cerberex sshd[8025]: Invalid user ana from 83.175.213.242
Dec 8 20:57:22 cerberex sshd[8033]: Invalid user webadmin from 83.175.213.242
Dec 8 20:57:28 cerberex sshd[8057]: Invalid user tom from 83.175.213.242
approx. 1700 attempts in this sequence. Most recently:
Jan 30 12:35:00 cerberex sshd[2624]: Invalid user rpcuser from 200.47.112.149
Jan 30 12:35:00 cerberex sshd[2624]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:35:02 cerberex sshd[2632]: Invalid user rpc from 200.47.112.149
Jan 30 12:35:02 cerberex sshd[2632]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:35:04 cerberex sshd[2640]: Invalid user gopher from 200.47.112.149
Jan 30 12:35:04 cerberex sshd[2640]: reverse mapping checking getaddrinfo for 200-47-112-149.comsat.net.ar failed - POSSIBLE BREAKIN ATTEMPT!
170 attempts in this sequence. I'm tired of it.
Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws. Douglas Adams (1952 - 2001)
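The sshd entries in the post above are the raw material for a simple brute-force triage: group the "Invalid user" guesses by source address and tie the "reverse mapping ... failed" warnings (which carry only the sshd PID, not the address) to their source through that PID. The script below is an added example, not the poster's code; the log sample it parses is constructed in the same format with made-up hosts, PIDs and documentation-range addresses.

```python
import re

# Constructed sample in the /var/log/messages format quoted in the post; the
# host, PIDs and addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Dec  8 20:57:13 cerberex sshd[7998]: Invalid user admin from 192.0.2.10
Dec  8 20:57:18 cerberex sshd[8017]: Invalid user manager from 192.0.2.10
Dec  8 20:57:22 cerberex sshd[8033]: Invalid user webadmin from 192.0.2.10
Jan 30 12:35:00 cerberex sshd[2624]: Invalid user rpcuser from 198.51.100.7
Jan 30 12:35:00 cerberex sshd[2624]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:35:02 cerberex sshd[2632]: Invalid user rpc from 198.51.100.7
Jan 30 12:35:02 cerberex sshd[2632]: reverse mapping checking getaddrinfo for host.example failed - POSSIBLE BREAKIN ATTEMPT!
Jan 30 12:40:00 cerberex sshd[2700]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2
"""

INVALID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Invalid user (?P<user>\S+) from (?P<src>\S+)")
REVERSE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: reverse mapping checking getaddrinfo for \S+ failed")

def summarize(log_text):
    """Group 'Invalid user' guesses by source address.  The reverse-mapping
    warning names no address, only the sshd PID, so it is attributed to the
    source of the 'Invalid user' line logged by the same PID."""
    by_src, pid_to_src = {}, {}
    for line in log_text.splitlines():
        m = INVALID_RE.match(line)
        if m:
            e = by_src.setdefault(m["src"], {"attempts": 0, "usernames": [],
                                             "first": m["ts"], "last": m["ts"],
                                             "reverse_dns_failed": False})
            e["attempts"] += 1
            e["usernames"].append(m["user"])
            e["last"] = m["ts"]
            pid_to_src[m["pid"]] = m["src"]
            continue
        m = REVERSE_RE.search(line)
        if m and m["pid"] in pid_to_src:
            by_src[pid_to_src[m["pid"]]]["reverse_dns_failed"] = True
    return by_src

def flagged(summary, threshold=3):
    """Sources with at least `threshold` guesses, busiest first."""
    hot = [s for s, e in summary.items() if e["attempts"] >= threshold]
    return sorted(hot, key=lambda s: -summary[s]["attempts"])
```

On a real box, `flagged(summarize(open("/var/log/messages").read()))` gives the address list to feed a firewall rule or a fail2ban-style policy; the per-source username list shows whether it is a dictionary run (many names, one source) or a targeted guess.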
Kinguni Send message Joined: 15 Feb 00 Posts: 239 Credit: 9,043,007 RAC: 0
> > I believe everything is going to be in the system32 folder.
> Everything that concerns BOINC - yes. But the virus, worm or trojan is quite likely somewhere else (if it is still on the system at all).
I have to agree with you, to be honest, the only question being whether he did this himself, or if someone got his account information and did it for him. I don't think we are going to find a worm, virus or trojan on this computer. This would enter the realm of hacking.
Join Team Starfire BOINC Chat
Jack Gulley Send message Joined: 4 Mar 03 Posts: 423 Credit: 526,566 RAC: 0
One important bit of information that may not be in the files taken from the "infected" system or in any backups made is the date and time of the initial infection. But this is easy to determine in this case. It may take a Command prompt window to get it. As it created a BOINC folder in the SYSTEM32 folder, the date of creation of that folder and/or any sub folders in it will be the date and time of infection. Important evidence in any case. Please have him check on his system and get the dates and times of creation of the BOINC folder and each of its subfolders, and send it to you. For documentation purposes it would also be desirable for him to get a screen shot of this information if possible. Then have him use that date in the Start - Search - Search For Files and Folders to set the Search option of Date and use the between dates to find all files Created on that date. This should show him all files created on his system that date. If he did not do too much on that day, it might locate the files that installed the program, if they have not already been deleted.
The crime is called Theft of Services. Someone made use of what belongs to you for their own gain, and in the process caused you a loss of use or expense.
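The two steps above (read the Created stamps of the BOINC folder tree, then list every file created on that day) can be scripted rather than clicked through. The script below is an added example, not anything from the thread or the BOINC project; its demo builds a throwaway folder tree standing in for SYSTEM32, and it assumes that `os.stat().st_ctime` is the Created time on Windows (on Linux it is the last inode change, so the stamps there are weaker).

```python
import os
import tempfile
from datetime import date, datetime
from pathlib import Path

def created_at(path):
    """Created stamp of a file or folder.  Assumption: st_ctime is the
    creation time on Windows (what Explorer shows as Created); on Linux it is
    the last inode change, and st_birthtime exists only on some platforms."""
    st = os.stat(path)
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))

def earliest_creation(folder):
    """Earliest Created stamp of `folder` and every folder beneath it.  An
    unattended install lays the tree down in one go, so the earliest stamp
    bounds when the install ran."""
    stamps = [created_at(folder)]
    for dirpath, dirnames, _ in os.walk(folder):
        stamps.extend(created_at(os.path.join(dirpath, d)) for d in dirnames)
    return min(stamps)

def files_created_on(root, day):
    """Every file under `root` whose Created date is the calendar day `day`,
    the scripted form of the Search-by-date step."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if created_at(p).date() == day:
                hits.append(p)
    return sorted(hits)

def demo():
    """Constructed stand-in for SYSTEM32: a BOINC tree plus one sibling file
    created the same day, as the installer's leftovers would be."""
    with tempfile.TemporaryDirectory() as tmp:
        boinc = Path(tmp) / "BOINC"
        (boinc / "projects").mkdir(parents=True)
        (boinc / "boinc.exe").write_bytes(b"")        # the renamed client
        (Path(tmp) / "dropper.tmp").write_bytes(b"")  # hypothetical leftover
        day = earliest_creation(boinc).date()
        hits = [os.path.basename(p) for p in files_created_on(tmp, day)]
        return day == date.today(), hits
```

Against a live system you would call `earliest_creation(r"C:\Windows\System32\BOINC")` and then `files_created_on(r"C:\", day)`, and record the stamps before touching anything, since copying or cleaning rewrites them.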
John McLeod VII Send message Joined: 15 Jul 99 Posts: 24806 Credit: 790,712 RAC: 0
> One important bit of information that may not be in the files taken from the "infected" system or in any backups made is the date and time of the initial infection. But this is easy to determine in this case. It may take a Command prompt window to get it. As it created a BOINC folder in the SYSTEM32 folder, the date of creation of that folder and/or any sub folders in it will be the date and time of infection. Important evidence in any case.
The host information on the web indicates a created time.
BOINC WIKI
Pepo Send message Joined: 5 Aug 99 Posts: 308 Credit: 418,019 RAC: 0
> I don't think any of the big security companies are going to put BOINC on their "bad" list just because it was the payload of some other exploit.
But this could happen.
> The same thing did happen with seti@home classic and I don't recall it being listed as malware anywhere.
Not quite true. For instance, Kaspersky Lab calls it "Trusted riskware - not-a-virus:NetTool.Win32.Calc-SETI@Home". And many others might stuff it harder. Here is Kaspersky's list: http://www.viruslist.com/en/find?search_mode=full&words=seti
Peter
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.