Trojan boinc installation by rogue member
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means. In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits. About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers. The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers. Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computer being similarly compromised by frauds and spammers?

* Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).
* Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.
* Download new programmes only through links on websites you thoroughly trust, or type the address yourself.
* Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.
* Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.
* If your computer behaves unexpectedly, post on the forums.

Here is Wate:
http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722
http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887
http://boinc.berkeley.edu/chart_list.php
http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule.

Cpdn news
Joined: 1 Nov 04 | Posts: 185 | Credit: 4,166,063 | RAC: 857

Thanks for this treatment of this phisher. I quoted your post in the fora of the other projects he joined to start a discussion there, I hope you don't mind. Here are the links to those threads: Einstein Rosetta Simap µFluids Predictor Burp PrimeGrid (BOINCstats)

Greetings from Sänger
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

Thanks for that, Sänger. I put the same post on the boinc_dev forum and said there that members were welcome to copy it to other message boards, but I forgot to say this here. The opinion on cpdn is that it's best for everybody to know what's happening. I know, for example, that Rytis has scrambled Wate's registration details for PrimeGrid. It may be that Einstein don't deal with him until their database problems are fixed.

Cpdn news
Joined: 3 Mar 06 | Posts: 96 | Credit: 353,185 | RAC: 0

Have authorities been contacted? Will Wate be charged? Prosecuted? Persecuted? Will he plead insanity and an all-consuming lust for credits he just could not control? Will he plead he is just a philanthropy facilitator harvesting unused CPU cycles out there in the wild and putting them to good use? Who will be the first to identify and offer counselling for BOINC Credit Whore Syndrome? My RAC sucks. Can I get a copy of his trojan?
Joined: 9 Jan 07 | Posts: 17 | Credit: 165,916 | RAC: 0

> Have authorities been contacted?

He He !!! You must be joking :) .. yeah I'd like some more RAC too (for my Team - The Greenies.. but not this way)

Chrissy "please save us....." IainsstatspageforTGP
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

You're welcome to persecute Wate verbally, virtuously and virtually here. Every time we mention his name, the post should after a few days come up in a Google search. By now he'll know that the game's up and you can be pretty sure he'll be watching. So I'm telling him now that everybody at cpdn thinks he's a tosser. In addition, anyone who risks frying people's laptops, on which cpdn shouldn't be run without precautions, has no understanding of boinc or computers.

Unfortunately the original IP number he registered from was overwritten on the server by the IPs of subsequent contacts, and there will in his case have been hundreds if not thousands of these. Only the most recent IP contact number remains on the server.

Cpdn news
Joined: 31 Oct 04 | Posts: 336 | Credit: 3,316,482 | RAC: 0

> .... Boinc and project staff have no means of contacting the owners of these computers.

They do have :-) Make all computers on that account download an application that does nothing but open a message box with a short piece of information, where the OK button leads to an information page.

p.s.: please test the scheduler modification well, I do not need such an application ;-)
Joined: 27 Jun 05 | Posts: 74 | Credit: 199,198 | RAC: 0

> ... some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers. ...

As I understand it, cpdn can abort a job at a trickle-up. On its own this would not be much use, as the client would simply download another client. I wonder how easy it would be to have a 'badlist' of banned users so that the scheduler would simply refuse to issue more work to them. This might prove useful in other situations as well. Just a thought. If anyone feels it is worth passing on, please repost on the BOINC forums.

I also like the earlier suggestion to produce a specialised app that puts out a message to the users, though this could backfire on the lines of shooting the messenger. It might actually be less helpful but less damaging to the project just to make the machines disengage by refusing them work.

River~~
Joined: 27 Jun 05 | Posts: 74 | Credit: 199,198 | RAC: 0

Thanks for this treatment of this phisher. I have copied it across to LHC and LC. Although (s)he was not active on those projects, in my view as many people as possible should know. I'd encourage anyone who regularly posts on other projects not mentioned already to spread the word there.

R~~
Joined: 3 Mar 06 | Posts: 96 | Credit: 353,185 | RAC: 0

> Have authorities been contacted?

Of course I'm joking, lol. I wish CPDN had contacted authorities first before taking any action. They've alerted Wate and now he's more likely to foil any attempts to give him what he deserves. The cops can be very effective when the perpetrator doesn't know he's under suspicion. They may have found a way to draw him into the open and then slap the cuffs on him. There are likely other people out there who have done same as Wate. Now they are alerted too. Would have been better to round up the lot rather than alert them.
Joined: 27 Aug 06 | Posts: 26 | Credit: 162,685 | RAC: 0

I've posted it at NanoHive and QMC and stickied it both places.

Kathryn :o)
The BOINC FAQ Service | The Unofficial BOINC Wiki | The Trac System
More BOINC information than you can shake a stick of RAM at.
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

The whole business was first in the hands of the people at boinc and they then contacted the project admins via the boinc mailing list. At cpdn the mods knew about this over the weekend, but by Friday Carl already seems to have done something to stop all those computers trickling, as the last trickles were on 16 Feb. But some of the computers could still be crunching.

The only way you could probably determine whether big crunchers are using hijacked machines would be if the servers were set up to save all the IP numbers, rather than each contact IP number overwriting the previous one. It would have to identify anomalous behaviour eg any member with computers in more than one country. So the software would have to include identifying the origin of the IP numbers. Like the banks that can identify anomalous spending patterns.

As to whether continuously crashing workunits for months on end should trigger an email, a boinc message or a pop-up on-screen message....all of these ideas have been suggested before re legitimate but incompetent crunchers.

But if you want to track down an actual computer or an actual person, it's a different ball-game unless the police computer forensics department get involved. When for example one of our mods emailed @web.de which is a legit ISP to give them the IP numbers of spammers registered with them who had posted on our php forum, he got no response whatsoever. I contacted a UK hospital trust which I thought probably had a computer that was hijacked and being used by a spammer. No response even though I gave them my address and phone number. (A few organisations we've contacted have responded.) The investigation of anything like this is massively time-consuming. I don't think any police force in the world would be even remotely interested in devoting resources to this.

But I wouldn't be surprised if sooner or later, something like what I've outlined in the second paragraph here is implemented in boinc.

Cpdn news
Joined: 5 Aug 04 | Posts: 250 | Credit: 93,274 | RAC: 0

You'd need a pretty big database then to store all those IP addresses. Nothing said about people whose IP address changes on a daily/weekly basis as their ISP cycles IP addresses (or they are on plain dial up). What is the biggest problem the projects out there have? Yup, database problems. So I don't see it as a viable option and thus without the various IP addresses known, the admins can't send a specific program to the 'hijacked' computers. It'll be sent to all. Not something I want to have popping up. ;-)

Jord.
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

For Wate there would be a collection of thousands of IP numbers. As you say, avoiding this sort of usually irrelevant collection is why the servers overwrite the number at each contact. It's also possible to deliberately hide your real IP number.

Cpdn news
Joined: 10 Jan 06 | Posts: 55 | Credit: 2,520,659 | RAC: 4,227

> This thread can be used for discussion, reprobation and ridicule.

I like this part so much I had to add something. Well done to the CPDN project staff. I hope the other projects can do the same thing and maintain a sense of cross project uniformity.

Click here to join the #1 Aussie Alliance on Climate Prediction
Joined: 10 Jan 06 | Posts: 55 | Credit: 2,520,659 | RAC: 4,227

> The only way you could probably determine whether big crunchers are using hijacked machines would be if the servers were set up to save all the IP numbers, rather than each contact IP number overwriting the previous one. It would have to identify anomalous behaviour eg any member with computers in more than one country. So the software would have to include identifying the origin of the IP numbers. Like the banks that can identify anomalous spending patterns.

Using the BOINC members country may be problematic. As an example one of our members resides in China and works all over South East Asia. It would look horribly suspicious to see an Australian returning results from that demographic. Although this scenario may be easily overcome. In any case, legitimate users would be much easier to contact.

Click here to join the #1 Aussie Alliance on Climate Prediction
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

As Jorden says, nothing like this is going to happen any time soon!

This is nice - one of the Italians who investigated the problems of the hapless owner of the hijacked laptop and uncovered the scam has posted here:
http://boinc.berkeley.edu/dev/forum_thread.php?id=1571

Cpdn news
Joined: 27 Aug 05 | Posts: 35 | Credit: 1,633 | RAC: 0

> This thread can be used for discussion, reprobation and ridicule.

Do not blame Misfit! ;)
Joined: 29 Sep 04 | Posts: 2363 | Credit: 14,611,758 | RAC: 0

The day you have not one but 1458 computers attached to cpdn, you will be misused, mistrusted and mistreated for all your past misfeasance, mischief and misdemeanours.
http://climateapps2.oucs.ox.ac.uk/cpdnboinc/hosts_user.php?userid=188887

Cpdn news
Joined: 30 Apr 05 | Posts: 1 | Credit: 5,450,435 | RAC: 0

Why not create an account for "the unknown crunchers" and put the credits there? I mean: the WUs are crunched, the science has profited, the right thing to do would be to remove the credits from Wate. However, someone should have them, so create - in gratefulness and as a small compensation for those who crunched it - that account.

OTOH: there is nothing which prevents him from joining again using a different name and different ISP and a different scam. And that is so sad ...
©2024 cpdn.org