Thread 'Trojan boinc installation by rogue member'
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26940 - Posted: 20 Feb 2007, 12:49:00 UTC
Last modified: 20 Feb 2007, 13:06:18 UTC

It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means.

In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits.

About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers.

The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers.

Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computer being similarly compromised by frauds and spammers?

* Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).

* Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.

* Download new programmes only through links on websites you thoroughly trust, or type the address yourself.

* Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.

* Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.

* If your computer behaves unexpectedly, post on the forums.


Here is Wate:

http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887

http://boinc.berkeley.edu/chart_list.php

http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule.


Cpdn news
ID: 26940 · Report as offensive     Reply Quote
Saenger
Joined: 1 Nov 04
Posts: 185
Credit: 4,166,063
RAC: 857
Message 26947 - Posted: 20 Feb 2007, 18:31:21 UTC
Last modified: 20 Feb 2007, 18:36:59 UTC

Thanks for this treatment of this phisher.
I quoted your post in the fora of the other projects he joined to start a discussion there, I hope you don't mind.

Here are the links to those threads:
Einstein
Rosetta
Simap
µFluids
Predictor
Burp
PrimeGrid
(BOINCstats)

Grüße vom Sänger
ID: 26947 · Report as offensive     Reply Quote
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26948 - Posted: 20 Feb 2007, 19:29:23 UTC
Last modified: 20 Feb 2007, 19:34:24 UTC

Thanks for that, Sänger. I put the same post on the boinc_dev forum and said there that members were welcome to copy it to other message boards, but I forgot to say this here.

The opinion on cpdn is that it's best for everybody to know what's happening. I know, for example, that Rytis has scrambled Wate's registration details for PrimeGrid. It may be that Einstein don't deal with him until their database problems are fixed.


Cpdn news
ID: 26948 · Report as offensive     Reply Quote
old_user170894
Joined: 3 Mar 06
Posts: 96
Credit: 353,185
RAC: 0
Message 26950 - Posted: 20 Feb 2007, 20:28:56 UTC - in response to Message 26948.  

Have authorities been contacted?
Will Wate be charged? Prosecuted? Persecuted?
Will he plead insanity and an all consuming lust for credits he just could not control?
Will he plead he is just a philanthropy facilitator harvesting unused CPU cycles out there in the wild and putting them to good use?
Who will be the first to identify and offer counselling for BOINC Credit Whore Syndrome?
My RAC sucks. Can I get a copy of his trojan?


ID: 26950 · Report as offensive     Reply Quote
old_user218256
Joined: 9 Jan 07
Posts: 17
Credit: 165,916
RAC: 0
Message 26951 - Posted: 20 Feb 2007, 21:00:12 UTC - in response to Message 26950.  
Last modified: 20 Feb 2007, 21:01:02 UTC

Have authorities been contacted?
Will Wate be charged? Prosecuted? Persecuted?
Will he plead insanity and an all consuming lust for credits he just could not control?
Will he plead he is just a philanthropy facilitator harvesting unused CPU cycles out there in the wild and putting them to good use?
Who will be the first to identify and offer counselling for BOINC Credit Whore Syndrome?
My RAC sucks. Can I get a copy of his trojan?




He He !!! You must be joking:) .. yeah I'd like some more RAC too( for
my Team - The Greenies..but not this way)

Chrissy

"please save us....."




IainsstatspageforTGP
ID: 26951 · Report as offensive     Reply Quote
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26953 - Posted: 20 Feb 2007, 21:26:10 UTC
Last modified: 20 Feb 2007, 21:27:51 UTC

You're welcome to persecute Wate verbally, virtuously and virtually here. Every time we mention his name, the post should after a few days come up in a Google search. By now he'll know that the game's up and you can be pretty sure he'll be watching. So I'm telling him now that everybody at cpdn thinks he's a tosser. In addition, anyone who risks frying people's laptops, on which cpdn shouldn't be run without precautions, has no understanding of boinc or computers.

Unfortunately the original IP number he registered from was overwritten on the server by the IPs of subsequent contacts, and there will in his case have been hundreds if not thousands of these. Only the most recent IP contact number remains on the server.
Cpdn news
ID: 26953 · Report as offensive     Reply Quote
Ananas
Volunteer moderator
Joined: 31 Oct 04
Posts: 336
Credit: 3,316,482
RAC: 0
Message 26955 - Posted: 20 Feb 2007, 21:41:00 UTC - in response to Message 26940.  
Last modified: 20 Feb 2007, 21:43:56 UTC

.... Boinc and project staff have no means of contacting the owners of these computers.


They do have :-)

Make all computers on that account download an application that does nothing but open a message box with a short information and the OK button lead to an information page.

p.s.: please test the scheduler modification well, I do not need such an application ;-)
ID: 26955 · Report as offensive     Reply Quote
old_user85254
Joined: 27 Jun 05
Posts: 74
Credit: 199,198
RAC: 0
Message 26956 - Posted: 20 Feb 2007, 22:04:17 UTC

... some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers. ...


As I understand it, cpdn can abort a job at a trickle-up.

On its own this would not be much use, as the client would simply download another client. I wonder how easy it would be to have a 'badlist' of banned users so that the scheduler would simply refuse to issue more work to them. This might prove useful in other situations as well.

Just a thought. If anyone feels it is worth passing on, please repost on the BOINC forums.

I also like the earlier suggestion to produce a specialised app that puts out a message to the users, though this could backfire on the lines of shooting the messenger. It might actually be less helpful but less damaging to the project just to make the machines disengage by refusing them work.

River~~
ID: 26956 · Report as offensive     Reply Quote
old_user85254
Joined: 27 Jun 05
Posts: 74
Credit: 199,198
RAC: 0
Message 26957 - Posted: 20 Feb 2007, 22:11:20 UTC - in response to Message 26947.  

Thanks for this treatment of this phisher.
I quoted your post in the fora of the other projects he joined to start a discussion there, ...


I have copied it across to LHC and LC.

Although (s)he was not active on those projects, in my view as many people as possible should know. I'd encourage anyone who regularly posts on other projects not mentioned already to spread the word there.

R~~
ID: 26957 · Report as offensive     Reply Quote
old_user170894
Joined: 3 Mar 06
Posts: 96
Credit: 353,185
RAC: 0
Message 26958 - Posted: 20 Feb 2007, 22:37:50 UTC - in response to Message 26951.  

Have authorities been contacted?
Will Wate be charged? Prosecuted? Persecuted?
Will he plead insanity and an all consuming lust for credits he just could not control?
Will he plead he is just a philanthropy facilitator harvesting unused CPU cycles out there in the wild and putting them to good use?
Who will be the first to identify and offer counselling for BOINC Credit Whore Syndrome?
My RAC sucks. Can I get a copy of his trojan?




He He !!! You must be joking:) .. yeah I'd like some more RAC too( for
my Team - The Greenies..but not this way)



Of course I'm joking, lol.

I wish CPDN had contacted authorities first before taking any action. They've alerted Wate and now he's more likely to foil any attempts to give him what he deserves. The cops can be very effective when the perpetrator doesn't know he's under suspicion. They may have found a way to draw him into the open and then slap the cuffs on him.

There are likely other people out there who have done same as Wate. Now they are alerted too. Would have been better to round up the lot rather than alert them.



ID: 26958 · Report as offensive     Reply Quote
old_user197041
Joined: 27 Aug 06
Posts: 26
Credit: 162,685
RAC: 0
Message 26960 - Posted: 20 Feb 2007, 23:32:02 UTC

I've posted it at NanoHive and QMC and stickied it both places.
Kathryn :o)
The BOINC FAQ Service
The Unofficial BOINC Wiki
The Trac System
More BOINC information than you can shake a stick of RAM at.
ID: 26960 · Report as offensive     Reply Quote
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26961 - Posted: 20 Feb 2007, 23:49:11 UTC

The whole business was first in the hands of the people at boinc and they then contacted the project admins via the boinc mailing list. At cpdn the mods knew about this over the weekend, but by Friday Carl already seems to have done something to stop all those computers trickling, as the last trickles were on 16 Feb. But some of the computers could still be crunching.

The only way you could probably determine whether big crunchers are using hijacked machines would be if the servers were set up to save all the IP numbers, rather than each contact IP number overwriting the previous one. It would have to identify anomalous behaviour eg any member with computers in more than one country. So the software would have to include identifying the origin of the IP numbers. Like the banks that can identify anomalous spending patterns.

As to whether continuously crashing workunits for months on end should trigger an email, a boinc message or a pop-up on-screen message....all of these ideas have been suggested before re legitimate but incompetent crunchers.

But if you want to track down an actual computer or an actual person, it's a different ball-game unless the police computer forensics department get involved. When for example one of our mods emailed @web.de which is a legit ISP to give them the IP numbers of spammers registered with them who had posted on our php forum, he got no response whatsoever. I contacted a UK hospital trust which I thought probably had a computer that was hijacked and being used by a spammer. No response even though I gave them my address and phone number. (A few organisations we've contacted have responded.)

The investigation of anything like this is massively time-consuming. I don't think any police force in the world would be even remotely interested in devoting resources to this.

But I wouldn't be surprised if sooner or later, something like what I've outlined in the second paragraph here is implemented in boinc.
Cpdn news
ID: 26961 · Report as offensive     Reply Quote
Jord
Joined: 5 Aug 04
Posts: 250
Credit: 93,274
RAC: 0
Message 26962 - Posted: 21 Feb 2007, 0:02:05 UTC

You'd need a pretty big database then to store all those IP addresses. Nothing said about people whose IP address changes on a daily/weekly basis as their ISP cycles IP addresses (or they are on plain dial up).

What is the biggest problem the projects out there have? Yup, database problems.
So I don't see it as a viable option and thus without the various IP addresses known, the admins can't send a specific program to the 'hijacked' computers. It'll be sent to all. Not something I want to have popping up. ;-)
Jord.
ID: 26962 · Report as offensive     Reply Quote
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26963 - Posted: 21 Feb 2007, 0:15:18 UTC
Last modified: 21 Feb 2007, 0:18:23 UTC

For Wate there would be a collection of thousands of IP numbers. As you say, avoiding this sort of usually irrelevant collection is why the servers overwrite the number at each contact.

It's also possible to deliberately hide your real IP number.
Cpdn news
ID: 26963 · Report as offensive     Reply Quote
m.mitch
Joined: 10 Jan 06
Posts: 55
Credit: 2,526,479
RAC: 3,151
Message 26964 - Posted: 21 Feb 2007, 0:25:09 UTC - in response to Message 26940.  

This thread can be used for discussion, reprobation and ridicule.


I like this part so much I had to add something. Well done to the CPDN project staff. I hope the other projects can do the same thing and maintain a sense of cross project uniformity.



Click here to join the #1 Aussie Alliance on Climate Prediction
ID: 26964 · Report as offensive     Reply Quote
m.mitch
Joined: 10 Jan 06
Posts: 55
Credit: 2,526,479
RAC: 3,151
Message 26965 - Posted: 21 Feb 2007, 0:35:24 UTC - in response to Message 26961.  

The only way you could probably determine whether big crunchers are using hijacked machines would be if the servers were set up to save all the IP numbers, rather than each contact IP number overwriting the previous one. It would have to identify anomalous behaviour eg any member with computers in more than one country. So the software would have to include identifying the origin of the IP numbers. Like the banks that can identify anomalous spending patterns.


Using the BOINC members country may be problematic. As an example one of our members resides in China and works all over South East Asia.

It would look horribly suspicious to see an Australian returning results from that demographic. Although this scenario may be easily overcome.

In any case, legitimate users would be much easier to contact.



Click here to join the #1 Aussie Alliance on Climate Prediction
ID: 26965 · Report as offensive     Reply Quote
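
Added example (not part of the thread, and not BOINC server code): one way to implement the check mo.v describes in Message 26961 while allowing for the travelling member m.mitch raises in Message 26965, by keeping every contact and counting distinct hosts by first-seen country rather than countries alone. The log format, the thresholds and the IP-to-country table are assumptions made for this sketch.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a GeoIP database: RFC 5737 documentation ranges
# mapped to hypothetical country codes.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "CN",
    ipaddress.ip_network("203.0.113.0/24"): "IT",
}

# Constructed contact log, one scheduler contact per line: date userid hostid ip
SAMPLE_LOG = """\
2007-02-01 1001 h1 192.0.2.10
2007-02-03 1001 h1 198.51.100.7
2007-02-05 1001 h1 203.0.113.9
2007-02-01 2002 h10 192.0.2.20
2007-02-01 2002 h11 198.51.100.21
2007-02-02 2002 h12 203.0.113.22
2007-02-02 2002 h13 198.51.100.23
"""

def country_of(ip):
    """Look up the country for an IP; '??' when the table has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"

def host_home_countries(log_text):
    """Return {userid: {hostid: first-seen country}} from the full history."""
    homes = defaultdict(dict)
    for line in sorted(log_text.splitlines()):  # ISO dates sort chronologically
        if not line.strip():
            continue
        _date, user, host, ip = line.split()
        # setdefault keeps the first country seen, so one laptop that travels
        # still counts as a single host with a single home country.
        homes[user].setdefault(host, country_of(ip))
    return homes

def flag_accounts(log_text, min_hosts=3, min_countries=2):
    """Flag accounts whose many distinct hosts are spread over several countries."""
    flagged = []
    for user, hosts in host_home_countries(log_text).items():
        countries = set(hosts.values()) - {"??"}
        if len(hosts) >= min_hosts and len(countries) >= min_countries:
            flagged.append((user, len(hosts), sorted(countries)))
    return sorted(flagged)

if __name__ == "__main__":
    for user, n_hosts, countries in flag_accounts(SAMPLE_LOG):
        print(f"user {user}: {n_hosts} hosts across {countries}")
```

In the constructed log, user 1001 is a single laptop seen in three countries and is not flagged; user 2002 has four hosts spread over three countries and is.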
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26966 - Posted: 21 Feb 2007, 0:44:44 UTC

As Jorden says, nothing like this is going to happen any time soon!

This is nice - one of the Italians who investigated the problems of the hapless owner of the hijacked laptop and uncovered the scam has posted here:

http://boinc.berkeley.edu/dev/forum_thread.php?id=1571


Cpdn news
ID: 26966 · Report as offensive     Reply Quote
old_user94860
Joined: 27 Aug 05
Posts: 35
Credit: 1,633
RAC: 0
Message 26967 - Posted: 21 Feb 2007, 3:22:53 UTC - in response to Message 26940.  

This thread can be used for discussion, reprobation and ridicule.

Do not blame Misfit! ;)
ID: 26967 · Report as offensive     Reply Quote
mo.v
Volunteer moderator
Joined: 29 Sep 04
Posts: 2363
Credit: 14,611,758
RAC: 0
Message 26969 - Posted: 21 Feb 2007, 6:06:02 UTC

The day you have not one but 1458 computers attached to cpdn, you will be misused, mistrusted and mistreated for all your past misfeasance, mischief and misdemeanours.

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/hosts_user.php?userid=188887
Cpdn news
ID: 26969 · Report as offensive     Reply Quote
petrusbroder
Joined: 30 Apr 05
Posts: 1
Credit: 5,450,435
RAC: 0
Message 26970 - Posted: 21 Feb 2007, 6:17:38 UTC

Why not create an account for "the unknown crunchers" and put the credits there?
I mean: the WUs are crunched, the science has profited, the right thing to do would be to remove the credits from Wate.
However, someone should have them, so create - in gratefulness and as a small compensation for those who crunched it - that account.

OTOH: there is nothing which prevents him to join again using a different name and different ISP and a different scam. And that is so sad ...
ID: 26970 · Report as offensive     Reply Quote