Trojan boinc installation by rogue member

Saenger
Joined: 30 May 06
Posts: 5
Credit: 1,021
RAC: 0
Message 4567 - Posted: 20 Feb 2007, 18:18:42 UTC

I just found this post on the CPDN board:

The person in question is Wate, who is crunching (and abusing others) here as well. Has anything been done about him (her)?
It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means.

In early June 2006 he appears to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits.

About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers.

The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers.

Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computer being similarly compromised by frauds and spammers?

*Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).

*Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.

*Download new programmes only through links on websites you thoroughly trust, or type the address yourself.

*Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.

*Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.

*If your computer behaves unexpectedly, post on the forums.


Here is Wate:

http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887

http://boinc.berkeley.edu/chart_list.php

http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule.


Grüße vom Sänger



Ceterum censeo, Predictor esse delendam!
ID: 4567 · Rating: 1
Janus
Volunteer moderator
Project administrator
Joined: 16 Jun 04
Posts: 4563
Credit: 2,097,282
RAC: 0
Message 4576 - Posted: 22 Feb 2007, 18:49:34 UTC
Last modified: 22 Feb 2007, 18:55:37 UTC

BURP officials (that's me) do not comment on specific actions taken against specific accounts for specific reasons.

Generally, however, I can say that account misuse will lead to either a warning, temporary ban, permanent discontinuation of the account or a file to the police (based on how bad a case of misuse we are talking about).

With regards to the particular case I'd like to stress the first paragraph in our rules and policies:
Run BURP only on authorized computers

Run BURP only on computers that you own, or for which you have obtained the owner's permission.
ID: 4576 · Rating: 2
Misfit
Joined: 27 Aug 05
Posts: 85
Credit: 660
RAC: 0
Message 4581 - Posted: 23 Feb 2007, 1:17:59 UTC - in response to Message 4576.  

BURP officials (that's me) do not comment on specific actions taken against specific accounts for specific reasons.

You couldn't read a more political response in SETI's Political thread. Wate's credits should be deleted so when the stats update he loses everything.
me@rescam.org
ID: 4581 · Rating: -9.99866855976E-13
Nightbird

Joined: 19 Mar 05
Posts: 4
Credit: 0
RAC: 0
Message 4968 - Posted: 10 Mar 2007, 17:00:38 UTC - in response to Message 4576.  
Last modified: 10 Mar 2007, 17:07:24 UTC

BURP officials (that's me) do not comment on specific actions taken against specific accounts for specific reasons.

Generally, however, I can say that account misuse will lead to either a warning, temporary ban, permanent discontinuation of the account or a file to the police (based on how bad a case of misuse we are talking about).

With regards to the particular case I'd like to stress the first paragraph in our rules and policies:
Run BURP only on authorized computers

Run BURP only on computers that you own, or for which you have obtained the owner's permission.

climateprediction.net : zeroed
Rosetta@home : zeroed
SIMAP : zeroed
Einstein@Home : zeroed
PrimeGrid : zeroed
uFluids : zeroed (the user was the first in the top participants list)

Burp : 117,210
Predictor@home : 117,373.72

ID: 4968 · Rating: 1
John Hunt
Joined: 11 Sep 06
Posts: 33
Credit: 60,026
RAC: 0
Message 4987 - Posted: 13 Mar 2007, 8:18:18 UTC

Why has this not been actioned yet?
http://burp.boinc.dk/top_users.php?sort_by=total_credit

See Janus' post 22 Feb - Wate was most definitely not running BURP on either
authorized computers or his own computers.




ID: 4987 · Rating: 2
FreeLarry

Joined: 10 Oct 04
Posts: 42
Credit: 1,689,701
RAC: 0
Message 4991 - Posted: 13 Mar 2007, 20:02:54 UTC - in response to Message 4987.  

Why has this not been actioned yet?
http://burp.boinc.dk/top_users.php?sort_by=total_credit

See Janus' post 22 Feb - Wate was most definitely not running BURP on either
authorized computers or his own computers.




Yes I know that it seems a big deal - but I think Janus's time is being better spent getting the site fully operational currently than trying to remove one bad egg and messing things up even worse.

Larry
ID: 4991 · Rating: 0.999999999999
Misfit
Joined: 27 Aug 05
Posts: 85
Credit: 660
RAC: 0
Message 5091 - Posted: 25 Mar 2007, 2:15:56 UTC

http://burp.boinc.dk/show_user.php?userid=100 <-- just delete it and be done with it.
me@rescam.org
ID: 5091 · Rating: -2