I just found this post on the CPDN board:

The person in question is Wate, who is crunching (and abusing others) here as well. Is there anything been done about hin(her?

It recently came to the attention of boinc staff that a multi-project cruncher called Wate who occupied a very high position in the boinc and project stats had reached this exalted position by dishonest means.

In early June 2006 he appears to to have released onto the internet a link purporting to provide Windows updates including now for Vista. Some 1500 members of the public worldwide downloaded these 'updates' which in fact consisted of a trojan application that downloaded boinc.exe and attached the person's computer to Wate's account, giving him the subsequent fraudulent credits.

About 90% of the people affected appear to have uninstalled or disabled the unwanted boinc installation, but some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers.

The problem came to light when an affected member of the public noticed the heavy drain on his laptop's battery, looked in Task Manager at the running processes, identified boinc and contacted a group of genuine boinc members in Italy.

Carl deleted Wate's cpdn credits last Friday. An unfortunate side-effect of this was that cpdn credits did not update over the weekend. This problem is now sorted. The managers of most of the other projects Wate was attached to have chosen a different course, altering his registration details.

Wate's method of hijacking computers via a dishonest download is one of the classic methods used by spammers.

Boinc staff, the ClimatePrediction programmers and your moderators stress that boinc and project software was never at fault, nor was there ever any breach of Windows XP or Vista security. The dishonest application was Wate's trojan. Boinc and project software were never infiltrated and remain secure.

How can we prevent our own computer being similarly compromised by frauds and spammers?

*Use legitimate software (it is said that half the illegal copies of Windows sold in China come with a virus pre-installed).

*Download updates for your operating system and other programmes via the tools on your computer, not through links in emails or links on web pages.

*Download new programmes only through links on websites you thoroughly trust, or type the address yourself.

*Keep your AV and firewall up-to-date and scan regularly. Install and use malware cleaners such as Spybot and Adaware.

*Look at Task Manager from time to time to see all the running processes on your computer. Right-click on the digital clock and select it. The processes whose names you don't recognise can be identified through a search engine. If you suspect a rogue application, download HijackThis and post your log there. You will be told what can be safely deleted.

*If your computer behaves unexpectedly, post on the forums.


Here is Wate:

http://www.boincstats.com/stats/boinc_user_graph.php?pr=bo&id=873722

http://climateapps2.oucs.ox.ac.uk/cpdnboinc/show_user.php?userid=188887

http://boinc.berkeley.edu/chart_list.php

http://burp.boinc.dk/forum_user_posts.php?userid=100 - appears to be the same member.

This thread can be used for discussion, reprobation and ridicule.

---

Grüße vom Sänger

Thanks for the heads up!

---

Very many thanks to Saenger!

---

... some compromised computers are still running and crashing climate models. Boinc and project staff have no means of contacting the owners of these computers. ...

As I understand it, cpdn can abort a job at a trickle-up.

On its own this would not be much use, as the client would simply download another client. I wonder how easy it would be to have a 'badlist' of banned users so that the scheduler would simply refuse to issue more work to them. This might prove useful in other situations as well.

Just a thought. If anyone feels it is worth passing on, please repost on the BOINC forums.

And I too would like to join in the thanks to Saenger for re-posting this.

I have copied it across to LHC and LC.

River~~

---

Since projects have the ip#s of the machines that are running the project under his name, they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used. While they won't give out their email addresses to Boinc or the projects, they should be willing to pass on that information to those affected, getting them to remove the client, or sign themselves up and join a team of their own choosing.

Seti was recently credited as being able to help track down a stolen laptop; so DC projects can be used to help identify systems being used on those projects.

---

Since projects have the ip#s of the machines that are running the project under his name, they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used. While they won't give out their email addresses to Boinc or the projects, they should be willing to pass on that information to those affected, getting them to remove the client, or sign themselves up and join a team of their own choosing.

Seti was recently credited as being able to help track down a stolen laptop; so DC projects can be used to help identify systems being used on those projects.

Usually the IPs change quite often, some even daily, as most users are not on a permanent connection, quite a lot probably even on dial-in. To store all of them in some enormous data base would probably put a lot os stress to the data servers.

The stolen puter was another matter. This was a single event with a single user, nothing to put a global drag net over every user.

they can contact the ISPs and ask the ISPs to forward a message to the owners of those ISP accounts being used.

I moderate a couple of forums. At times there have been abusers, and I have tried to remedy the problem via the perps ISP. Frankly, I have never found an ISP prepared to take action against one of their customers, unless of course, they stop paying their bills.

Theoretically, from an IP address and an accurate date/time, server logs should be able to resolve a DHCP address to an end point.

---

Wave upon wave of demented avengers march cheerfully out of obscurity into the dream.

Not through to an end-point... but through to a specific user's account. Yep. And the ISPs keep such logs and run other statistics over them. Timestamp, IP addr, account name, and perhaps duration... the files aren't unmanageably huge.

---

Add this signature to your EMail:
Running Microsoft's "System Idle Process" will never help cure cancer, AIDS nor Alzheimer's. But running Rosetta@home just might!
https://boinc.bakerlab.org/rosetta/

....Frankly, I have never found an ISP prepared to take action against one of their customers, unless of course, they stop paying their bills....

Never a truer word said....

A few years ago I was on the receiving end of a torrent of spam from a US based spammer, 300+ spam emails PER DAY!!!! His ISP point blank refused to do anything to stop him from doing this - they were/are well known for harbouring spammers and offered accounts which they guaranteed would never be suspended, for any reason....

His spam stopped abruptly when his email address database, ahem, "somehow" got poisoned with the email addresses of the CEO and other high-ups at his ISP <EVIL CACKLE>.


TTFN - Pete.

---

During the Nimda outbreak, most ISPs in the 24.x.x.x range seemed interested in Nimda infection reports so they could contact their clients and get the problem taken care of. And since I had someone in my area bring their machine in for cleaning that was told of their infection by our ISP, I got the impression that my communications with the security team bore fruit. With my experience, ISPs are willing to pass on information about infected machines to their clients. I wasn't after their email address, contact info, or trying to get them kicked off the ISP.. just get the machines cleaned up.

---

....trying to get them kicked off the ISP.. just get the machines cleaned up.

All I was doing was asking the ISP concerned to enforce their own anti-spam policy, which they flatly refused to do.... :-(


TTFN - Pete.

---

....trying to get them kicked off the ISP.. just get the machines cleaned up.

All I was doing was asking the ISP concerned to enforce their own anti-spam policy, which they flatly refused to do.... :-(


TTFN - Pete.

In all fairness Pete, the ISP you mentioned was one that made money out of harbouring people who are 'wittingly' abusing others, ie spammers.

ISP's that make money out of offering customer service to folk who have been unwittingly have been caught in a scam will react differently.

My response would have been to start a DOS attacl on the ISP, but the approach "someone" actually tried, effectively a DOS attack on their executive is rather neat. If you <ahem> happen to identify the "someone" give them my congratulations ;-)

Rosetta Admin should remove all of Wate's credits. That way when the stats update he loses everything.

---

me@rescam.org

Rosetta Admin should remove all of Wate's credits. That way when the stats update he loses everything.

I wonder if any admin here reads this topic.

ClimatPrediction : 3,631,651 credits -> zeroed
Einstein@home : 2,463,297.43 credits -> zeroed
PrimeGrid : + 930,000 credits -> zeroed
Simap : 94,494 credits -> zeroed

---

did it.

did it.

Thanks David