PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 76,273

2017-03-01 21:26:37

Hi,

A user on IRC reports that he suddenly found BOINC installed on his Windows PC. boincmgr.exe is missing, but all other files are installed normally, which is quite suspicious (attempt to hide?). I helped him find the daemon logs, and it says:

01-Mar-2017 18:28:31 [---] Contacting account manager at https://bam.boincstats.com/
01-Mar-2017 18:28:34 [---] Account manager: BAM! User: 204272, kikipope
01-Mar-2017 18:28:34 [---] Account manager: BAM! Host: 695330

It seems this user has over 2600 computers attached to VGTU@Home.

It would be nice if a BAM admin could check if there is an unusual number of computers from different IPs/locations connecting to this same user account, to give more evidence that kikipope is possibly installing BOINC into computers they don't own.
Not running BOINC anymore for several reasons...
PovAddict
BAM!ID: 115
Joined: 2006-05-10
Posts: 1013
Credits: 5,785,239
World-rank: 76,273

2017-03-01 22:14:53

We found the evil installer. It installs BOINC, adds acct_mgr_login.xml and acct_mgr_url.xml, deletes registry keys so it doesn't appear in Add/Remove Programs, deletes boincmgr.exe, runs powercfg to disable automatic sleep/hibernate, adds adware to IE and Firefox, and disables some malware-download protections from Firefox. Evil stuff.
Not running BOINC anymore for several reasons...
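A host-triage check for the pattern PovAddict describes (client attached to an account manager, boincmgr.exe removed, no Add/Remove Programs entry). This is an added example, not code from the thread or from the BOINC project; it assumes BOINC's default Windows install locations and that acct_mgr_url.xml carries a `<url>` element.

```powershell
# Added example: look for the silent-BOINC-install artifacts described in the thread.
# Assumes default BOINC locations; adjust $DataDir / $ProgDir for non-default installs.
$DataDir = 'C:\ProgramData\BOINC'        # default BOINC data directory (assumption)
$ProgDir = 'C:\Program Files\BOINC'      # default BOINC program directory (assumption)
$Findings = @()

# 1. Account-manager attachment: acct_mgr_url.xml names the account manager.
$UrlFile = Join-Path $DataDir 'acct_mgr_url.xml'
if (Test-Path $UrlFile) {
    $Raw = Get-Content $UrlFile -Raw
    # Assumes a <url> element; falls back to any http(s) URL found in the file.
    $Url = if ($Raw -match '<url>\s*(.*?)\s*</url>') { $Matches[1] }
           elseif ($Raw -match 'https?://\S+') { $Matches[0] } else { '(unparsed)' }
    $Findings += "attached to account manager: $Url"
    if (Test-Path (Join-Path $DataDir 'acct_mgr_login.xml')) {
        $Findings += 'acct_mgr_login.xml present (credentials pre-seeded by an installer?)'
    }
}

# 2. Client present but manager binary gone: the hiding trick from the thread.
$ClientPresent  = Test-Path (Join-Path $ProgDir 'boinc.exe')
$ManagerPresent = Test-Path (Join-Path $ProgDir 'boincmgr.exe')
if ($ClientPresent -and -not $ManagerPresent) {
    $Findings += 'boinc.exe present but boincmgr.exe missing'
}

# 3. Files installed but no Add/Remove Programs (Uninstall) registry entry.
$UninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$Entry = Get-ChildItem -Path $UninstallRoots -ErrorAction SilentlyContinue |
         Get-ItemProperty | Where-Object { $_.DisplayName -like 'BOINC*' }
if ($ClientPresent -and -not $Entry) {
    $Findings += 'BOINC files present but no Uninstall registry entry'
}

# 4. Recent account-manager lines from the client log, as PovAddict read them.
$Log = Join-Path $DataDir 'stdoutdae.txt'
if (Test-Path $Log) {
    $Findings += (Select-String -Path $Log -Pattern 'Account manager:|Contacting account manager' |
                  Select-Object -Last 3 | ForEach-Object { $_.Line.Trim() })
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No BOINC account-manager artifacts found.' }
```

Run it in an elevated PowerShell on the suspect host; a hit on checks 2 or 3 together with an account-manager URL the user never chose is the combination worth escalating.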
Customminer
BAM!ID: 162552
Joined: 2014-03-02
Posts: 9
Credits: 16,336,967
World-rank: 37,750

2017-03-01 23:53:59

More details of this user:
https://gridcoinstats.eu/cpid.php?a=view&id=2bebcc51ce6b307d8410ba59a9072039
http://www.gridresearchcorp.com/gridcoin/?cpid_dashboard&CPID=2bebcc51ce6b307d8410ba59a9072039

With the above pages you can track all transactions.
[BOINCstats] Willy
Forum moderator - Administrator - Developer - Tester - Translator
BAM!ID: 1
Joined: 2006-01-09
Posts: 9419
Credits: 350,105,499
World-rank: 4,518

2017-03-06 14:12:44

This user has 4000+ hosts in his account. However, he disabled use of BAM!, which is actually a little too clever, as this stops the host from connecting to BAM! but doesn't detach anything. The last host connected on March 4th. The reconnect time was set to the maximum, so some hosts may yet connect to BAM!.

I have taken control of the account and set all projects on all hosts to detach.

Some of the hosts may never contact BAM! again because of the previous way BAM! handled being disabled.

I have changed BAM! so that disabling BAM! still lets the host connect once a day to BAM!. It's then up to the user to remove BAM! completely.

Please do not PM, IM or email me for support (they will go unread/ignored). Use the forum for support.
Sid Celery
BAM!ID: 85904
Joined: 2010-06-01
Posts: 38
Credits: 65,700,242
World-rank: 14,304

2017-03-07 19:15:29

PovAddict wrote:
We found the evil installer. It installs BOINC, adds acct_mgr_login.xml and acct_mgr_url.xml, deletes registry keys so it doesn't appear in Add/Remove Programs, deletes boincmgr.exe, runs powercfg to disable automatic sleep/hibernate, adds adware to IE and Firefox, and disables some malware-download protections from Firefox. Evil stuff.

Wow!
Customminer
BAM!ID: 162552
Joined: 2014-03-02
Posts: 9
Credits: 16,336,967
World-rank: 37,750

2017-03-12 14:41:41

KIKIPope is still actively utilizing his botnet to earn GRC: https://gridcoinstats.eu/cpid.php?a=view&id=2bebcc51ce6b307d8410ba59a9072039

Mainly the following two projects:
Cosmology@home
LHC@home Classic
Index :: BAM! Bug Report :: Malware installing BOINC; BAM account to ban?