Trojan in Folding@home?

TallCoolOne

Junior Member
Apr 3, 2004
11
0
0
I've been running the folding@home software under windows for a few weeks now, and thankfully, I also have Norton Internet Security running as well. A few days ago Norton stopped a program from sending the last 6 digits of my bank account number to 171.64.122.143:8080 - this turns out to be an IP address at Stanford University. After a little investigation I also found a program called REBOOT.EXE in my startup folder (the EXE file was actually in that folder, not just a shortcut). I'm not sure if that EXE was related to the folding@home installation though. After deleting that file and stopping f@h, I restarted f@h which then _immediately_ tried again to broadcast my bank account information. Has anyone else encountered this kind of problem with f@h? I'm currently on TeamAnandtech but will no longer be taking part as long as f@h seems to be compromising my system.

Chris_Fifield
 

GLeeM

Elite Member
Apr 2, 2004
7,199
128
106
Hi TallCoolOne
Hopefully someone who knows for sure will eventually respond.
I would guess that reboot.exe and the bank account problem are not related.
I did a search and the reboot.exe trojan has been around for a while.

I wonder if the data that F@H was trying to send just happened to, against all odds, include the same numbers as your bank account?!

bump
 

Hyperfocal

Senior member
Oct 8, 2003
801
0
0
It seems very unlikely that there is a major security flaw in F@H.

You might want to post your questions and concerns on the Folding Community Forums.

The people from Stanford including Vijay Pande read and post to that forum.
 

TAandy

Diamond Member
Oct 24, 2002
3,218
0
0
I had that a long time ago with Norton Personal Firewall. It seemed to be just a coincidence of numbers that were being sent back. As to REBOOT.EXE, that's a new one!!
 

Rattledagger

Elite Member
Feb 5, 2001
2,989
18
81
It's a long time since I tried folding@home, but from my very old install it looks like either the result or WU can contain info like this:
1 CH3 -26.230531 -26.594386 39.692270 7 2

Finding some part of your bank-account or your date of birth or something as part of a result should therefore not be unexpected.

Of course, since you've very likely had a virus, it can be this that screws things up, but to make sure in folding@home, take a look at http://vspx27.stanford.edu/psummary.html
Since 171.64.122.143 is one of the folding-servers, there shouldn't be any security-risk to return a result back here after you've crunched it.
 

GLeeM

Elite Member
Apr 2, 2004
7,199
128
106
I found this at http://forum.misec.net/board/Trojans/1072222157

Re: Trojan Infected Reboot.exe
« Reply #13 on: Jan 3rd, 2004, 11:02am

--------------------------------------------------------------------------------
Greetings to everyone! A couple days ago Norton found a trojan on my system and quarantined Reboot.exe, which was in the startup folder. Then I updated the AV sigs and it still could not repair so I had Norton delete it. It was only then that I thought to Google it and I found this forum and registered to post my $0.02.
I am currently scanning my system for anything named reboot and so far all it's found is reboot.lgc in C:\windows\applog. I will be glad to post any new info I find out about it.
Thanks to each and all for the great tips and info about this little trojan dilemma.

Edit:
If reboot.exe does like it says, it was not in the startup folder the last time you restarted your computer. Otherwise it would just keep rebooting! (Hold down shift key when windows starts to not start progs in startup folder) Have you restarted your computer since starting F@H?
 

BlackMountainCow

Diamond Member
May 28, 2003
5,759
0
0
Sounds pretty bad what u wrote but somehow I just don't think that this is really built into F@H. I guess it was a bad coincidence with that reboot.exe trojan and just bad luck that there occurred numbers that were the same as your bank account ones. Cause if that really was the case, you could get Stanford into really big trouble by making that public ... and I guess that an institution like Stanford just cannot afford such thing to happen! So they just don't do it! (I hope! ;))
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: BlackMountainCow
Sounds pretty bad what u wrote but somehow I just don't think that this is really built into F@H. I guess it was a bad coincidence with that reboot.exe trojan and just bad luck that there occurred numbers that were the same as your bank account ones. Cause if that really was the case, you could get Stanford into really big trouble by making that public ... and I guess that an institution like Stanford just cannot afford such thing to happen! So they just don't do it! (I hope! ;))

Personally I'd stop doing DC all together if something like that happened... I'd be more willing to bet on amazing coincidences at the moment though. You'd think someone else would have seen this already... :p
 

Kaylya

Member
Mar 20, 2004
47
0
0
Reminds me of the time when the girl next to me in a high school programming class had a random number generator that wasn't working properly and kept spitting out the exact sequence of numbers that was my password for the school's network.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Kaylya
Reminds me of the time when the girl next to me in a high school programming class had a random number generator that wasn't working properly and kept spitting out the exact sequence of numbers that was my password for the school's network.

Now *THAT* is funny! :D
 

TallCoolOne

Junior Member
Apr 3, 2004
11
0
0
Hey guys, thanks for all the comments. It may be right about the WU unit just happening to contain numbers from my bank account, after all it was only 6 digits of it, not the whole thing. I think I'll follow n0cmonkey's advice and stop distributed computing for now, and delete the current work unit. I'll restart later after I finish building my new Athlon 64 system. Then I'll try f@h under 64-bit Linux!
 

LANMAN

Platinum Member
Oct 10, 1999
2,897
128
106
Originally posted by: TallCoolOne
Hey guys, thanks for all the comments. It may be right about the WU unit just happening to contain numbers from my bank account, after all it was only 6 digits of it, not the whole thing. I think I'll follow n0cmonkey's advice and stop distributed computing for now, and delete the current work unit. I'll restart later after I finish building my new Athlon 64 system. Then I'll try f@h under 64-bit Linux!

Definitely post your results on that 64-bit Linux system. :)

--LANMAN
 

r0tt3n1

Golden Member
Oct 16, 2001
1,086
0
0
It is very, very unlikely that the F@H client installed that reboot.exe thing. I have never heard of such a thing, and have scoured the official forums and found nothing of the sort.
Seems that the F@H client was trying to return a queued work unit. Every time the F@H client is started, it tries to send queued work units, if any, and it also tries to send queued units periodically as the client is running. There have been several outages this past week at Stanford, many of us have had queued units that were returned at a later time as a new unit was crunching.
The size of the unit being returned is likely a 6 digit number in KB. Some Gromacs are over 1 meg, making them a 7 digit number in KB, but it seems likely that the number was the size of the file (work unit) and happened to be part of your bank account number.
If you can, please contact a site admin at the official forums. They can lay to rest any worries you may have.
Sorry to hear of your troubles, hope you will fold for TA again soon!
 

GLeeM

Elite Member
Apr 2, 2004
7,199
128
106
Great support TeAm AnandTech!! What a TeAm!!

TallCoolOne do you have a firewall running all the time? I wonder where the hole in your security is? You should check your allowed programs in your firewall, otherwise you may get that trojan again.

Like r0tt3n1 said: "Sorry to hear of your troubles, hope you will fold for TA again soon!"

Good Luck
 

TallCoolOne

Junior Member
Apr 3, 2004
11
0
0
Well, I think my security is very good. I've never before had a major problem with a virus, I'm just that careful. I run Norton Internet Security which includes a software firewall, a Linksys router with hardware firewall, and I'm selective regarding the software I install on my system and allow to access the internet. Norton even blocks ActiveX controls for me, and incidentally, I use Netscape rather than IE because of all of the security exploits that I've seen reported about that browser. So, with all of these measures I've taken it came as a surprise to me to see something transmitting my bank account info! Norton did report the IP as that Stanford one, so perhaps it was mistaking WU data for something it wasn't.
 

Rattledagger

Elite Member
Feb 5, 2001
2,989
18
81
Well, if you run seti@home they're reporting your time as second.123456, where the last 2 digits seem to be 25, 50, 75 or 00, so if you happen to have a bank account containing either of these the probability to also get the 4 previous is very high...
Also, AFAIK the WU name in seti@home has a random 5 or 6-digit part, so the probability that someone participating in seti@home catches part of their bank account should be 99% or more. :) My guess is it's the same for folding@home. ;)
 

mikecel79

Platinum Member
Jan 15, 2002
2,858
1
81
Originally posted by: TallCoolOne
Well, I think my security is very good. I've never before had a major problem with a virus, I'm just that careful. I run Norton Internet Security which includes a software firewall, a Linksys router with hardware firewall, and I'm selective regarding the software I install on my system and allow to access the internet. Norton even blocks ActiveX controls for me, and incidentally, I use Netscape rather than IE because of all of the security exploits that I've seen reported about that browser. So, with all of these measures I've taken it came as a surprise to me to see something transmitting my bank account info! Norton did report the IP as that Stanford one, so perhaps it was mistaking WU data for something it wasn't.

I have to ask. How does Norton know what your Bank Account number is? Did you enter in this information? Or did Norton come up and say that this is transmitting data that is the same as your bank account or just report that this number appears to look like A bank account number? If Norton were storing my bank account info I'd be more scared of that.
 

CXGJarrod

Member
Jan 27, 2004
139
0
0
Ok. Some things to consider.

Yes, that IP address does belong to the Stanford network, but there are some other things to consider.

According to:
http://ws.arin.net/cgi-bin/whois.pl?queryinput=171.64.122.143

They own the net range 171.64.0.0 - 171.67.255.255. That is a hell of a lot of IP addresses (over 65,000). (Or more - it's been a while since networking classes) This IP address might not even have anything to do with Folding @ home. Stanford might have a rooted computer or server that is sending and receiving this info via the reboot.exe file. You might try the security contact at security@stanford.edu if you feel that this might be more than a WU that has the last 6 digits of your bank account. They might have a hacked machine on their network and wouldn't you want to know if a machine was sending/receiving bank info? Has this reboot.exe tried to contact the net again?
 

Rattledagger

Elite Member
Feb 5, 2001
2,989
18
81
From seti@home, 13. September 2001
Spurious error messages from Norton Personal Firewall
We have received problem reports from SETI@home users running Norton Personal Firewall (NPF). NPF checks outgoing HTTP requests for character strings, such as parts of your credit card numbers.

SETI@home uses HTTP to download work units and upload results. Each result consists of about 5,000 characters, mostly numbers. Any short sequence of digits occurs occasionally in result files.

If you have configured NPF to check for several 4-digit sequences, there is significant chance that at least one of these sequences will randomly occur in a result file. NPF will then tell you that SETI@home is uploading one of your credit card numbers. This is not the case.
We recommend that SETI@home users configure NPF to check for longer digit sequences (8-12 digits). This will greatly reduce the incidence of spurious error messages.


CXGJarrod, since this is folding@home, to make sure there's nothing wrong going on he can just look on the list of projects/ip-addresses. If the wu he has crunched is one of the wu given out from the machine using this ip-address there shouldn't be any problem. ;)


(fixing links)
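Putting numbers on the coincidence argument in Rattledagger's two posts above (the seti@home digit-sequence post and the quoted NPF advisory), as an added example that is not from this thread, from the SETI@home advisory, or from Stanford: it models the chance that a watched digit string such as the last 6 digits of an account number turns up by accident in a result upload, and simulates a byte-level content filter over constructed upload bodies. It assumes the advisory's figure of about 5,000 mostly numeric characters per result; the upload bodies, the "secrets" and the field layout are constructed here, not taken from a real client.

```python
import random

RESULT_DIGITS = 5000  # SETI@home advisory: a result is ~5,000 characters, mostly digits
DIGITS = "0123456789"


def p_sequence_in_random_digits(seq_len, n_digits=RESULT_DIGITS, n_sequences=1):
    """Probability that at least one of n_sequences fixed digit strings of length
    seq_len occurs in a uniformly random digit string of length n_digits.
    Each window matches with probability 10**-seq_len; treating windows as
    independent is the usual approximation and accurate at these sizes."""
    windows = max(n_digits - seq_len + 1, 0)
    p_one_absent = (1.0 - 10.0 ** (-seq_len)) ** windows
    return 1.0 - p_one_absent ** n_sequences


def make_upload_body(n_digits, rng):
    """Constructed stand-in for a result upload: whitespace-separated signed
    decimals like the coordinate line quoted earlier in the thread."""
    fields, budget = [], n_digits
    while budget > 0:
        width = min(rng.randint(4, 9), budget)
        digits = "".join(rng.choice(DIGITS) for _ in range(width))
        fields.append(("-" if rng.random() < 0.5 else "") + digits[:2] + "." + digits[2:])
        budget -= width
    return " ".join(fields)


def flagged_secrets(body, secrets):
    """What a content filter like NPF does: report every watched string that
    appears verbatim anywhere in the outgoing request body."""
    return [s for s in secrets if s in body]


def simulate_false_positive_rate(seq_len, trials, n_secrets=1, seed=1):
    """Fraction of constructed uploads flagged when the filter watches n_secrets
    random seq_len-digit strings (e.g. account-number fragments). Field separators
    are kept, so this lands a little below the pure-digit-stream formula above."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        secrets = ["".join(rng.choice(DIGITS) for _ in range(seq_len)) for _ in range(n_secrets)]
        hits += bool(flagged_secrets(make_upload_body(RESULT_DIGITS, rng), secrets))
    return hits / trials


if __name__ == "__main__":
    for k in (4, 6, 8, 12):  # short watch strings vs. the advised 8-12 digits
        print(f"{k:2d}-digit watch string: model {p_sequence_in_random_digits(k):.2e}  "
              f"simulated {simulate_false_positive_rate(k, 300):.3f}")
    print(f"four 4-digit strings: model {p_sequence_in_random_digits(4, n_sequences=4):.2f}")
```

With one 4-digit string the model gives roughly a 39% chance per upload, and four such strings push it above 85%, while 8 and 12 digits drop it to the 1e-5 and 1e-9 range, which is exactly why the advisory recommends longer watch strings.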