Probably bad news on the PHF!!!


Scraper

Member
Jun 13, 2000
50
0
0
I've got an e-mail address that gets its blocks from the Phantom Flusher. He is the only one flushing to that address. My own address is not known to him.

D.Net can use this one to check hostnames; it's all from him.
 

lordugh

Member
Oct 10, 1999
76
0
0
I suspect this trojan RC5 situation is going to get worse before it gets better. I mean in volume of blocks: I believe the blocks are legit (as in real RC5 blocks) and they will increase in number. Any thoughts on blocks per day when D.Net solves the PhF problem? I bet 2.5M+. Probably someone put it onto a major FTP inside an app.

This sucks.

I guess it's *good* that we aren't the only affected team.
 

The Magicman

Senior member
Oct 17, 1999
527
0
0
About that isolatable IPs thingie.
I stopped flushing blocks in mid-May and I'm receiving some blocks from PhF, so all connections that have taken place since mid-May are from PhF's systems.
 

bphantom

Senior member
Oct 9, 1999
647
17
81
BoberFett, exactly. In a varied sort of way you proved my point. I stated my point as if a large number of random machines had been trojanized and disregarded the possibility that a large corporate network could be doing this (I still hope for this!). After all, Jmman got a nasty email from an @Home user. I know the trojan effect (continuing to increase its rate) doesn't seem right when we all have leveled off, but this is the second instance of someone having a client installed with a TA member's email address listed.

What if D.Net has already realized this could very well be a trojan? (Russ, this would not be good if D.Net had to eat their words and restate that it is a trojan.) OK, what do you do now? Hmm, problem! As I said in my previous post, Nugget's stats are still being trojanized. Sure, D.Net can say "Hey, we show a large amount of blocks coming from 204.209.128.157 (Mika's), and a variety of IPs." I know if they said that to me, I would know everything other than Mika's would be suspicious. D.Net still can't remove the trojan client from the infected machine, which means they will continue to crack until they are noticed or the user reformats the machine. Being able to gather the IPs and hostnames of the infected machines is still all that can be done. Hmmmm... Now there is the possible idea of sending the IP and date stamp to an ISP and requesting they forward a URL to the user because they have been trojaned (LOTSA WORK!).

It's possible D.Net could add a feature to the client which, if a flag is sent from D.Net's pproxies, makes the client kill itself... Sure, that could work, but if I was the PhF I would just grab an older version. I know I personally would not run a client with this feature (too much control given).

I'm personally tired of all the PhF postings. PhF is here. D.Net has commented it is not a trojan, which makes my personal stats liability disappear...

BTW... Blocks retaining each IP is a very interesting idea, but it still doesn't tell D.Net the contact info of the user behind that machine. A trail, yes; not much more than that.

Brad..
 

bphantom

Senior member
Oct 9, 1999
647
17
81
I need to stop making big replies. I'm condensing what I said in my two posts to: whether or not it is a trojan, D.Net still does not have the ability to remove the client from the infected machines. They would require an email address of the owner of the infected machine, and be in contact with the owner of the email address that was used (to find out possible IPs the legit owner's machines go through). This is simply way too much work involved, and if I was one of the volunteer staff I would be going "Sh*t, how do we clean up this mess WITHOUT killing off the legitimate, but infected, user profiles."

Brad..

 

BoberFett

Lifer
Oct 9, 1999
37,563
9
81
Brad

D.net can't remove the trojan, and it can't be immediately traced to the source, but there may be a common thread between machines that have been infected that can lead to that source. That's the important part: to stop the spread.

It's not that things like this are just an annoyance; they seriously jeopardize the future of distributed computing. In the minds of the public it could appear that it's nothing more than a virus. If D.net is going to take distributed computing forward, they need to pay more attention to these issues rather than blowing them off as they seem to have done in this case.
 

Xede

Senior member
Oct 15, 1999
420
0
0
In regards to the original discussion of the PhF, DNET said they were confident it was not a trojan, right? As I understood it, there were two pieces of information from which they could have drawn this conclusion:

1) The amount of blocks submitted from the PhF did not increase exponentially and out of control; rather, it ramped up smoothly to ~25K for each beneficiary and flattened out. This *could* be accomplished with some kind of smart trojan, or one that reports back to a central location for instructions or human guidance, but it does not look like a regular trojan, which just spreads itself indiscriminately.

2) I assume that DNET looked at the IPs for the big ~25k block recipients, and saw that the blocks were coming from a single coherent cluster of IPs (such as from a large corporation/organization), rather than the huge number of random IPs they would have found if the PhF was using a trojan on thousands of individual computers. They never did release any actual information about the IPs used for the various victims of the PhF, so I don't know whether this is true.

It seems to me like any recent activity is from a new PhF imitator (possibly using a trojan) rather than the original PhF. It will be interesting to see whether BKehoe http://stats.distributed.net/rc5-64/psummary.php3?id=238280, who turned in almost 31K blocks yesterday, will turn in even more blocks today, or level out. Perhaps DNet could take a look at his IP addresses along with those from a few of the earlier PhF recipients.
 

Lord Demios

Senior member
Oct 11, 1999
850
0
0
Well, one somewhat quick solution is to get an email off to the ISPs that have KNOWN IPs not in a user's group (like some random IP instead of the 4 or 5 subnets I use). Then you send an email to the ISP asking that they post on their news servers, and maybe send an email, explaining that users should do a search for dnetc.exe on their machine. If found, contact D.Net for a way to remove it.

You could check the time/date stamp, ask the user what they were doing when it happened, and so on. Not very useful, but it might get some info. This mess is going to be a lot of work no matter how we look at it.

LD
 
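Xede's two tests (does a beneficiary's daily total keep growing, and do the blocks come from one coherent cluster of addresses or from scattered hosts) and Lord Demios's idea of flagging source IPs that fall outside the subnets a member actually uses can be run mechanically over the per-e-mail submission records. The script below is an added example written for this thread, not distributed.net code: it assumes a constructed log of (day, beneficiary e-mail, source IP, blocks) records and a hypothetical per-member list of declared subnets, and sorts each beneficiary into "clean", "single-site" (one netblock outside the declared range, flat output), "trojan-like" (growing output from many unrelated /24s) or "investigate".

```python
"""Triage of per-e-mail block submissions (added example, not distributed.net code).

Assumptions: a log of (day, email, source_ip, blocks) tuples and a dict of the
subnets each member has declared as their own.  Both are constructed here.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: (day, beneficiary e-mail, source IP, blocks reported).
SAMPLE_LOG = [
    # mika: only his own machine, steady rate
    (1, "mika@example.org", "204.209.128.157", 1200),
    (2, "mika@example.org", "204.209.128.157", 1180),
    (3, "mika@example.org", "204.209.128.157", 1210),
    # raysun: own box, plus a growing swarm of unrelated cable-modem hosts
    (1, "raysun@example.org", "192.0.2.10", 500),
    (2, "raysun@example.org", "192.0.2.10", 500),
    (3, "raysun@example.org", "192.0.2.10", 500),
    (1, "raysun@example.org", "24.3.17.42", 4000),
    (1, "raysun@example.org", "24.18.200.9", 4000),
    (2, "raysun@example.org", "24.3.17.42", 4000),
    (2, "raysun@example.org", "24.18.200.9", 4000),
    (2, "raysun@example.org", "24.65.4.77", 4000),
    (2, "raysun@example.org", "24.130.8.11", 4000),
    (3, "raysun@example.org", "24.3.17.42", 4000),
    (3, "raysun@example.org", "24.18.200.9", 4000),
    (3, "raysun@example.org", "24.65.4.77", 4000),
    (3, "raysun@example.org", "24.130.8.11", 4000),
    (3, "raysun@example.org", "24.7.99.3", 4000),
    (3, "raysun@example.org", "24.221.5.60", 4000),
    (3, "raysun@example.org", "24.91.14.2", 4000),
    # corp: two hosts in one netblock outside the declared range, flat output
    (1, "corp@example.org", "198.51.100.21", 12500),
    (1, "corp@example.org", "198.51.100.22", 12500),
    (2, "corp@example.org", "198.51.100.21", 12500),
    (2, "corp@example.org", "198.51.100.22", 12500),
    (3, "corp@example.org", "198.51.100.21", 12500),
    (3, "corp@example.org", "198.51.100.22", 12500),
]

# Hypothetical "subnets I use" list per member (Lord Demios's 4 or 5 subnets).
DECLARED_SUBNETS = {
    "mika@example.org": ["204.209.128.0/24"],
    "raysun@example.org": ["192.0.2.0/24"],
    "corp@example.org": ["10.20.0.0/16"],
}


def foreign_blocks(log, declared):
    """Split each member's blocks into declared-subnet vs. foreign, keeping the foreign IPs."""
    nets = {e: [ipaddress.ip_network(n) for n in subs] for e, subs in declared.items()}
    out = defaultdict(lambda: {"declared": 0, "foreign": 0, "foreign_ips": set()})
    for _day, email, ip, blocks in log:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets.get(email, [])):
            out[email]["declared"] += blocks
        else:
            out[email]["foreign"] += blocks
            out[email]["foreign_ips"].add(ip)
    return dict(out)


def daily_totals(log):
    """Per member, the block total for each day in day order."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, email, _ip, blocks in log:
        per_day[email][day] += blocks
    return {e: [d[k] for k in sorted(d)] for e, d in per_day.items()}


def growth_class(totals, tol=0.10):
    """'growing', 'plateau' or 'falling' from the last two days (tol = relative band)."""
    if len(totals) < 2:
        return "insufficient"
    prev, last = totals[-2], totals[-1]
    if prev == 0:
        return "growing" if last > 0 else "plateau"
    ratio = last / prev
    if ratio > 1 + tol:
        return "growing"
    if ratio < 1 - tol:
        return "falling"
    return "plateau"


def ip_dispersion(ips):
    """Distinct IPs, distinct /24s, and whether the set looks like one site or many."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    n_ips, n_nets = len(set(ips)), len(nets)
    if n_ips == 0:
        return n_ips, n_nets, "none"
    # One /24 per four hosts or fewer: treat as a single coherent site.
    if n_nets <= max(1, n_ips // 4):
        return n_ips, n_nets, "clustered"
    return n_ips, n_nets, "dispersed"


def triage(log, declared):
    """Combine the three signals into a per-member verdict."""
    fb, dt = foreign_blocks(log, declared), daily_totals(log)
    report = {}
    for email, totals in dt.items():
        f = fb[email]
        n_ips, n_nets, dispersion = ip_dispersion(f["foreign_ips"])
        trend = growth_class(totals)
        if f["foreign"] == 0:
            verdict = "clean"
        elif trend == "growing" and dispersion == "dispersed":
            verdict = "trojan-like"
        elif dispersion == "clustered":
            verdict = "single-site"
        else:
            verdict = "investigate"
        report[email] = {"declared": f["declared"], "foreign": f["foreign"],
                         "foreign_ips": n_ips, "foreign_nets": n_nets,
                         "dispersion": dispersion, "daily": totals,
                         "trend": trend, "verdict": verdict}
    return report


if __name__ == "__main__":
    for email, r in triage(SAMPLE_LOG, DECLARED_SUBNETS).items():
        print(f"{email:22} {r['verdict']:12} trend={r['trend']:8} "
              f"foreign={r['foreign']:6} from {r['foreign_ips']} IPs in {r['foreign_nets']} /24s")
```

The thresholds (10% growth band, four hosts per /24) are guesses chosen for the constructed data; the point is that the two signals separate the cases the thread argues about: a flat total from one netblock is the "large corporate network" case and deserves a polite email to that netblock's owner, while a total that keeps climbing from ever more unrelated /24s is the pattern a self-spreading client would produce.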

Moose

Member
Apr 8, 2000
180
0
0
We have continued to investigate this over time. At first glance this problem did not look like a trojan, but over time we have grown more and more concerned about this. We continue to do all we can to try and find the source, but there simply has not been any one piece of evidence that says "ah, that's what has caused this." We have talked to people who have had the client installed on their computer. They give no indication of any one item that could lead to the install of the client.

We have checked and checked IPs, looked for open shares. We see no pattern in this.

In no way do we hold the emails of persons affected by this as responsible for the installation of these clients.

We will continue to monitor the situation and try to find an answer but currently we have none.

Please understand we will tell you if we find an answer.

Hope that helps you understand the situation.

Thanks
moose

PS
The virus detection is an outdated .dat file. Update your .dat file for McAfee; we have corrected them several times in the past.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0


<< The amount of blocks submitted from the PhF did not increase exponentially and out of control--rather, it ramped up smoothly to ~25K for each beneficiary and flattened out >>



True for each recipient, but overall block production is continuing to grow at an alarming rate; particularly in light of the fact that members of other teams are reporting the same phenomenon. This still strongly indicates some type of trojan.

Russ, NCNE
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Thanks for the reply Moose! It's great to hear that you guys know what's up and are trying to do something about it. If you need any help from us, just drop us a line, and we'll do what we can.
 

bphantom

Senior member
Oct 9, 1999
647
17
81
Thanks Moose! I continue to have faith in you guys, even if annoying problems like this occur.

Brad..
 

GizmoNL

Member
May 31, 2000
28
0
0
Isn't it possible to remove the whole show-by-host idea and instead send the ID of the Windows logged-on user? This info is easily extracted from the Windows registry, and the people participating in this race probably have no objection to this. If the flusher can see all these users flushing for him/her, he/she can make contact with the user that's not a member of his/her personal team and help the victim to remove the client. This will also make stats more exciting, since subteams get a competition of their own.
 

Russ

Lifer
Oct 9, 1999
21,093
3
0
GizmoNL,

The problem with that idea is that there are a whole lot of jittery IS guys with corporate herds that would have palsy fits if they knew the client was digging that deep.

Russ, NCNE
 

KingHam

Platinum Member
Oct 10, 1999
2,670
0
0
I doubt that this is a trojan. It sounds more like this PhF fellow just compromised a few hundred machines on the @Home network. It wouldn't be that difficult, since most people using @Home don't even know that their system is completely insecure. All it would take is a lot of time, and that's what most of these script kiddies have the most of.

KingHam
 

JHutch

Golden Member
Oct 11, 1999
1,040
0
0
Thanks for the heads up, Moose! I know you guys are doing what you can. (And my competitive nature breathes a sigh of relief that my account is not in jeopardy!)

Anyway, if you guys want any help tracking down leads, matching IP numbers, let us know. We all have a very vested interest in keeping DNet from getting a black eye from the PhF!

JHutch
 

JonB

Platinum Member
Oct 10, 1999
2,126
13
81
www.granburychristmaslights.com
How about a compliment to DNet and their client!

If this is a trojan problem (and it does look that way, doesn't it?) that is running on hundreds and hundreds of unsuspecting computers, isn't it just absolutely amazing that only TWO people have been concerned enough after detecting the client to contact someone? The e-mail address is right there in the INI file, not hidden in any way.

It obviously lives up to the claim of running quietly in the background, doesn't it? Hardly a PR bonanza, but nice to know.
 

ItsmeDPC

Member
May 11, 2000
42
0
0
Crazy stuff happening around here; I'm kinda worried. I have received a number of WUs, and well, I do not want to be banned, so I'll keep track of this thread.
 

DJ_D

Member
Oct 11, 1999
193
0
0
A possible explanation of the leveling out of trojan blocks could be that somebody is distributing a trojan program, but after so many are distributed with a certain e-mail address, the person changes the trojan to infect another e-mail address or takes the trojan program offline.

Future contests, or perhaps clients, should not allow somebody to crack under another person's e-mail address. A simple password would go a long way. Not being able to use other people's e-mail addresses would limit trojans because they couldn't hide so well.
 
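DJ_D's "simple password" amounts to binding each block report to a secret that only the account holder's client knows. The following is an added example, not distributed.net protocol code: it assumes a hypothetical per-account secret handed out when the e-mail address is registered, uses it as an HMAC key over the report, and has the stats side reject reports whose tag does not verify or that replay an already-accepted report id. A client that knows only the e-mail address, as the PhF's installs do, cannot credit blocks to it.

```python
"""Keyed block reports (added example of the per-account-password idea; not D.Net code).

Assumptions: each registered e-mail has a secret (constructed below); the client
MACs every report with it; the server keeps the secrets and a set of seen ids.
"""
import hashlib
import hmac
import json

# Constructed server-side registry: e-mail -> per-account secret.
ACCOUNTS = {
    "victim@example.org": "6f1d2a9c4b7e3f0a5d8c1b2e9f4a7c3d",
    "mika@example.org": "0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d",
}


def canonical(report):
    """Stable byte encoding so client and server MAC exactly the same thing."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def sign_report(secret, email, block_range, count, report_id):
    """Client side: build a report and tag it with HMAC-SHA256 under the account secret."""
    report = {"email": email, "blocks": block_range, "count": count, "id": report_id}
    body = canonical(report)
    tag = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return body, tag


def verify_report(accounts, body, tag, seen):
    """Server side: accept only if the tag verifies under the claimed account's
    secret and the (email, id) pair has not been accepted before.  `seen` is
    mutated on acceptance so a replayed report is rejected the second time."""
    try:
        report = json.loads(body)
        email, report_id = report["email"], report["id"]
    except (ValueError, KeyError, TypeError):
        return False
    secret = accounts.get(email)
    if secret is None:
        return False  # unknown beneficiary: nothing to verify against
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # wrong or missing secret, or body altered in transit
    if (email, report_id) in seen:
        return False  # replay of a report that already scored
    seen.add((email, report_id))
    return True


def demo():
    """Legit client scores once; a trojan knowing only the address, a tampered
    count, and a replayed report are all rejected."""
    seen = set()
    good = sign_report(ACCOUNTS["victim@example.org"], "victim@example.org",
                       "rc5-64:0x000A1200-0x000A12FF", 256, "r1")
    trojan = sign_report("guess", "victim@example.org",
                         "rc5-64:0x000B0000-0x000B00FF", 256, "r2")
    tampered_body = good[0].replace(b'"count":256', b'"count":25600')
    return {
        "legit": verify_report(ACCOUNTS, good[0], good[1], seen),
        "trojan": verify_report(ACCOUNTS, trojan[0], trojan[1], seen),
        "tampered": verify_report(ACCOUNTS, tampered_body, good[1], seen),
        "replay": verify_report(ACCOUNTS, good[0], good[1], seen),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:8} -> {'accepted' if accepted else 'rejected'}")
```

The caveat a practitioner would add, and the one Russ's reply to GizmoNL hints at: the secret has to live in the client's configuration next to the e-mail address, so it stops a client that was installed with a copied address but not one cloned wholesale from a member's own machine, and it gives the server nothing it did not already have to identify the person behind a rogue install.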

RaySun2Be

Lifer
Oct 10, 1999
16,565
6
71
Dag Nabbit, I was afraid of this!

KingHam, it would have to be more than a few hundred @Home users, unless you were talking per person. I'm getting ~29K blocks a day from the PhF myself.

I wonder if I'll have hate mail when I get back home.


I may create a new email and switch to OGR just so I don't have to deal with MR. PhF.
 

Orange Kid

Elite Member
Oct 9, 1999
4,355
2,154
146
I wonder how PhF set the priority, OGR or RC5?
This could be the ultimate tracking device?
 