Counter Spy detected spyware in Boinc


yoner
Joined: 17 Sep 05
Posts: 10
Credit: 2,581,874
RAC: 0
Message 11969 - Posted: 13 Mar 2006, 6:01:29 UTC

Last night when CounterSpy ran, it detected spyware in the Boinc directory.

C:\Program Files\BOINC\zlib1.dll
is infected with Partypoker Misc.

more info:

Threat: PartyPoker


Alias:

Threat type: Misc - Anything (other than a document) not in another category, perhaps because it falls into multiple categories, such as a tool suite.

Advice: Keep

Threat risk: Low Risk
Low risk threats should not harm your machine or compromise your privacy and security unless they have been installed without your knowledge and consent. A low risk threat may be a program, network tool, or system utility that you knowingly and deliberately installed and that you wish to keep. Although some low risk programs may track online habits -- as provided for in a privacy policy or End User License Agreement (EULA) -- or display advertising within the applications themselves, these programs have only vague, minimal or negligible effects on your privacy. Low risk threats may also be cookies, which can be used to track your online activities, though without identifying you personally.

Description:

Author: NULL

Author URL:

Author description:

File Signatures:
process: partypokersetup.exe: MD5 Hash: d4fa65957c5d69b2c41...
process: partygaming.exe: MD5 Hash: 6719f55809d22f886f1...
process: runapp.exe: MD5 Hash: c3ed9f87d8753783a0e...


....

Is it possible that the hash on this file happened to be the same, or is something very strange going on with Scientific Research???


Dimitris Hatzopoulos
Joined: 5 Jan 06
Posts: 336
Credit: 80,939
RAC: 0
Message 11974 - Posted: 13 Mar 2006, 6:58:35 UTC

Hmmm, I'm pretty sure it's a "false positive", one can't tell unless we know how CounterSpy works.

BOINC is open-source software which anyone can inspect and/or compile for himself and I think it's safe to say that BOINC has no affiliation with Partypoker.
Best UFO Resources
Wikipedia R@h
How-To: Join Distributed Computing projects that benefit humanity
KSMarksPsych
Joined: 15 Oct 05
Posts: 199
Credit: 22,337
RAC: 0
Message 11981 - Posted: 13 Mar 2006, 15:11:55 UTC
Last modified: 13 Mar 2006, 15:12:34 UTC

FWIW, the same thing was reported on Einstein...

This thread.

Unless you are the same person with two different screen names, then it's not the same thing... :)

Kathryn

[edit]added a very important word to clarify[/edit]
Kathryn :o)
The BOINC FAQ Service
The Unofficial BOINC Wiki
The Trac System
More BOINC information than you can shake a stick of RAM at.
Keith E. Laidig
Volunteer moderator
Project developer
Joined: 1 Jul 05
Posts: 154
Credit: 117,189,961
RAC: 0
Message 11988 - Posted: 13 Mar 2006, 18:36:37 UTC
Last modified: 13 Mar 2006, 18:38:19 UTC

Folks,

zlib1.dll is the dynamic library for file compression used by R@H on the Windows platform. It is supposed to be there.

I don't know if E@H uses the Zlib compression algorithm (or if PartyPoker.net does, for that matter).

Bob Guy
Joined: 7 Oct 05
Posts: 39
Credit: 24,895
RAC: 0
Message 12120 - Posted: 17 Mar 2006, 1:52:22 UTC

Looking around in other Boinc threads led me to this explanation of the problem and a possible solution.

It is possible (they say) that any of the graphics displayed on the forum pages can be made to contain a process whereby certain malware can be put into your computer without your knowledge or permission. These graphics include any pictures in the text area and the signatures and avatars. This apparently has to do with vulnerabilities in the code used to create and display the forums.

The solution is to go to your forum preferences (from Boinc manager or from the front page of the project) and turn off the display of forum (text area) graphics and avatars and signatures. I really don't know if the graphics can do this but I've turned mine off just to be safe.

Regarding the zlib1.dll:
I believe that if you delete the zlib1 a Boinc project that requires it will download a new one. Or, you can get a new (clean) one directly from Microsoft or from the zlib project here - look for 'zlib compiled DLL, version 1.2.3' download somewhere near the middle of the page. You can get a new zlib1.dll and copy it to your Boinc folder. The file from zlib.net is the exact same file but has a different date than the one from Boinc.
The Pirate
Joined: 22 Sep 05
Posts: 20
Credit: 7,090,933
RAC: 0
Message 12298 - Posted: 19 Mar 2006, 22:08:33 UTC

Get Webroot's SpySweeper. It's the best one out there.

Fuzzy Hollynoodles
Joined: 7 Oct 05
Posts: 234
Credit: 15,020
RAC: 0
Message 12443 - Posted: 21 Mar 2006, 16:51:37 UTC
Last modified: 21 Mar 2006, 16:55:21 UTC

Yes, and this was discussed over at Seti also http://setiathome.berkeley.edu/forum_thread.php?id=29085

Rom Walton, who actually is the very person who's developing BOINC, answered there in the second post in the thread that this is a part of BOINC and he has built the zlib1.dll himself.

But read the whole thread yourselves.

Geeeze!


"I'm trying to maintain a shred of dignity in this world." - Me

Aurora Borealis
Joined: 7 Oct 05
Posts: 15
Credit: 352,300
RAC: 0
Message 12445 - Posted: 21 Mar 2006, 17:34:10 UTC - in response to Message 12120.  



Regarding the zlib1.dll:
I believe that if you delete the zlib1 a Boinc project that requires it will download a new one. Or, you can get a new (clean) one directly from Microsoft or from the zlib project here - look for 'zlib compiled DLL, version 1.2.3' download somewhere near the middle of the page. You can get a new zlib1.dll and copy it to your Boinc folder. The file from zlib.net is the exact same file but has a different date than the one from Boinc.

I would not suggest this, since the Boinc programmers have compiled their own zlib1.dll for a reason and the Microsoft version may cause some incompatibility.

I personally have three programs on my computer using this DLL; each is a different size, indicating that they have been changed slightly to fit the program's requirements.

My system is not infected with anything, and probably neither is yours. It is quite common for these 'Protection' programs to have false positives.
Example: for more than a year Ad-Aware insisted that Spybot S&D was spyware.

Questions? Answers are in the BOINC Wiki.

Boinc V6.12.41
Win 7 i5 GPU Nvidia 470
Bob Guy
Joined: 7 Oct 05
Posts: 39
Credit: 24,895
RAC: 0
Message 12559 - Posted: 23 Mar 2006, 8:36:49 UTC - in response to Message 12445.  

I would not suggest this, since the Boinc programmers have compiled their own zlib1.dll for a reason and the Microsoft version may cause some incompatibility.



If you do a binary file compare (fc /b at a command prompt) with the Boinc file and the one from zlib.net you will find that they are identical.

The reason I've suggested this is that if you suspect that your file might be compromised then this method might help to remove your suspicions or prove that your copy of zlib1 is legitimate.

I would hope that all files that call themselves 'zlib1.dll' are functionally the same even if the compiled code might be slightly different. According to the license all compiled versions MUST be functionally identical or MUST have a different name.

As to a different Microsoft version: you may be correct - I stopped trusting Microsoft code a long time ago.
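The check Bob Guy describes above (a byte-for-byte compare of the BOINC copy of zlib1.dll against the copy from zlib.net, `fc /b` on Windows), written out as an added example that is not part of this thread or of BOINC. It compares content only: the thread notes that the two copies carry different dates, and that other programs ship zlib1.dll builds of different sizes, so neither timestamp nor size is used for the decision. The `demo()` function builds three constructed stand-in files (identical content with a different timestamp, and one copy with a single byte changed); the "known-good" digest is computed from the constructed reference and is a placeholder for a digest you would obtain from the upstream zlib distribution yourself. File names and the fake DLL bytes are assumptions for the example, not real artifacts.

```python
"""Verify a DLL by its bytes, not by timestamp, size or a scanner verdict (added example)."""
import hashlib
import os
import tempfile
from typing import Optional

CHUNK = 1 << 20  # 1 MiB read size; fine for multi-megabyte DLLs


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file, for comparison against a known-good digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte (what `fc /b` reports), or None if identical.
    A length mismatch counts as a difference at the end of the shorter input."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def compare_files(path_a: str, path_b: str) -> Optional[int]:
    """Byte-wise compare of two files without loading either fully into memory."""
    offset = 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            ca, cb = fa.read(CHUNK), fb.read(CHUNK)
            if ca != cb:
                return offset + first_difference(ca, cb)
            if not ca:  # both streams exhausted at the same point: identical
                return None
            offset += len(ca)


def verdict(suspect: str, reference: str, known_good_sha256: Optional[str] = None) -> dict:
    """Report content identity and (optionally) a match against a pinned digest.
    The modification time is reported for information only; it never drives the decision."""
    diff = compare_files(suspect, reference)
    digest = sha256_file(suspect)
    return {
        "identical_to_reference": diff is None,
        "first_difference_offset": diff,
        "sha256": digest,
        "matches_known_good": None if known_good_sha256 is None else digest == known_good_sha256.lower(),
        "mtime_differs": int(os.stat(suspect).st_mtime) != int(os.stat(reference).st_mtime),
    }


def demo() -> dict:
    """Constructed scenario standing in for three copies of zlib1.dll:
    'zlib_net' (reference) and 'boinc' have identical bytes but different timestamps,
    which is the situation reported in the thread; 'tampered' has one byte changed."""
    payload = b"MZ" + bytes(range(256)) * 64  # fake DLL contents, constructed for the example
    tampered = bytearray(payload)
    tampered[0x1234] ^= 0xFF  # flip one byte deep inside the file
    results = {}
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, data in (("zlib_net", payload), ("boinc", payload), ("tampered", bytes(tampered))):
            p = os.path.join(d, name + ".dll")
            with open(p, "wb") as f:
                f.write(data)
            paths[name] = p
        # Give the "boinc" copy an older timestamp, as observed in the thread.
        os.utime(paths["boinc"], (1_000_000_000, 1_000_000_000))
        # Placeholder for a digest obtained from the upstream distribution.
        known_good = sha256_file(paths["zlib_net"])
        results["boinc"] = verdict(paths["boinc"], paths["zlib_net"], known_good)
        results["tampered"] = verdict(paths["tampered"], paths["zlib_net"], known_good)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

On a real machine, call `verdict("C:/Program Files/BOINC/zlib1.dll", "path/to/zlib.net/zlib1.dll", "<digest from upstream>")`. A copy that is byte-identical to the upstream file and matches its published digest is the upstream file, whatever a scanner's signature database says about it; a differing offset tells you exactly where to start looking.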
Fuzzy Hollynoodles
Joined: 7 Oct 05
Posts: 234
Credit: 15,020
RAC: 0
Message 12572 - Posted: 23 Mar 2006, 16:06:26 UTC - in response to Message 12559.  

I would not suggest this, since the Boinc programmers have compiled their own zlib1.dll for a reason and the Microsoft version may cause some incompatibility.



If you do a binary file compare (fc /b at a command prompt) with the Boinc file and the one from zlib.net you will find that they are identical.

The reason I've suggested this is that if you suspect that your file might be compromised then this method might help to remove your suspicions or prove that your copy of zlib1 is legitimate.

I would hope that all files that call themselves 'zlib1.dll' are functionally the same even if the compiled code might be slightly different. According to the license all compiled versions MUST be functionally identical or MUST have a different name.

As to a different Microsoft version: you may be correct - I stopped trusting Microsoft code a long time ago.



Will you trust the developer/programmer himself? http://setiathome.berkeley.edu/forum_thread.php?id=29085#263203


And another developer? http://setiathome.berkeley.edu/forum_thread.php?id=29085#267204


"I'm trying to maintain a shred of dignity in this world." - Me

Bob Guy
Joined: 7 Oct 05
Posts: 39
Credit: 24,895
RAC: 0
Message 12599 - Posted: 24 Mar 2006, 3:53:46 UTC - in response to Message 12572.  


Will you trust the developer/programmer himself?


Of course I trust the developers! But, the very first thing I did when I heard of this concern was to compare the zlib.net version, which I know to be good, with the Boinc version just to be sure.

I've compiled various versions of the zip libraries for my own use in my own code so I have some experience there. I believe it is a false positive, but it wouldn't be the first time that some bad code got put into a computer by a virus or worm. It's better to check everything carefully and be suspicious than to just ignore it.
©2024 University of Washington
https://www.bakerlab.org