staff blogs

distributed.net staff keep (relatively) up-to-date logs of their activities in .plan files. These were traditionally available via finger, but we've put them on the web for easier consumption.

2000-10-17

bovine [17-Oct-2000 @ 10:02]

Filed under: Uncategorized @ 10:02 +00:00

:: 17-Oct-2000 10:22 (Tuesday) ::

I’d also like to recommend that all paranoid users consider using a virus
scanning utility and ensuring that their systems are not infected with
any other viruses or worms. My wormfree utility only attempts to remove
the several worm variants that have been known to deploy our dnetc client.
However, there have been countless other worms and viruses in the past
that all replicate through similar techniques, so you might have been
vulnerable to them (and potentially infected) as well. A pretty good free
resident virus scanner is Computer Associates’ InoculateIT product, which
is available for free download from http://antivirus.cai.com/

Additionally, it should be noted that there are indeed several new worm
variants that illegally deploy the distributed.net client and include
email addresses different than the bymer@inec.kiev.ua that I mentioned in
my original post. Some of these others include the email bymer@ukrpost.net
or ogr@gala.net. There is a more comprehensive list about the known
variants at http://www.distributed.net/trojans.html

bovine [17-Oct-2000 @ 09:38]

Filed under: Uncategorized @ 09:38 +00:00

:: 17-Oct-2000 10:00 (Tuesday) ::

I’ve updated my wormfree utility again to fix a number of other minor
issues. Previously it required a Win98+ or Win95 with IE4 desktop update
installed (now it should run on all Win95, Win98, Win98 SE, and WinME
systems). Additionally, there were rare cases where wormfree would perform
an access violation. It now also attempts to clean a few other no-impact
registry key locations. If you have used previous versions of my wormfree
utility and are really paranoid, you can try re-running this new one.
You can download this new version from:
http://www1.distributed.net/~bovine/wormfree.zip

A related issue is a recent security vulnerability that has been found in
all Win9x systems that would enable another user to access your file
shares, even if you have assigned a very complex password to it. Although
there are currently no worms that utilize this vulnerability, this reason
alone is sufficient to warrant not arbitrarily sharing potentially
vulnerable directories that contain things that get executed. Minimally
this means that you should not share any drive or directory that includes
your WINDOWS directory or your “Program Files”. If you really must use
file-sharing for collaboration, you should create a special folder someplace
on your hard drive, and share ONLY that folder itself (and possibly include
a password, with the understanding that no password or key is truly secure).
You can read about the Microsoft Security Bulletin at the following
location: http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

2000-10-06

bovine [06-Oct-2000 @ 12:22]

Filed under: Uncategorized @ 12:22 +00:00

:: 06-Oct-2000 12:25 (Friday) ::

I’ve updated my wormfree utility with a few more heuristics and strategies
for helping to clean and secure Win9x machines from an infection of one
of these replicating worms. You can download this new version (both source
and compiled binary) from the same URL:
http://www1.distributed.net/~bovine/wormfree.zip

2000-09-24

bovine [24-Sep-2000 @ 13:16]

Filed under: Uncategorized @ 13:16 +00:00

:: 24-Sep-2000 13:19 (Sunday) ::

I have created a simple program that can be run on Win9x machines to
attempt to remove files associated with this most recent “MSINIT” worm,
as well as the VBS.Network and VBS.NetLog worms. You can download this
utility (with full source) from the following location:
http://www1.distributed.net/~bovine/wormfree.zip

bovine [24-Sep-2000 @ 12:29]

Filed under: Uncategorized @ 12:29 +00:00

:: 24-Sep-2000 12:51 (Sunday) ::

We have recently discovered that a new infectious worm has begun
circulating throughout the Internet and includes a hidden payload of our
dnetc.exe client. We have already discredited all stats credit for that
participant’s email address. As stated by our policies at
http://www.distributed.net/legal/policy.html and by our trojan horse
disclaimer at http://www.distributed.net/trojans.html, performing these
types of malicious activities is not condoned at all and these matters
are aggressively pursued by distributed.net.

This worm propagates by randomly selecting an arbitrary IP address and
attempting to connect to the “C” file share on that machine. If it is
successful in accessing that share, it will copy several files into the
remote machine’s “\WINDOWS\Start Menu\Programs\StartUp\” and
“\WINDOWS\SYSTEM\” directories:

+ MSxxx.EXE ~22016 bytes (size and filename varies slightly)
+ MSCLIENT.EXE 4096 bytes
+ INFO.DLL (text file log of other infected computers)
+ DNETC.EXE 186188 bytes (official release v2.8010-463-CTR-00071214)
+ DNETC.INI (containing the email address bymer@inec.kiev.ua)

Note that the presence of DNETC.EXE and DNETC.INI (but with another email
address) on a computer may potentially represent an authorized installation
of our client software, knowingly done by the owner of the machine, so it
is not reasonable to indiscriminately delete all instances of those filenames
should you find them.

Please note that the MSxxx.EXE file will vary slightly and will contain
the first numerical component of your computer’s IP address and possibly
a few extra characters. For example, the following filenames have been
encountered: MS216.EXE, MSI216.EXE, MSI211.EXE. It has been discovered
that some instances of this worm’s file are secondarily infected with the
FunLove.4099 virus, so the filesize may be slightly larger than 22016
bytes if so.

Additionally, as a part of the infection, the following line may be added
to the remote computer’s \WINDOWS\WIN.INI file:

load=c:\windows\system\msxxx.exe (filename varies)

Once either of the first two EXEs has executed once, under the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ registry key,
the following registry value may be added:

MSINIT=c:\windows\system\msxxx.exe (filename varies)

Since the worm also executes “dnetc.exe -hide -install”, there will also
be the addition of another registry value to automatically start the client
as well. Note that the existence of that other registry value in itself
may not necessarily imply an unauthorized installation of our software by
the worm, such as if the owner of the machine had legitimately installed
our client software.

The propagation of this worm is possible solely because many Win9x computer
owners unknowingly choose to share their entire hard drives un-passworded
and with full read/write control granted. Readers are encouraged to warn
others about the dangers of sharing directories (and full hard disks)
without strong passwords.
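A defender-side triage of the indicators listed in the post above, written as an added example (it is not the wormfree utility or any distributed.net code). It assumes you supply text copies of WIN.INI and DNETC.INI plus filename listings of the StartUp and SYSTEM directories, and it assumes DNETC.INI stores the participant address under an `id=` key, which the post does not state.

```python
import re
from pathlib import PureWindowsPath

# Constructed for this example; not the wormfree utility. Read-only triage of
# text copies of WIN.INI / DNETC.INI and directory listings from a Win9x box.
# MSxxx.EXE varies (first IP octet, sometimes extra letters): match a pattern.
WORM_EXE_RE = re.compile(r"^MS[A-Z]*\d{1,3}[A-Z]*\.EXE$", re.IGNORECASE)
FIXED_WORM_FILES = {"MSCLIENT.EXE", "INFO.DLL"}
# Addresses the posts tie to worm-deployed DNETC.INI files.
WORM_EMAILS = {"bymer@inec.kiev.ua", "bymer@ukrpost.net", "ogr@gala.net"}

def suspicious_filenames(names):
    """Names from a StartUp/SYSTEM listing that match the worm's dropped files."""
    return sorted(n for n in names
                  if n.upper() in FIXED_WORM_FILES or WORM_EXE_RE.match(n))

def win_ini_load_hits(win_ini_text):
    """'load=' targets in WIN.INI whose filename looks like MSxxx.EXE."""
    hits = []
    for line in win_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "load":
            for target in value.split():
                if WORM_EXE_RE.match(PureWindowsPath(target).name):
                    hits.append(target)
    return hits

def dnetc_ini_email(dnetc_ini_text):
    """Participant address from DNETC.INI; the 'id=' key name is an assumption."""
    for line in dnetc_ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "id":
            return value.strip()
    return None

def triage(listing, win_ini_text, dnetc_ini_text=None):
    """Combine the checks. DNETC.EXE/DNETC.INI alone never count as infection:
    the post notes the owner may have installed the client legitimately."""
    findings = {"dropped_files": suspicious_filenames(listing),
                "win_ini_load": win_ini_load_hits(win_ini_text)}
    email = dnetc_ini_email(dnetc_ini_text) if dnetc_ini_text else None
    if email is None:
        findings["dnetc"] = "absent"
    elif email.lower() in WORM_EMAILS:
        findings["dnetc"] = "worm-configured (%s)" % email
    else:
        findings["dnetc"] = "present, possibly legitimate (%s)" % email
    findings["infected"] = bool(findings["dropped_files"] or findings["win_ini_load"])
    return findings
```

The RunServices `MSINIT=` value would be checked the same way as the `load=` line; it is left out here so the example stays platform-independent.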

2000-09-18

bovine [18-Sep-2000 @ 00:42]

Filed under: Uncategorized @ 00:42 +00:00

:: 18-Sep-2000 00:58 (Monday) ::

There have been a couple of new utilities added to the third-party addons
page, including:

Ovine by Julius Welby. A python script that allows people (such as those
who use the email fetch@distributed.net gateway) to automatically swap
in other in-buffers when the client exhausts its current one.

PM by Spirin Timofey. A Win32 utility to process proxy console logs,
allowing you to monitor the buffer levels and last-update times of all
connecting clients.

You can find links to those utilities (and more) on our third-party addons
page at http://www.distributed.net/download/addon.html

I’ve also finished some minor reorganization of the text on the front
distributed.net web page, the ogr contest page, the rc5 contest page, and
the client download pages. Most of the changes I’ve made have been in
the interest of trying to improve the readability of the pages to someone
visiting those pages for the first time.

2000-09-16

bovine [16-Sep-2000 @ 15:10]

Filed under: Uncategorized @ 15:10 +00:00

:: 16-Sep-2000 15:19 (Saturday) ::

A new Java Log Visualizer version has been released, with the help of
Stanley Appel, who contributed a bunch of code to enable it to plot multiple
contests simultaneously in different colors. You can see a cute screenshot
at http://www1.distributed.net/~bovine/javavis14.png or you can download
it (along with full Java source) from the source page at
http://www.distributed.net/source/

2000-08-01

bovine [01-Aug-2000 @ 16:41]

Filed under: Uncategorized @ 16:41 +00:00

:: 01-Aug-2000 17:02 (Tuesday) ::

We trickled a small number of OGR-25 stubs yesterday on the public network
with various numbers of marks for testing purposes so that we could get
some public feedback about their completion times. For OGR-25, we’ve
settled on distributing so-called “6-stubs” (that is, a stub fragment
where the first 6 marks are specified by our servers). Such stubs will
be displayed by the client as “25/1-2-3-4-5-6”.

Although we generally tried to intersperse these experimental OGR-25 stubs
into the outgoing OGR-24 distribution to minimize giving too many to any
single person, we’ve learned this might not have necessarily been the
case. In any case, since our intended benchmarking use of these
experimental stubs is finished, if you see that your client is working on
a “25/” stub that does not have exactly 6 values after the slash then you
can feel free to discard your entire buff-in.ogr containing these
experimental OGR-25 stubs, if you like.

2000-07-31

bovine [31-Jul-2000 @ 11:57]

Filed under: Uncategorized @ 11:57 +00:00

:: 31-Jul-2000 12:17 (Monday) ::

Just thought I’d let it be known that we are now beginning to distribute
OGR-25 stubs right now. Although we have not yet fully received back
completed stubs for the first pass over OGR-24, it’s important for us to
allow a reasonable amount of time before reissuing OGR-24 stubs that we
have not yet received responses for.

It is important to note that there is nothing you need to explicitly do
to accommodate the OGR-25 stubs if your client has already been working
on OGR-24. Perhaps even more important to stress is the fact that you
should NOT intentionally dump or discard your existing OGR-24 buffers so
that you can begin working on OGR-25 sooner.

It’s also worth pointing out that due to the nature of the OGR project,
there will be a second complete pass over the OGR-24 stubs so that the
final nodecount data can be correlated between the two passes. Currently,
we’ve received back about 86.39% of the stubs necessary for the first
pass. However, since it’s not necessary to wait for the first pass to be
completed before starting the second pass, we’ve already finished partial
distribution of the second pass stubs and have received back 28.91% of
them so far.

Keep those clients running! And if you haven’t yet added your OGR client
benchmarks to our speed database, I encourage you to visit
http://www.distributed.net/speed/ today! Moo. ]:8)

2000-07-14

bovine [14-Jul-2000 @ 12:32]

Filed under: Uncategorized @ 12:32 +00:00

:: 14-Jul-2000 12:41 (Friday) ::

I’ve updated the client speed pages to all output more concise results by
averaging all data for a single CPU/MHz combination. Additionally, the
standard deviation and a percentage representation of the stddev relative
to the avg is also displayed, to allow particularly bogus entries to be
more easily spotted. Check it out and add your client’s benchmarked speeds
today! http://n0cgi.distributed.net/speed/
