
BOINC Malware

Protecting devices from malware threats is crucial for maintaining both security and functionality. Recently, cybercriminals have abused BOINC (Berkeley Open Infrastructure for Network Computing), a legitimate client for distributed computing projects, as the payload of a malware campaign against infected systems. Note that this is not a vulnerability in BOINC itself; instead, the malware installs BOINC without authorization and points it at infrastructure the attackers control.

Installation and Execution

The malware places BOINC on users' devices without consent by means of a separate dropper payload that writes the files directly to disk, so the normal installation process (and any prompts it would show) never runs. The binaries are the unmodified ones shipped in the official BOINC installer 8.0.2, although the installer itself is not executed at any point.

Threatening Operations

Upon installation, the malware initiates several unsafe activities:

  • Creation of Hidden Windows User: There are unconfirmed reports of a hidden Windows user being created, which could facilitate further unauthorized access if confirmed.
  • Service Installation: A component is installed as a Windows service on the infected systems, although specific details such as the service name are currently undisclosed.
  • File Distribution: Multiple copies of BOINC are downloaded to the 'C:\Users\USERNAME\AppData\Roaming' folder and its subfolders, spreading its presence across the system.
  • Executable Renaming: BOINC client executables are renamed to common system process names such as '.exe,' 'gupdate.exe,' 'SecurityHealthService.exe,' and 'trustedinstaller.exe.' This disguise aims to evade detection and blend in with legitimate processes. The genuine Windows binaries with these names live under 'C:\Windows', so a copy running from a user's 'Roaming' folder is itself a red flag.
  • Creation of Fake Server: A fake BOINC project server resembling the legitimate Rosetta@home server has been reported. Its name is withheld for security reasons; the server mimics a legitimate project so that the installed clients fetch and run work the attackers supply rather than genuine research tasks.

Distribution and Impact

The distribution method of this malware remains unclear; some victims speculate a link to their use of public Wi-Fi networks, but this has not been confirmed. The campaign appears to target users in the United States, and approximately 7,000 Windows devices were counted as connected to the fake project server.

Mitigation and Removal Advice

Researchers suggest the following steps to mitigate the impact of this malware:

  • Task Scheduler Cleanup: Check and remove any entries in the Task Scheduler that execute code from the 'Roaming' folder. These entries may be disguised as legitimate maintenance jobs such as Mozilla or Google updates, or may simply be named with an underscore followed by digits.
  • File Deletion: Delete all unwanted files stored in the 'Roaming' folder and its subfolders. Windows will refuse to delete a file whose process is still running, so users may first need to terminate the renamed BOINC processes in 'Task Manager' before the files can be removed.
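The two steps above are manual. The following triage script is an added example, not code from the original article or from the researchers who reported the campaign; it automates the same checks on a Windows host and reports rather than deletes, so the output can be reviewed before anything is removed. It assumes the indicators stated above (BOINC copies under a user's 'AppData\Roaming', scheduled tasks or services pointing there, and the masquerading file names listed), and it additionally assumes that renaming the BOINC client executable leaves its embedded version metadata intact, which is used as a second way to spot the copies. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the original article or the researchers).
# Reports scheduled tasks, services, processes and files tied to BOINC copies
# dropped under a user's AppData\Roaming folder. It only reports; delete nothing
# until the output has been reviewed.

# File names the article says the BOINC client binaries were renamed to.
# The genuine Windows binaries with these names live under C:\Windows.
$MasqueradeNames = @('gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe')

# Matches C:\Users\<anyone>\AppData\Roaming\ (case-insensitive).
$RoamingPattern = '(?i)\\Users\\[^\\]+\\AppData\\Roaming\\'

Write-Host '== Scheduled tasks that execute from AppData\Roaming =='
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute property; they simply will not match.
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $RoamingPattern) {
            # Names reported for the campaign: update lookalikes, or an underscore followed by digits.
            $lookalike = ($task.TaskName -match '^_\d+$') -or ($task.TaskName -match '(?i)mozilla|google|update')
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                NamePattern = if ($lookalike) { 'lookalike or _digits' } else { 'other' }
                Command     = $cmd
            }
        }
    }
} | Format-Table -AutoSize

Write-Host '== Services whose binary lives under AppData\Roaming =='
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $RoamingPattern } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-Table -AutoSize

Write-Host '== Running processes with a masquerading name outside C:\Windows =='
Get-CimInstance Win32_Process |
    Where-Object {
        $_.ExecutablePath -and
        ($MasqueradeNames -contains $_.Name) -and
        ($_.ExecutablePath -notlike "$env:SystemRoot\*")
    } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize

Write-Host '== Executables under AppData\Roaming carrying BOINC version metadata =='
# Assumption: renaming the file does not touch the PE version resource, so the
# ProductName/OriginalFilename still identify the BOINC client regardless of file name.
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming' -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.VersionInfo.ProductName -match '(?i)boinc') -or
        ($_.VersionInfo.OriginalFilename -match '(?i)boinc')
    } |
    Select-Object FullName,
        @{ Name = 'OriginalFilename'; Expression = { $_.VersionInfo.OriginalFilename } },
        @{ Name = 'FileVersion';      Expression = { $_.VersionInfo.FileVersion } } |
    Format-Table -AutoSize

Write-Host '== Local accounts, including any hidden from the logon screen =='
# Accounts listed with value 0 under SpecialAccounts\UserList are hidden from the
# Windows logon screen; compare this list against Get-LocalUser.
$hiddenKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path $hiddenKey) {
    $hidden = (Get-ItemProperty $hiddenKey).PSObject.Properties |
        Where-Object { $_.Value -eq 0 -and $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
}
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon,
        @{ Name = 'HiddenFromLogon'; Expression = { $hidden -contains $_.Name } } |
    Format-Table -AutoSize
```

Entries in the first three tables that point into a 'Roaming' folder are the ones the removal advice targets: stop the listed processes first (Stop-Process -Id), then unregister the task or delete the service, then remove the files. A process that is legitimately named but runs from a user profile instead of 'C:\Windows' should be treated as hostile even if its version metadata has been stripped.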

By taking these precautions and remaining vigilant against suspicious activities and installations, users can help protect their devices from the impacts of threatening software like the BOINC malware.

