Sounds really nasty and does the whole cause a great deal of harm. Who knows what else gets downloaded through it.

What is known at this moment.
BOINC is loaded onto the users' devices without their consent using some third-party payloader.
BOINC itself is not compromised; the BOINC binaries that are downloaded to the users' devices are taken from the official BOINC installer 8.0.2 (the BOINC installer itself is not used).
UNCONFIRMED: a hidden Windows user is created.
The malicious software is installed as a service (currently no information about the service name).
Several copies of BOINC are downloaded to the 'C:\USERNAME\AppData\Roaming' folder and to several subfolders.
BOINC client executables are renamed to: '.exe', 'gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe'.
A fake BOINC server has been created that looks like the Rosetta@home server (for security reasons we cannot publish the name of the server, but it has already been reported to the registrar).
Some software is created as a BOINC application (since there are no tasks on that fake project server, it's impossible to get it and analyze it).
Only Windows devices are affected (from the information on the fake project server I see that around 7'000 devices are compromised).
We do not currently know how users got this malicious software on their devices. One of the affected users reported back to us that they started seeing this after they had connected to the Starbucks public wifi.
Currently we have received reports from US users only.
The antivirus software we have tested was not able to find and block the malicious payloader.
Currently we don't know how to defeat this malware, but we're working on it.
More information will be published when we receive it.
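The indicators in the quoted post (renamed BOINC client binaries under AppData\Roaming, a service of unknown name, a possibly hidden local user, a lookalike project server) can be checked on a single Windows host with the PowerShell below. This is an added example, not code from the BOINC post or from anyone in this thread. It assumes two things the post does not state: that the dropped client writes BOINC's usual per-project account_*.xml files (which carry the project's master_url) beside itself, and that the Winlogon SpecialAccounts\UserList registry key is where a local account would be hidden from the logon screen.

```powershell
# Added example, not part of the BOINC post or this thread: single-host hunt for the
# indicators the post lists. Run from an elevated PowerShell (5.1 or 7) session.
# Assumptions (not stated in the post): the dropped client keeps BOINC's normal
# account_*.xml files next to itself, and SpecialAccounts\UserList is how a local
# user would be hidden from the logon screen.

$ErrorActionPreference = 'SilentlyContinue'

# Every user profile's AppData\Roaming, since the post names that folder per user.
$roots = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path -Path $_.FullName -ChildPath 'AppData\Roaming' } |
    Where-Object { Test-Path -Path $_ }

# 1. Renamed BOINC client binaries. Renaming an EXE does not touch its version
#    resource, so a renamed copy of boinc.exe still reports its original file name.
$iocNames = @('gupdate.exe', 'SecurityHealthService.exe', 'trustedinstaller.exe')
"== Executables matching the posted names under AppData\Roaming =="
Get-ChildItem -Path $roots -Recurse -File |
    Where-Object { $iocNames -contains $_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            Path         = $_.FullName
            OriginalName = $_.VersionInfo.OriginalFilename
            Product      = $_.VersionInfo.ProductName
            Version      = $_.VersionInfo.FileVersion
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize

# 2. Services whose binary lives in a user profile. A BOINC service installed by
#    the official installer runs from Program Files, not from AppData.
"== Services started from AppData\Roaming =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match '\\AppData\\Roaming\\' } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Format-Table -AutoSize

# 3. Which project the dropped client is attached to. BOINC writes one
#    account_<host>.xml per attached project; its <master_url> is the server.
#    Compare that URL with the genuine Rosetta@home URL before trusting it.
"== Project URLs found in account_*.xml files =="
Get-ChildItem -Path $roots -Recurse -File -Filter 'account_*.xml' |
    ForEach-Object {
        $xml = [xml](Get-Content -Path $_.FullName -Raw)
        [pscustomobject]@{ File = $_.FullName; MasterUrl = $xml.account.master_url }
    } | Format-Table -AutoSize

# 4. Local accounts, plus the registry key that hides an account from the logon
#    screen (assumption: this is what a "hidden user" would look like).
"== Local users =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, Description | Format-Table -AutoSize
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path -Path $userList) {
    "== Accounts hidden via SpecialAccounts\UserList =="
    (Get-Item -Path $userList).Property   # each value name is a hidden account
}
```

Because the post says the dropped binaries are the unmodified 8.0.2 client, their SHA-256 will match the genuine boinc.exe; the hash is only useful for correlating copies across hosts, not as an antivirus-style block indicator. The actual signal is the combination of file name, location under AppData\Roaming, a service pointing there, and a master_url that is not the real Rosetta@home server.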
Malware installs Boinc

Stiwi
- Mod-Caser

- Posts: 1529
- Registered: 20.05.2012 21:11
Malware installs Boinc
https://boinc.berkeley.edu/forum_thread.php?id=15293

X1900AIW
- TuX-omane

- Posts: 2921
- Registered: 05.01.2008 16:34
Re: Malware installs Boinc
Thanks for the heads-up!
Is there actually a way, e.g. via a control/configuration file, to "lock" the status quo, i.e. to make adding new BOINC projects impossible?
Together with write protection for a (visible) user.
While the officials are still working on a remedy, one could make targeted use of what already exists.
Coming together is a beginning, staying together is progress, working together is success.
Henry Ford

