Slashdot Mirror


Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA

hypnosec writes "Bitcoin miners are being integrated with third-party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system, consuming valuable CPU time without explicitly asking for the user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and that even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner, 'jhProtominer,' a popular mining software that runs via the command line. However, it seems that the company behind the application has a specific clause 3 in its EULA that talks about mathematical calculations similar to Bitcoin mining operations. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."

14 of 194 comments

  1. Free Software by Anonymous Coward · · Score: 5, Insightful

    This is why you should use free software from a reputable source, such as Debian GNU/Linux.

    1. Re:Free Software by Runaway1956 · · Score: 5, Insightful

      Agreed - but you can't convince the unwashed masses. It's great having a "trusted repository" from which to pull almost all your applications. It's even better that you can browse the source code before compiling, to be halfway sure that the software does what it claims, and nothing "extra".

      Admittedly, I'm not qualified to really examine all that source code, but I can and do browse through it from time to time.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br

    2. Re:Free Software by gutnor · · Score: 3, Insightful

      The vast majority of software users would not be able to read the source at all.

      What they can do is ask other people who can whether the software is OK or not. At that stage it does not matter if the code is open source or not. If the community, like a malware listing site or others, has vetted the software, it is as good a guarantee as they will ever have. Having the source code just makes our job easier when trying to help guys with problems.

  2. Incorrect by Frosty+Piss · · Score: 5, Insightful

    Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. ... However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves

    Incorrect.

    Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

    --
    If you want news from today, you have to come back tomorrow.

    1. Re:Incorrect by mysidia · · Score: 4, Insightful

      Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

      I agree with you about it not being "legitimate"; HOWEVER, certain major vendors have a conflicting opinion, including the operators of sites such as Download.com and SourceForge.net.

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      Unfortunately; we ultimately need some prescriptive guidelines for consumer software.

      And probably a regulatory regime... including certification marks; for example a "SafeSoftware" seal for publishers, similar to the idea behind TRUSTe ---- if the software isn't digitally signed by a vendor holding a SafeSoftware seal, then perhaps your browser should warn you before releasing the file to the Downloads folder.

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

    2. Re:Incorrect by AlphaWolf_HK · · Score: 4, Insightful

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

      Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK

    3. Re:Incorrect by johndoe42 · · Score: 4, Insightful

      Or we could finally fix the law and declare EULAs to be unenforceable. Unilateral contracts like EULAs are out of control.

    4. Re:Incorrect by geminidomino · · Score: 3, Insightful

      I think you underestimate the time needed to generate a bitcoin.

    5. Re:Incorrect by Anonymous Coward · · Score: 5, Insightful

      If you have to piggy-back on another app in order to get downloaded, you're malware. If the download screen only talks about the main app with no mention of your piggy-back app, you're malware. If you have to hide your software description in the EULA (needlessly but commonly embedded inside a tiny scroll window) to avoid scrutiny, you're malware. If you weasel-word the software description (math calculations?) instead of being forthright, you're malware. If you will not cleanly uninstall when the user uninstalls you, you're malware.

  3. "potentially unwanted programs" by Anonymous Coward · · Score: 5, Insightful

    Is "potentially unwanted programs" the new politically correct term for malware? It's OK to call it malware, even if the user technically-allegedly-probably-not signed an EULA allowing it.

    If it runs an unauthorized bitcoin miner, stealing your cycles and electricity, it's malware. No exceptions.

    1. Re:"potentially unwanted programs" by Linsaran · · Score: 3, Insightful

      Potentially Unwanted Programs are not quite malware, though in many cases I'd argue they are worse. PUPs are generally stuff like 'WOMG Awesome Toolbar', 'Internet Coupon Printer 3000', 'Free smilies wacky mouse pointers' and Java.

      They're legitimate in the sense that they won't exploit vulnerabilities in your system to install themselves, or (generally) ignore (or interfere with) attempts to remove them from your computer. They might even propose to have some sort of functionality that a user could want. The reality is that the functionality they generally offer is limited at best, and may even be inferior to the native functionality of the computer. They often slow your machine down, eating up your CPU cycles, opening up your computer to additional vulnerabilities, stealing your personal information to sell to advertisers, and generally speaking are not really useful to or needed by the people who have them installed on their computers.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf

  4. This shouldn't need to be said but.. by Anonymous Coward · · Score: 0, Insightful

    End users need to learn to be responsible for their own systems. Then again, it's not like Microsoft has made it easy to identify running processes, what launched them and what they are communicating with, so perhaps not all blame belongs to the end user.

  5. Re:Names please by mr_jrt · · Score: 4, Insightful

    I should have understood the article first.

    From the article it seems to be
    www.yourfreeproxy.net

    Well, who would not want to install an application that redirects all of their network traffic through their servers FOR FREE?

    Someone not very technical wanting to bypass their government's mandated filtering?

    --
    Boo.

  6. Re:One Word: CNet by Bacon+Bits · · Score: 4, Insightful

    And there is the problem. People pay hundreds or thousands for a computer and still want to treat it as an appliance like their toaster. Why should I give a shit about their safety if they don't give a shit about it?

    Yes, I'm sure auto mechanics, carpenters, doctors, soldiers, and farmers all think the same thing when they get up to do their daily work.

    The fact is, all people need medicine, not just those who are experts. All people need homes, not just those that can build them. All people need their vehicles repaired, not just those who can do it themselves. All people need their nation defended, not just those who can devote their life to it. All people need food, not just those with the means to produce their own. And, yes, all people need computers, not just those who are experts.

    We experts have jobs because we're supposed to help these other people. Having a skill doesn't make you special. It just makes you useful. Being useful doesn't give you the right to be an asshole.

    --
    The road to tyranny has always been paved with claims of necessity.