Slashdot Mirror


Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA

hypnosec writes "Bitcoin miners are being integrated with third-party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system, consuming valuable CPU time without explicitly asking for the user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner 'jhProtominer,' a popular mining software that runs via the command line. However, it seems that the company behind the application has a specific clause 3 in the EULA that talks about mathematical calculations similar to Bitcoin mining operations. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."

6 of 194 comments

  1. One Word: CNet by Frosty+Piss · · Score: 5, Interesting

    End users need to learn to be responsible for their own systems.

    True to a certain extent. But think about downloads from CNet.

    Isn't CNet a trustworthy source? No? It certainly LOOKS like a trustworthy source. It's not a warez site, right?

    But of course most /. folks know otherwise, we know that CNet is one of the major sources of malware.

    Also, please remember that not everyone who uses a computer is an "IT pro". This should not be necessary to avoid shit like this crap.

    --
    If you want news from today, you have to come back tomorrow.
  2. The really strange thing about this: by Dputiger · · Score: 4, Interesting

    Bitcoin mining on anything but ASICs is no longer profitable. Even on an R9 290X with an 80+ Platinum PSU, you're making maybe $1 - $2 a day. And the vast majority of people don't have anything like that equipment. CPU mining is so slow, you'll never complete any work before the block is finished. GPU mining is still fast enough to get some work done, provided you own an AMD GPU.

    But Nvidia GPUs don't mine BTC for beans and most mining kernels will crash an NV card or lead to rampant slowdowns and random lockups. Even an AMD card needs a low priority miner to escape the kind of UI chokeup that immediately alerts someone to a problem in the system. This might have made sense in 2010, when CPUs could still mine, but these days the return on investment is going to be terrible -- and the performance hit is big enough that people *will* notice.

    1. Re:The really strange thing about this: by ledow · · Score: 3, Interesting

      http://mining.thegenesisblock.com/

      Select the hardware, look at the cost (just underneath it), see how many actually make a profit (in blue on the right) after a few months, how many after an entire year, and how many never make one (profit in red and bracketed).

      Quite a lot of the companies have NOTHING on there that generates profit at all (including the new USB ASIC miners, for instance, as I said).

      The ones that do make a profit, you need a few thousand dollars of investment, hope the difficulty doesn't go up, and you might make a few hundred dollars for 6 months until they start to make a loss. The ones that make thousands of dollars cost over $10,000 in the first place.

      And next year, you will be worse off again.

      Not saying you can't make profit. Saying that when you take into account the hassle, the cost, the difficulty changes, and the risk, you'll be lucky to make more than your bank would have given you for the same amount of cash in a savings account. And at least that doesn't "devalue" over time.

  3. Re:Incorrect by rhysweatherley · · Score: 4, Interesting

    Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

    Depends on the regulations: "Commercial software can pick from one of the 5 following standard commercial licenses: ... Any commercial software license that deviates from a Standard License reverts to Standard License Type 1 wherever its EULA conflicts with this regulation. Software that complies with the Open Source Definition or otherwise allows the user to inspect the source code and remove unwanted features independently is exempt from this section."

    You are then perfectly free to make money from your software. Pick whichever one of the standard licenses suits your purpose and carry on. But what you cannot do is employ a lawyer to invent a creative way to screw your users in the fine print. If you do, your license is automatically torn up and replaced with something sane.

  4. Re:Free Software by lgw · · Score: 4, Interesting

    I think there's a big future for a testing company, like Underwriter's Labs is for physical goods, to do just that. Anyone big or small can send them code to review, and pay a fee, and they'll certify the resulting binary as trouble-free, at least to the level of confidence you'd expect from a good app store or distro (acknowledging that sufficiently clever malware can hide anywhere, but forcing it to be really clever would probably fix 99% of the problem).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  5. Re:Incorrect by Carewolf · · Score: 1, Interesting

    Doesn't matter what the law says. If anything from any source is using my computer for any purpose which was hidden, disguised, or obfuscated from me, then it is an illegitimate use. Full disclosure, with explicit permission, or it's illegitimate.

    That would make the Chrome browser illegitimate. Most people are not aware that it is spyware and it is not advertised as spyware, it just mentions it deep in an EULA (much like the application in this story does about being a bitcoin miner).

    The problem is that a lot of people rely on and trust applications that classically would fall into the category of malware. Google even went as far as inventing a new category called badware, which was the same as malware except it didn't include spyware intended for advertisement.

    If we accept that people are okay with using some types of malware (like Google Chrome), then we need to consider our definitions much more deeply, because suddenly software that has unintended and potentially unwanted side-effects is considered legitimate.