Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA

hypnosec writes "Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system, consuming valuable CPU time without explicitly asking for the user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner 'jhProtominer,' a popular mining software that runs via the command line. However, it seems that the company behind the application has a specific clause 3 in its EULA that talks about mathematical calculations similar to Bitcoin mining operations. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."
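The two symptoms in the report (a process pinned above 50% CPU, and a binary that comes back after manual deletion) are what a defender can actually look for. The following is an added example, not code from the article or from Malwarebytes: it runs a simple triage over constructed process-list snapshots (the paths, pids and timings are made up; only the image name jh1d.exe is from the report) and separates a sustained miner from a browser that merely spikes.

```python
from collections import defaultdict

CPU_THRESHOLD = 50.0   # percent of one core, the level in the forum report
SUSTAINED_SECS = 300   # only flag five minutes or more of continuous load
SAMPLE_GAP = 60        # seconds between process-list snapshots

# Constructed image paths; only the miner runs from a user-writable profile dir.
SVCHOST = r"C:\Windows\System32\svchost.exe"
BROWSER = r"C:\Program Files\Browser\browser.exe"
MINER = r"C:\Users\joe\AppData\Roaming\jh1d.exe"


def build_sample():
    """Twelve one-minute snapshots of (time, pid, image path, cpu%), constructed."""
    rows = []
    for minute in range(12):
        t = minute * SAMPLE_GAP
        rows.append((t, 4012, SVCHOST, 2.0))
        rows.append((t, 5120, BROWSER, 70.0 if minute in (1, 4) else 20.0))  # brief spikes
        if minute < 7:
            rows.append((t, 6601, MINER, 58.0))   # user kills it after minute 6
        elif minute >= 9:
            rows.append((t, 7310, MINER, 60.0))   # it is back under a new pid
    return rows


def sustained_hogs(rows, threshold=CPU_THRESHOLD, min_secs=SUSTAINED_SECS, gap=SAMPLE_GAP):
    """Map image path -> longest unbroken run (seconds) at or above threshold."""
    series = defaultdict(list)
    for t, _pid, path, cpu in sorted(rows):
        series[path].append((t, cpu))
    hits = {}
    for path, points in series.items():
        run_start, last_t, longest = None, None, 0
        for t, cpu in points:
            # A dip below threshold or a missed sample ends the current run.
            if cpu < threshold or (last_t is not None and t - last_t > gap):
                run_start = None
            if cpu >= threshold:
                run_start = t if run_start is None else run_start
                longest = max(longest, t - run_start)
            last_t = t
        if longest >= min_secs:
            hits[path] = longest
    return hits


def respawned_images(rows):
    """Image paths that came back under a new pid after disappearing."""
    pids_by_path = defaultdict(list)
    for _t, pid, path, _cpu in sorted(rows):
        seen = pids_by_path[path]
        if not seen or seen[-1] != pid:
            seen.append(pid)
    return {p: pids for p, pids in pids_by_path.items() if len(pids) > 1}


def triage(rows):
    """Combine the signals into {path: [reasons]} for a human to review."""
    findings = defaultdict(list)
    for path, secs in sustained_hogs(rows).items():
        findings[path].append(f"cpu above {CPU_THRESHOLD:.0f}% for {secs}s")
    for path, pids in respawned_images(rows).items():
        findings[path].append(f"respawned with pids {pids}")
    for path in list(findings):
        if "\\appdata\\" in path.lower():   # user-writable, not Program Files
            findings[path].append("runs from a user profile directory")
    return dict(findings)
```

On a real host the rows would come from periodic `tasklist` or `Get-Process` output rather than `build_sample()`; the respawn check is what distinguishes a persistence mechanism from a process the user simply restarted.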


  1. Free Software by Anonymous Coward · · Score: 5, Insightful

    This is why you should use free software from a reputable source, such as Debian GNU/Linux.

    1. Re:Free Software by Runaway1956 · · Score: 5, Insightful

      Agreed - but you can't convince the unwashed masses. It's great having a "trusted repository" from which to pull almost all your applications. It's even better that you can browse the source code before compiling, to be halfway sure that the software does what it claims, and nothing "extra".

      Admittedly, I'm not qualified to really examine all that source code, but I can and do browse through it from time to time.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Free Software by khellendros1984 · · Score: 4, Informative

      How soon before websites try using the CPU of visitors to mine bitcoin? Would that be possible?

      It's been done. Link goes to a Javascript-based bitcoin miner that you can embed in a webpage.

      --
      It is pitch black. You are likely to be eaten by a grue.
    3. Re:Free Software by gutnor · · Score: 3, Insightful

      The vast majority of software users would not be able to read the source at all.

      What they can do is ask other people who can whether the software is ok or not. At that stage it does not matter if the code is open source or not. If the community, like a malware listing site or others, has vetted the software, it is as good a guarantee as they will ever have. Having the source code just makes our job easier when trying to help guys with problems.

    4. Re:Free Software by Anonymous Coward · · Score: 2, Informative

      I'd imagine that the fact that even GPU mining is a fairly dubious proposition at this point (I can't remember if the increases in price lately allow it to still be viable if the hardware costs are already sunk but you need to pay the electric bill; but the FPGAs and ASICs aren't getting any slower or less numerous), even donated or stolen CPU time would be close to worthless, even if doing it in Javascript doesn't impose much overhead...

      The cost of production is irrelevant if you can dump it off onto a hacked/infected/duped user as a negative externality. It's like when a meth head smashes your car window, to steal your $400 phone, which he sells for $20:

      Cost to you, $400 phone, $250 window, time & stress from the window repair and loss of communications: $650+
      Income to meth head: $20.
      That's a net -$630 loss to the pair of you, but you bear all the cost and he all the "profit".

      This is also why methadone clinics should be funded by clear thinking conservatives, as well as after school programs and "crap" like arts, music and sports.

    5. Re:Free Software by lgw · · Score: 4, Interesting

      I think there's a big future for a testing company, like Underwriter's Labs is for physical goods, to do just that. Anyone big or small can send them code to review, and pay a fee, and they'll certify the resulting binary as trouble-free, at least to the level of confidence you'd expect from a good app store or distro (acknowledging that sufficiently clever malware can hide anywhere, but forcing it to be really clever would probably fix 99% of the problem).

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Incorrect by Frosty+Piss · · Score: 5, Insightful

    Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. ... However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves

    Incorrect.

    Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Incorrect by mysidia · · Score: 4, Insightful

      Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

      I agree with you about it not being "legitimate"; HOWEVER, certain major vendors have a conflicting opinion, including the operators of sites such as Download.com and Sourceforge.net.

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      Unfortunately; we ultimately need some prescriptive guidelines for consumer software.

      And probably a regulatory regime... including certification marks; for example a "SafeSoftware" seal for publishers, similar to the idea behind TRUSTe ---- if the software isn't digitally signed by a vendor holding a SafeSoftware seal, then perhaps your browser should warn you before releasing the file to the Downloads folder.

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

    2. Re:Incorrect by AlphaWolf_HK · · Score: 4, Insightful

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

      Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    3. Re:Incorrect by gl4ss · · Score: 2

      there was full disclosure via text of eula and explicit permission given when pressing yes to it. problem of course being that people don't read the things (nobody does). but even if it had a blinking fullscreen dialog that spelled out that they will use your computer's cpu and your electricity to make money people would still press yes, if it was a necessary step for installing software that they for some reason or another wanted to install. most adware addons nowadays are quite clear in the installers what they will do (install a fucking browser toolbar) but still people install them by the millions.

      I do agree with that it's not nice for them to do it, but calling it illegitimate implies that it's unlawful...

      good news is that it's bundled with software one doesn't want in the first place.

      --
      world was created 5 seconds before this post as it is.
    4. Re:Incorrect by dkf · · Score: 3, Informative

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      They might be able to claim that, but it doesn't mean that courts would necessarily agree. Consumers typically have greater legal protections than companies precisely because they are usually so much less skilled in contract law. This applies in many areas of commerce; for someone to say that computer software should be exempt from this principle is entirely unrealistic.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    5. Re:Incorrect by johndoe42 · · Score: 4, Insightful

      Or we could finally fix the law and declare EULAs to be unenforceable. Unilateral contracts like EULAs are out of control.

    6. Re:Incorrect by geminidomino · · Score: 3, Insightful

      I think you underestimate the time needed to generate a bitcoin.

    7. Re:Incorrect by The123king · · Score: 2

      Apple, in my mind, have solved the problem in the best way possible in (Mac) OS X. By only allowing the system to install signed (and thus hopefully vetted) software, many of these rogue applications just flat-out cannot be installed by the user. Obviously, any mechanism like this is only good if there's a way to turn it off, and indeed Mac OS X provides that capability. By restricting what Joe Idiot can and cannot install means that Joe Idiot is less likely to get crap installed on his computer. And for the more tech savvy people, there's always the option to turn it off.

      --
      If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
    8. Re:Incorrect by rhysweatherley · · Score: 4, Interesting

      Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

      Depends on the regulations: "Commercial software can pick from one of the 5 following standard commercial licenses: ... Any commercial software license that deviates from a Standard License reverts to Standard License Type 1 wherever its EULA conflicts with this regulation. Software that complies with the Open Source Definition or otherwise allows the user to inspect the source code and remove unwanted features independently is exempt from this section."

      You are then perfectly free to make money from your software. Pick whichever one of the standard licenses suits your purpose and carry on. But what you cannot do is employ a lawyer to invent a creative way to screw your users in the fine print. If you do, your license is automatically torn up and replaced with something sane.

    9. Re:Incorrect by Anonymous Coward · · Score: 5, Insightful

      If you have to piggy-back on another app in order to get downloaded, you're malware. If the download screen only talks about the main app with no mention of your piggy-back app, you're malware. If you have to hide your software description in the EULA (needlessly but commonly embedded inside a tiny scroll window) to avoid scrutiny, you're malware. If you weasel-word the software description (math calculations?) instead of being forthright, you're malware. If you will not cleanly uninstall when the user uninstalls you, you're malware.

    10. Re:Incorrect by arisvega · · Score: 2

      By restricting what Joe Idiot can and cannot install means that Joe Idiot is less likely to get crap installed on his computer.

      Just because Joe does not know computers, does not mean that Joe is an idiot. Or that you are smarter than he is.

      --
      The three laws of thermodynamics:(1) You can't win. (2) You can't break even. (3) You can't even quit.
  3. "potentially unwanted programs" by Anonymous Coward · · Score: 5, Insightful

    Is "potentially unwanted programs" the new politically correct term for malware? It's OK to call it malware, even if the user technically-allegedly-probablynot signed an EULA allowing it.

    If it runs an unauthorized bitcoin miner, stealing your cycles and electricity, it's malware. No exceptions.

    1. Re:"potentially unwanted programs" by retchdog · · Score: 2

      As I understand it, there was some concern about something like this happening to anti-malware organizations. So, call it "pups" instead. Everyone knows, or will soon know, what you really mean, but it's technically hard to argue that it's slander.

      --
      "They were pure niggers." – Noam Chomsky
    2. Re:"potentially unwanted programs" by Linsaran · · Score: 3, Insightful

      Potentially Unwanted Programs are not quite malware, though in many cases I'd argue they are worse. PUPs are generally stuff like 'WOMG Awesome Toolbar', 'Internet Coupon Printer 3000', 'Free smilies wacky mouse pointers' and Java.

      They're legitimate in the sense that they won't exploit vulnerabilities in your system to install themselves, or (generally) ignore (or interfere with) attempts to remove them from your computer. They might even propose to have some sort of functionality that a user could want. The reality is that the functionality they generally offer is limited at best, and may even be inferior to the native functionality of the computer. They often slow your machine down, eating up your CPU cycles, opening up your computer to additional vulnerabilities, stealing your personal information to sell to advertisers, and generally speaking are not really useful to or needed by the people who have them installed on their computers.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
    3. Re:"potentially unwanted programs" by N1AK · · Score: 2

      If you say when it tells you that it can install a bitcoin miner then it isn't running an unauthorised miner. We can argue all day about the idea that EULAs should mean anything, and we'd probably agree, but the EULA tells users this is what they'll do so it's not unauthorised.

      I'm sure the people offering programs with a bitcoin miner would be perfectly happy to provide a version without a miner that costs $1 or something equally nominal (it's not like a typical home pc is getting much from mining these days anyway). Unfortunately people are tight and stupid. They'll pirate the paid-for version rather than pay $1 or they'll find a 'free' alternative instead (which includes a miner).

  4. One Word: CNet by Frosty+Piss · · Score: 5, Interesting

    End users need to learn to be responsible for their own systems.

    True to a certain extent. But think about downloads from CNet.

    Isn't CNet a trustworthy source? No? It certainly LOOKS like a trustworthy source. It's not a warez site, right?

    But of course most /. folks know otherwise; we know that CNet is one of the major sources of malware.

    Also, please remember that not everyone who uses a computer is an "IT pro". This should not be necessary to avoid shit like this crap.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:One Word: CNet by Bacon+Bits · · Score: 4, Insightful

      And there is the problem. People pay hundreds or thousands for a computer and still want to treat it as an appliance like their toaster. Why should I give a shit about their safety if they don't give a shit about it?

      Yes, I'm sure auto mechanics, carpenters, doctors, soldiers, and farmers all think the same thing when they get up to do their daily work.

      The fact is, all people need medicine, not just those who are experts. All people need homes, not just those that can build them. All people need their vehicles repaired, not just those who can do it themselves. All people need their nation defended, not just those who can devote their life to it. All people need food, not just those with the means to produce their own. And, yes, all people need computers, not just those who are experts.

      We experts have jobs because we're supposed to help these other people. Having a skill doesn't make you special. It just makes you useful. Being useful doesn't give you the right to be an asshole.

      --
      The road to tyranny has always been paved with claims of necessity.
  5. The really strange thing about this: by Dputiger · · Score: 4, Interesting

    Bitcoin mining on anything but ASICs is no longer profitable. Even on an R9 290X with an 80+ Platinum PSU, you're making maybe $1 - $2 a day. And the vast majority of people don't have anything like that equipment. CPU mining is so slow, you'll never complete any work before the block is finished. GPU mining is still fast enough to get some work done, provided you own an AMD GPU.

    But Nvidia GPUs don't mine BTC for beans and most mining kernels will crash an NV card or lead to rampant slowdowns and random lockups. Even an AMD card needs a low priority miner to escape the kind of UI chokeup that immediately alerts someone to a problem in the system. This might have made sense in 2010, when CPUs could still mine, but these days the return on investment is going to be terrible -- and the performance hit is big enough that people *will* notice.

    1. Re:The really strange thing about this: by NoNonAlphaCharsHere · · Score: 5, Informative

      That's the whole point: there's no investment at all if it's running on somebody else's machine.

    2. Re:The really strange thing about this: by DingerX · · Score: 2

      Who cares? If your freebie gets 100k installs, and only 1000 of them still work, you can probably count on $500/day, recoup your dev costs and make some money faster than you can say "Unconscionable".

      Yeah, there is that. A EULA that crypto-tries to say "in exchange, you agree for us to take over your computer and use it to crank out money" is no good.

    3. Re:The really strange thing about this: by ledow · · Score: 3, Interesting

      http://mining.thegenesisblock.com/

      Select the hardware, look at the cost (just underneath it), see how many actually make a profit (in blue on the right) after a few months, how many after an entire year, and how many never make one (profit in red and bracketed).

      Quite a lot of the companies have NOTHING on there that generates profit at all (including the new USB ASIC miners, for instance, as I said).

      The ones that do make a profit, you need a few thousand of dollars investment, hope the difficulty doesn't go up, and you might make a few hundred dollars for 6 months until they start to make a loss. The ones that make thousands of dollars cost over $10,000 in the first place.

      And next year, you will be worse off again.

      Not saying you can't make profit. Saying that when you take into account the hassle, the cost, the difficulty changes, and the risk, you'll be lucky to make more than your bank would have given you for the same amount of cash in a savings account. And at least that doesn't "devalue" over time.

    4. Re:The really strange thing about this: by Bert64 · · Score: 2

      Current generation ASICs are capable of hashing bitcoin faster than supercomputers, which consist of thousands of high end CPUs running 24/7...
      Your network of compromised computers won't all be running 24/7, won't all be the latest processors and won't have exclusive use of the CPU...

      Incidentally this article isn't talking about bitcoin, but about an alternative coin which works similarly to bitcoin but using a different proof of work algorithm, one that is designed to be less suited to GPU and ASIC implementation, while also being less popular and thus having less competition (and much lower value).

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    5. Re:The really strange thing about this: by R3d+M3rcury · · Score: 2

      Well, consider an alternative: Putting ads in your application. That might get you a few cents per day. Getting $50 a day from an application sounds like a pretty good deal to me.

  6. Re:Names please by k2r · · Score: 2

    I should have understood the article, first.

    From the article it seems to be
    www.yourfreeproxy.net

    Well, who would not want to install an application that redirects all of their network traffic through their servers FOR FREE?

  7. Re:Names please by mr_jrt · · Score: 4, Insightful

    I should have understood the article, first.

    From the article it seems to be
    www.yourfreeproxy.net

    Well, who would not want to install an application that redirects all of their network traffic through their servers FOR FREE?

    Someone not very technical wanting to bypass their government's mandated filtering?

    --
    Boo.
  8. theft of electricity... by AndroSyn · · Score: 2

    Remember when all the crackers could be charged with was, "Theft of Electricity"? Now this is actual real theft of electricity.

  9. CPU: Choose the right coin (not Bitcoin) by DrYak · · Score: 4, Informative

    I'd imagine that the fact that even GPU mining is a fairly dubious proposition at this point (I can't remember if the increases in price lately allow it to still be viable if the hardware costs are already sunk but you need to pay the electric bill; but the FPGAs and ASICs aren't getting any slower or less numerous)

    Indeed, for *Bitcoin*, anything under a high-end ASIC (dozens or more GH/s) is worthless and a huge waste of electricity and heat.

    even donated or stolen CPU time would be close to worthless, even if doing it in Javascript doesn't impose much overhead...

    The trick is choosing the correct crypto coin: there's a whole zoo of them.
    Some rely on SHA256^2 hashing like bitcoin, others rely on hashing algorithms for which only CPU implementations exist (Primecoin is a nice example, and also doubles by doing actually useful computations instead of just plain brute-forcing hashes).

    In fact TFA article is wrong, this isn't a Bitcoin miner. This is a miner for Protoshare, which is currently mostly mined on CPUs.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]