Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA

Posted by timothy on from the informed-consent-it-ain't dept.

hypnosec writes "Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system consuming valuable CPU time without explicitly asking for user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested for assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner 'jhProtominer,' a popular mining software that runs via the command line". However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."

22 of 194 comments (clear)

  1. Free Software by Anonymous Coward · · Score: 5, Insightful

    This is why you should use free software from a reputable source, such as Debian GNU/Linux.

    1. Re:Free Software by Runaway1956 · · Score: 5, Insightful

      Agreed - but you can't convince the unwashed masses. It's great having a "trusted repository" from which to pull almost all your applications. It's even better that you can browse the source code before compiling, to be halfway sure that the software does what it claims, and nothing "extra".

      Admittedly, I'm not qualified to really examine all that source code, but I can and do browse through it from time to time.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    2. Re:Free Software by khellendros1984 · · Score: 4, Informative

      How soon before websites try using the CPU of visitors to mine bitcoin? Would that be possible?

      It's been done. Link goes to a Javascript-based bitcoin miner that you can embed in a webpage.

      --
      It is pitch black. You are likely to be eaten by a grue.
    3. Re:Free Software by gutnor · · Score: 3, Insightful

      The vast majority of the software use would not be able to read the source at all.

      What they can do is asked other people that can if the software is ok or not. At that stage it does not matter if the code is open source or not. If the community, like malware listing site or others, has vetted the software, it is as good guarantee as they will ever have. Having the source code just make our job easier when trying to help guys with problem.

    4. Re:Free Software by lgw · · Score: 4, Interesting

      I think there's a big future for a testing company, like Underwriter's Labs is for physical goods, to do just that. Anyone big or small can send them code to review, and pay a fee, and they'll certify the resulting binary as trouble-free, at least to level of confidence you's expect from a good app store or distro (acknowledging that sufficiently clever malware can hide anywhere, but forcing it to be really clever would probably fix 99% of the problem),

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Incorrect by Frosty+Piss · · Score: 5, Insightful

    Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. ... However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves

    Incorrect.

    Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Incorrect by mysidia · · Score: 4, Insightful

      Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

      I agree with you about it not being "legitimate"; HOWEVER, certain major vendors have a conflicting opinion; including the operators of sites such as Download.com and Sourcforge.net.

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      Unfortunately; we ultimately need some prescriptive guidelines for consumer software.

      And probably a regulatory regime... including certification marks; example a "SafeSoftware" seal for publishers, similar to the idea behind TRUSTe ---- if the software isn't digitally signed by a vendor holding a SafeSoftware seal; then perhaps, your browser should warn you before releasing the file to the Downloads folder

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

    2. Re:Incorrect by AlphaWolf_HK · · Score: 4, Insightful

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

      Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    3. Re:Incorrect by dkf · · Score: 3, Informative

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      They might be able to claim that, but it doesn't mean that courts would necessarily agree. Consumers typically have greater legal protections than companies precisely because they are usually so much less skilled in contract law. This applies in many areas of commerce; for someone to say that computer software should be exempt from this principle is entirely unrealistic.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    4. Re:Incorrect by johndoe42 · · Score: 4, Insightful

      Or we could finally fix the law and declare EULAs to be unenforceable. Unilateral contracts like EULAs are out of control.

    5. Re:Incorrect by geminidomino · · Score: 3, Insightful

      I think you underestimate the time needed to generate a bitcoin.

    6. Re:Incorrect by rhysweatherley · · Score: 4, Interesting

      Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

      Depends on the regulations: "Commercial software can pick from one of the 5 following standard commercial licenses: ... Any commercial software license that deviates from a Standard License reverts to Standard License Type 1 wherever its EULA conflicts with this regulation. Software that complies with the Open Source Definition or otherwise allows the user to inspect the source code and remove unwanted features independently is exempt from this section."

      You are then perfectly free to make money from your software. Pick whichever one of the standard licenses suits your purpose and carry on. But what you cannot do is employ a lawyer to invent a creative way to screw your users in the fine print. If you do, your license is automatically torn up and replaced with something sane.

    7. Re:Incorrect by Anonymous Coward · · Score: 5, Insightful

      If you have to piggy-back on another app in order to get downloaded, you're malware. If the download screen only talks about the main app with no mention of your piggy-back app, you're malware. If you have to hide your software description in the EULA (needlessly but commonly embedded inside a tiny scroll window) to avoid scrutiny, you're malware. If you weasel-word the software description (math calculations?) instead of being forthright, you're malware. If you will not cleanly uninstall when the user uninstalls you, you're malware.

  3. "potentially unwanted programs" by Anonymous Coward · · Score: 5, Insightful

    Is "potentially unwanted programs" the new politicaly correct term for malware? It's OK to call it malware, even if the user technically-allegedly-probablynot signed an EULA allowing it.

    If it runs an unauthorized bitcoin miner, stealing your cycles and electricity, it's malware. No exceptions.

    1. Re:"potentially unwanted programs" by Linsaran · · Score: 3, Insightful

      Potentially Unwanted Programs are not quite malware, though in many cases I'd argue are worse. PUPs are generally stuff like 'WOMG Awesome Toolbar', 'Internet Coupon Printer 3000', "Free smilies wacky mouse pointers' and Java.

      They're legitimate in the sense that they won't exploit vulnerabilities in your system to install themselves, or (generally) ignore (or interfere with) attempts to remove them from your computer. They might even propose to have some sort of functionality that a user could want. The reality is that the functionality they generally offer is limited at best, and may even be inferior to the native functionality of the computer. They often slow your machine down, eating up your CPU cycles, opening up your computer to additional vulnerabilities, stealing your personal information to sell to advertisers, and generally speaking are not really useful to or needed by the people who have them installed on their computers.

      --
      In a bit of shameless internet panhandling, I accept Litecoin Donations at Lbd2oH9QsthD1GfuUXPyka12YxvWJYnBVf
  4. One Word: CNet by Frosty+Piss · · Score: 5, Interesting

    End users need to learn to be responsible for their own systems.

    True to a certain extent. But think about downloads from CNet.

    Isn't CNet a trustworthy source? No? It certainly LOOKS like a trustworthy source. It's not a warez site, right?

    But of course most /. folks know otherwise, we know that CNet is one the major sources of malware.

    Also, please remember that not everyone who uses a computer is an "IT pro". This should not be necessary to avoid shit like this crap.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:One Word: CNet by Bacon+Bits · · Score: 4, Insightful

      And there is the problem. People pay hundreds or thousands for a computer and still want to treat it as an appliance like their toaster. Why should I give a shit about their safety if they don't give a shit about it?

      Yes, I'm sure auto mechanics, carpenters, doctors, soldiers, and farmers all think the same thing when they get up to do their daily work.

      The fact is, all people need medicine, not just those who are experts. All people need homes, not just those that can build them. All people need their vehicles repaired, not just those who can do it themselves. All people need their nation defended, not just those who can devote their life to it. All people need food, not just those with the means to produce their own. And, yes, all people need computers, not just those who are experts.

      We experts have jobs because we're supposed to help these other people. Having a skill doesn't make you special. It just makes you useful. Being useful doesn't give you the right to be an asshole.

      --
      The road to tyranny has always been paved with claims of necessity.
  5. The really strange thing about this: by Dputiger · · Score: 4, Interesting

    Bitcoin mining on anything but ASICs is no longer profitable. Even on an R9 290X with an 80+ Platinum PSU, you're making maybe $1 - $2 a day. And the vast majority of people don't have anything like that equipment. CPU mining is so slow, you'll never complete any work before the block is finished. GPU mining is still fast enough to get some work done, provided you own an AMD GPU.

    But Nvidia GPUs don't mine BTC for beans and most mining kernels will crash an NV card or lead to rampant slowdowns and random lockups. Even an AMD card needs a low priority miner to escape the kind of UI chokeup that immediately alerts someone to a problem in the system. This might have made sense in 2010, when CPUs could still mine, but these days the return on investment is going to be terrible -- and the performance hit is big enough that people *will* notice.

    1. Re:The really strange thing about this: by NoNonAlphaCharsHere · · Score: 5, Informative

      That's the whole point: there's no investment at all if it's running on somebody else's machine.

    2. Re:The really strange thing about this: by ledow · · Score: 3, Interesting

      http://mining.thegenesisblock.com/

      Select the hardware, look at the cost (just underneath it), see how many actually make a profit (in blue on the right) after a few months, how many after an entire year, and how many never make one (profit in red and bracketed).

      Quite a lot of the companies have NOTHING on there that generates profit at all (including the new USB ASIC miners, for instance, as I said).

      The ones that do make a profit, you need a few thousand of dollars investment, hope the difficulty doesn't go up, and you might make a few hundred dollars for 6 months until they start to make a loss. The ones that make thousands of dollars cost over $10,000 in the first place.

      And next year, you will be worse off again.

      Not saying you can't make profit. Saying that when you take into account the hassle, the cost, the difficulty changes, and the risk, you'll be lucky to make more than your bank would have given you for the same amount of cash in a savings account. And at least that doesn't "devalue" over time.

  6. Re:Names please by mr_jrt · · Score: 4, Insightful

    I should have understood the article, first.

    From the article it seems to be
    www.yourfreeproxy.net

    Well, who would not want to install an application that redirects all of their network traffic though their servers FOR FREE?

    Someone not very technical wanting to bypass their government's mandated filtering?

    --
    Boo.
  7. CPU: Choose the right coin (not Bitcoin) by DrYak · · Score: 4, Informative

    I'd imagine that the fact that even GPU mining is a fairly dubious proposition at this point (I can't remember if the increases in price lately allow it to still be viable if the hardware costs are already sunk but you need to pay the electric bill; but the FPGAs and ASICs aren't getting any slower or less numerous)

    Indeed, for *Bitcoin*, anything under a high-end ASIC (dozens or more GH/s) is worthless and a huge waste of electricty and heat.

    even donated or stolen CPU time would be close to worthless, even if doing it in Javascript doesn't impose much overhead...

    The trick is choosing the correct crypto coin: there's a whole zoo of them.
    Some rely on SHA256^2 hashing like bitcoin, other rely on hashing algorithme for which only CPU implementations do exist (Primecoin is a nice example, and also doubles by doing actually useful computations instead of just plain brute-forcing hashes).

    In fact TFA article is wrong, this isn't a Bitcoin miner. This is a miner for Protoshare, which is currently mostly mined on CPUs.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]