
Bitcoin Miners Bundled With PUPs In Legitimate Applications Backed By EULA 194

hypnosec writes "Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. These miners surreptitiously carry out Bitcoin mining operations on the user's system, consuming valuable CPU time without explicitly asking for the user's consent. Malwarebytes, the company which found evidence of these miners, first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that 'jh1d.exe' was taking up over 50 percent of the CPU resource and even after manual deletion the executable was re-appearing. Malwarebytes dug deeper into this and found traces of a miner 'jhProtominer,' a popular mining software that runs via the command line. However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves."
  • Free Software (Score:5, Insightful)

    by Anonymous Coward on Saturday November 30, 2013 @02:14PM (#45562571)

    This is why you should use free software from a reputable source, such as Debian GNU/Linux.

    • Re:Free Software (Score:5, Insightful)

      by Runaway1956 ( 1322357 ) on Saturday November 30, 2013 @03:00PM (#45562851) Homepage Journal

      Agreed - but you can't convince the unwashed masses. It's great having a "trusted repository" from which to pull almost all your applications. It's even better that you can browse the source code before compiling, to be halfway sure that the software does what it claims, and nothing "extra".

      Admittedly, I'm not qualified to really examine all that source code, but I can and do browse through it from time to time.

      • Also, the repository package managers are all shit on Windows. (Yes, there are some.)

      • Re:Free Software (Score:4, Insightful)

        by gutnor ( 872759 ) on Saturday November 30, 2013 @07:37PM (#45564217)

        The vast majority of the software users would not be able to read the source at all.

        What they can do is ask other people that can if the software is ok or not. At that stage it does not matter if the code is open source or not. If the community, like malware listing site or others, has vetted the software, it is as good guarantee as they will ever have. Having the source code just makes our job easier when trying to help guys with problem.

        • Re:Free Software (Score:5, Interesting)

          by lgw ( 121541 ) on Saturday November 30, 2013 @08:35PM (#45564629) Journal

          I think there's a big future for a testing company, like Underwriter's Labs is for physical goods, to do just that. Anyone big or small can send them code to review, and pay a fee, and they'll certify the resulting binary as trouble-free, at least to the level of confidence you'd expect from a good app store or distro (acknowledging that sufficiently clever malware can hide anywhere, but forcing it to be really clever would probably fix 99% of the problem),

          • by TheLink ( 130905 )

            It is hard to certify some program is trouble-free - that's arguably harder than solving the halting-problem- since you aren't provided the full inputs and code (the program might download additional code).

            So I proposed something like this:
            https://bugs.launchpad.net/ubuntu/+bug/156693 [launchpad.net]
            https://bugzilla.novell.com/show_bug.cgi?id=308760 [novell.com]

            Trusted parties ( including 3rd parties) could sign the app and its sandbox.

            My proposal is a bit like working around the halting problem by forcibly limiting how long the progra

          • I think there's a big future for a testing company, like Underwriter's Labs is for physical goods, to do just that. Anyone big or small can send them code to review, and pay a fee, and they'll certify the resulting binary as trouble-free, at least to the level of confidence you'd expect from a good app store or distro (acknowledging that sufficiently clever malware can hide anywhere, but forcing it to be really clever would probably fix 99% of the problem),

            This. So what if some company certifies the code as non-toxic? For every legit code certifying company that goes online, there will be a hundred phishing sites popping up over-night to take advantage of it. The problem is not toxic code --- the problem is the toxic levels of foolishness and naivete of the vast majority of users on the net.

    • by wbr1 ( 2538558 )

      This is why you should use free software from a reputable source, such as Debian GNU/Linux.

      Like sourceforge? /sarcasm

  • Incorrect (Score:5, Insightful)

    by Frosty Piss ( 770223 ) * on Saturday November 30, 2013 @02:14PM (#45562575)

    Bitcoin miners are being integrated with third party potentially unwanted programs (PUPs) that come bundled with legitimate applications. ... However, it seems that the company behind the application has a specific clause 3 in EULA that talks about mathematical calculations similar to Bitcoin mining operation. This means that the company behind the software can and will install Bitcoin miners and use system resources to perform operations as required to mine Bitcoins and keep the rewards for themselves

    Incorrect.

    Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

    • Re:Incorrect (Score:5, Insightful)

      by mysidia ( 191772 ) on Saturday November 30, 2013 @02:43PM (#45562729)

      Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

      I agree with you about it not being "legitimate"; HOWEVER, certain major vendors have a conflicting opinion; including the operators of sites such as Download.com and Sourceforge.net.

      The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

      Unfortunately; we ultimately need some prescriptive guidelines for consumer software.

      And probably a regulatory regime... including certification marks; example a "SafeSoftware" seal for publishers, similar to the idea behind TRUSTe ---- if the software isn't digitally signed by a vendor holding a SafeSoftware seal; then perhaps, your browser should warn you before releasing the file to the Downloads folder

      Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

      • Re:Incorrect (Score:5, Insightful)

        by AlphaWolf_HK ( 692722 ) on Saturday November 30, 2013 @02:52PM (#45562801)

        Then we could use something like an FDA, as it were, to regulate the labelling and safety of software sold to consumers, or provided as a free download.

        Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

        • Yes, because I would just love having to go through regulatory channels ...

          No one would ever require that from small producers. After all, if you have just a couple of cows and want to sell a little raw milk and some craft cheese from your small farm, no one would ever interfere with that. That would be silly.

          Oh. ... Wait. ...

          • by ewieling ( 90662 )
            From a bottle of honey in my pantry: "Made in a cottage food operation that is not subject to Florida's food safety regulations." Unpasteurized (raw) milk is not covered under the Florida cottage food law, though you can still sell raw milk for "pet consumption". My point is that there ARE reasonable rules for many "cottage" products.
        • by mysidia ( 191772 )

          Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

          I would say you should be exempt, providing -- (1) You don't generate any significant revenue from the software, from your users, for you, or any third party --- OR substantially all revenue generated was obtained from selling upfront licenses, less than $10,000, AND (2) You don't partner with a distributor who generates significant r

          • by fatphil ( 181876 )
            > downloading your software should just come with a disclaimer, that it has not been audited and inspected

            Or ... come with (an offer of) source?
        • Re:Incorrect (Score:5, Interesting)

          by rhysweatherley ( 193588 ) on Saturday November 30, 2013 @08:32PM (#45564601)

          Yes, because I would just love having to go through regulatory channels and potentially paying fees in order to publish software that I don't even make any money from.

          Depends on the regulations: "Commercial software can pick from one of the 5 following standard commercial licenses: ... Any commercial software license that deviates from a Standard License reverts to Standard License Type 1 wherever its EULA conflicts with this regulation. Software that complies with the Open Source Definition or otherwise allows the user to inspect the source code and remove unwanted features independently is exempt from this section."

          You are then perfectly free to make money from your software. Pick whichever one of the standard licenses suits your purpose and carry on. But what you cannot do is employ a lawyer to invent a creative way to screw your users in the fine print. If you do, your license is automatically torn up and replaced with something sane.

      • Re:Incorrect (Score:4, Informative)

        by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Saturday November 30, 2013 @04:54PM (#45563441) Homepage

        The trouble is; they're able to hide behind the EULA, and if they are aggressive --- they can sue and win against anyone calling their software malware, since the behavior is "disclosed" as expected operation of the software.

        They might be able to claim that, but it doesn't mean that courts would necessarily agree. Consumers typically have greater legal protections than companies precisely because they are usually so much less skilled in contract law. This applies in many areas of commerce; for someone to say that computer software should be exempt from this principle is entirely unrealistic.

      • Re:Incorrect (Score:5, Insightful)

        by johndoe42 ( 179131 ) on Saturday November 30, 2013 @06:29PM (#45563759)

        Or we could finally fix the law and declare EULAs to be unenforceable. Unilateral contracts like EULAs are out of control.

        • I'm starting to wonder if we aren't going about this backwards. Maybe we should be coming up with a way for the computer owner to dictate a EULA to software, and tell it what it is allowed to do and how it's allowed to run. i.e. Instead of UAE in essence asking "do you want to allow this software to install and do whatever it likes?", it could ask "based on your understanding of what the program you're installing will do, should it be able to do...", followed by a bunch of check boxes and sliders.

          So yo
      • We could also adopt the truly revolutionary step of taking the theory that contracts actually reflect an 'agreement' between two contracting partners and applying it to the assorted contracts of adhesion that dominate the entire consumer side of the economy, with software simply one example among many, and hardly the most dangerous...

        So long as you can 'consent' to mandatory binding arbitration in the kangaroo court of the company's choice, without further recourse, by clicking through some clickwrap, fi
      • Apple, in my mind, have solved the problem in the best way possible in (Mac) OS X. By only allowing the system to install signed (and thus hopefully vetted) software, many of these rogue applications just flat-out cannot be installed by the user. Obviously, any mechanism like this is only good if there's a way to turn it off, and indeed Mac OS X provides that capability. By restricting what Joe Idiot can and cannot install means that Joe Idiot is less likely to get crap installed on his computer. And for th
        • By restricting what Joe Idiot can and cannot install means that Joe Idiot is less likely to get crap installed on his computer.

          Just because Joe does not know computers, does not mean that Joe is an idiot. Or that you are smarter than he is.

      • Re:Incorrect (Score:5, Insightful)

        by Anonymous Coward on Saturday November 30, 2013 @09:06PM (#45564829)

        If you have to piggy-back on another app in order to get downloaded, you're malware. If the download screen only talks about the main app with no mention of your piggy-back app, you're malware. If you have to hide your software description in the EULA (needlessly but commonly embedded inside a tiny scroll window) to avoid scrutiny, you're malware. If you weasel-word the software description (math calculations?) instead of being forthright, you're malware. If you will not cleanly uninstall when the user uninstalls you, you're malware.

    • by gl4ss ( 559668 )

      http://www.thefreedictionary.com/legitimate [thefreedictionary.com]

      dunno what's so hard about the word.

      • Doesn't matter what the law says. If anything from any source is using my computer for any purpose which was hidden, disguised, or obfuscated from me, then it is an illegitimate use. Full disclosure, with explicit permission, or it's illegitimate.

        • by gl4ss ( 559668 )

          there was full disclosure via text of eula and explicit permission given when pressing yes to it. problem of course being that people don't read the things(nobody does). but even if it had a blinking fullscreen dialog that spelled out that they will use your computers cpu and your electricity to make money people would still press yes, if it was a necessary step for installing software that they for some reason or another wanted to install. most adware addons nowadays are quite clear in the installers what

        • Re: (Score:2, Interesting)

          by Carewolf ( 581105 )

          Doesn't matter what the law says. If anything from any source is using my computer for any purpose which was hidden, disguised, or obfuscated from me, then it is an illegitimate use. Full disclosure, with explicit permission, or it's illegitimate.

          That would make the Chrome browser illegitimate. Most people are not aware that it is spyware and it is not advertised as spyware, it just mentions it deep in an EULA (much like the application in this story does about being bitcoin miners).

          The problem is that a

    • That's "Legitimate" as in "Legitimate Businessmen".
    • That's not the only incorrect thing.

      The mined coin isn't bitcoin, it's protoshare.

    • by tlhIngan ( 30335 )

      Software that includes "PUPs" from the original software producer is not "legitimate". Any company with a EULA such as the one described is not a "legitimate" software company.

      Depends - ad-supported programs are a big industry as seen by Android apps. Though, even Android and iOS are not immune - a new plugin for Unity installs a passive Bitcoin miner [pocketgamer.biz].

      If you're an app developer using the free-to-play model (or freemium), it's another option to consider. And given PC gaming is also going towards the freemium m

  • by Anonymous Coward on Saturday November 30, 2013 @02:17PM (#45562581)

    Is "potentially unwanted programs" the new politically correct term for malware? It's OK to call it malware, even if the user technically-allegedly-probablynot signed an EULA allowing it.

    If it runs an unauthorized bitcoin miner, stealing your cycles and electricity, it's malware. No exceptions.

    • As i understand it, there was some concern about something like this [slashdot.org] happening to anti-malware organizations. So, call it "pups" instead. Everyone knows, or will soon know, what you really mean, but it's technically hard to argue that it's slander.

    • by Linsaran ( 728833 ) on Saturday November 30, 2013 @02:40PM (#45562713) Homepage

      Potentially Unwanted Programs are not quite malware, though in many cases I'd argue are worse. PUPs are generally stuff like 'WOMG Awesome Toolbar', 'Internet Coupon Printer 3000', 'Free smilies wacky mouse pointers' and Java.

      They're legitimate in the sense that they won't exploit vulnerabilities in your system to install themselves, or (generally) ignore (or interfere with) attempts to remove them from your computer. They might even propose to have some sort of functionality that a user could want. The reality is that the functionality they generally offer is limited at best, and may even be inferior to the native functionality of the computer. They often slow your machine down, eating up your CPU cycles, opening up your computer to additional vulnerabilities, stealing your personal information to sell to advertisers, and generally speaking are not really useful to or needed by the people who have them installed on their computers.

      • by dkf ( 304284 )

        Potentially Unwanted Programs are not quite malware, though in many cases I'd argue are worse. PUPs are generally stuff like 'WOMG Awesome Toolbar', 'Internet Coupon Printer 3000', 'Free smilies wacky mouse pointers' and Java.

        What, like Windows 8 which came with all those Metro apps (which I've never seen a user actually want)?

    • Is "potentially unwanted programs" the new politically correct term for malware? It's OK to call it malware, even if the user technically-allegedly-probablynot signed an EULA allowing it.

      If it runs an unauthorized bitcoin miner, stealing your cycles and electricity, it's malware. No exceptions.

      I love Bitcoin, it's so honest, so fair, so real, so future-proof.

    • by N1AK ( 864906 )
      If you say when it tells you that it can install a bitcoin miner then it isn't running an unauthorised miner. We can argue all day about the idea that EULAs should mean anything, and we'd probably agree, but the EULA tells users this is what they'll do so it's not unauthorised.

      I'm sure the people offering programs with a bitcoin miner would be perfectly happy to provide a version without a miner that costs $1 or something equally nominal (it's not like a typical home pc is getting much from mining these
      • If you say when it tells you that it can install a bitcoin miner then it isn't running an unauthorised miner. We can argue all day about the idea that EULAs should mean anything, and we'd probably agree, but the EULA tells users this is what they'll do so it's not unauthorised.

        The only problem with that argument is that the EULA misrepresents the purpose of the "calculations" which might invalidate the EULA:

        your computer may do mathematical calculations for our affiliated networks to confirm transaction

    • There is a huge gap between stealing personal information, and using electricity. Most people do not have anything other than the basic, integrated GPU that comes with commodity boxes. The amount of electricity stolen is nowhere near the typical mining expenditure.

      We need lines to be able to classify and differentiate, and your personal emotional response really doesn't help.

  • After all these years they figured out a way to make people pay for their software

    Along with winrar

  • And that's a big bump in electrical use these days. Especially if they're getting GPUs involved. My gaming rig's power consumption roughly triples under load. Then it cranks out the heat so my AC kicks in...

    • And that's a big bump in electrical use these days. Especially if they're getting GPUs involved.

      Not in this case. This miner isn't for Bitcoin but for another alt-coin (with a different algorithm) which is mostly mined on CPUs.

  • by Dputiger ( 561114 ) on Saturday November 30, 2013 @02:40PM (#45562709)

    Bitcoin mining on anything but ASICs is no longer profitable. Even on an R9 290X with an 80+ Platinum PSU, you're making maybe $1 - $2 a day. And the vast majority of people don't have anything like that equipment. CPU mining is so slow, you'll never complete any work before the block is finished. GPU mining is still fast enough to get some work done, provided you own an AMD GPU.

    But Nvidia GPUs don't mine BTC for beans and most mining kernels will crash an NV card or lead to rampant slowdowns and random lockups. Even an AMD card needs a low priority miner to escape the kind of UI chokeup that immediately alerts someone to a problem in the system. This might have made sense in 2010, when CPUs could still mine, but these days the return on investment is going to be terrible -- and the performance hit is big enough that people *will* notice.

    • by NoNonAlphaCharsHere ( 2201864 ) on Saturday November 30, 2013 @02:43PM (#45562723)
      That's the whole point: there's no investment at all if it's running on somebody else's machine.
    • by DingerX ( 847589 )
      Who cares? If your freebie gets 100k installs, and only 1000 of them still work, you can probably count on $500/day, recoup your dev costs and make some money faster than you can say "Unconscionable".

      Yeah, there is that. A EULA that crypto-tries to say "in exchange, you agree for us to take over your computer and use it to crank out money" is no good.
      • Who cares? If your freebie gets 100k installs, and only 1000 of them still work.

        But instead of actually mining *Bitcoin* (have no idea where that idea came from) which will probably bring you 10$ a day,
        do like TFA and install something which mines a different alt-coin powered by an algorithm which only runs on CPUs.

        TFA's example is actually a Protoshare miner.

        PrimeCoin is another example which is still mined mostly on CPUs (and in addition to mining also produces scientific data)

        Then there are stuff like Quark Coin which use all the candidate for SHA-3 as hashing algo (and don't have g

    • by ledow ( 319597 )

      From what I see on the various online calculators for these sorts of things, the kind of ASICs you could afford are no longer profitable even now. You make a net loss on electricity even on the cheap, low-power USB device. You have to spend about $2000-3000 on a dedicated machine with dozens of ASICs in order to actually make any profit.

      And when you project into the future for the difficulty changes, etc., you'll find they are barely profitable for a year or two.

      CPU mining is worthless. Even with a whole

      • by tftp ( 111690 )

        We're reaching the top of the curve for bitcoin mining, long before all the possible coins are "found".

        This means that at some point the remaining coins wouldn't be searched for. For that to be economical, each coin would have to cost a $1M or something. If that's not the case, there is no reason to bother. It's exactly as I don't walk the streets looking for lost coins, wallets, or jewelry. I guess I could get some revenue this way, but it makes no sense - there are better ways to make money.

        ASIC mini

        • by ledow ( 319597 )

          You can pay a transaction fee to speed your transaction. It's assumed that when all the coins are mined, people will make money from this transaction fee instead.

          But all coins aren't mined yet, so there's still a once-in-a-year/decade/whatever chance that you'll generate a whole coin, so people won't stop mining for a while yet. And a whole coin is worth several thousand at the moment. It won't be "profitable" but people will still be mining on the off-chance of a windfall, I suspect.

        • by Bert64 ( 520050 )

          You won't get to a situation where no one is mining at all, as those for whom mining is no longer profitable stop mining, the share of profits for those who remain will go up and the difficulty goes down. Eventually you will hit a plateau where the people with cheap electricity and the latest asics will make money and no one else will bother.

        • If nobody mines anymore, how will the network operate? There is nothing on the horizon, and the difficulty would make it prohibitive anyway.

          The difficulty is set to keep the rate at which miners successfully create blocks roughly constant. If miners stop mining and the total network hashrate drops then the difficulty will also drop.
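
The adjustment described in the comment above, shown as an added example that is not part of the original thread: a simplified, deterministic Python model of Bitcoin's retargeting rule (2016-block periods, 10-minute target spacing, change clamped to a factor of 4 per period). The function names, the 2^32 hashes-per-difficulty approximation and the sample hashrates are assumptions made for illustration.

```python
"""Simplified model of Bitcoin-style difficulty retargeting (added illustration).

Block times here are expected values, not random draws, so the output is
deterministic. Real nodes work on compact targets and measured timestamps.
"""

RETARGET_INTERVAL = 2016         # blocks between difficulty adjustments
TARGET_SPACING = 600             # intended seconds per block (10 minutes)
MAX_ADJUST = 4                   # a single adjustment is clamped to 4x up or down
HASHES_PER_DIFFICULTY = 2 ** 32  # approximate expected hashes per block at difficulty 1

TARGET_TIMESPAN = RETARGET_INTERVAL * TARGET_SPACING  # two weeks, in seconds


def expected_block_time(difficulty, hashrate):
    """Expected seconds per block for a network doing `hashrate` hashes/second."""
    return difficulty * HASHES_PER_DIFFICULTY / hashrate


def retarget(difficulty, actual_timespan):
    """Return the next period's difficulty from how long the last period took.

    A period that took longer than two weeks lowers the difficulty, a shorter
    one raises it; the measured timespan is clamped so one step moves the
    difficulty by at most a factor of MAX_ADJUST.
    """
    clamped = min(max(actual_timespan, TARGET_TIMESPAN / MAX_ADJUST),
                  TARGET_TIMESPAN * MAX_ADJUST)
    return difficulty * TARGET_TIMESPAN / clamped


def simulate(initial_difficulty, hashrates):
    """Run one retarget period per entry in `hashrates` (hashes/second).

    Returns a list of (difficulty_in_force, expected_block_time) tuples.
    """
    history = []
    difficulty = initial_difficulty
    for hashrate in hashrates:
        block_time = expected_block_time(difficulty, hashrate)
        history.append((difficulty, block_time))
        difficulty = retarget(difficulty, RETARGET_INTERVAL * block_time)
    return history


if __name__ == "__main__":
    # Constructed sample: a network at equilibrium (difficulty 600 at 2**32 H/s)
    # loses half of its miners, then 15/16 of them.
    scenarios = {
        "half the miners leave": [2 ** 32, 2 ** 31, 2 ** 31],
        "15/16 of the miners leave": [2 ** 28, 2 ** 28, 2 ** 28],
    }
    for label, hashrates in scenarios.items():
        print(label)
        for period, (difficulty, block_time) in enumerate(simulate(600.0, hashrates)):
            print(f"  period {period}: difficulty {difficulty:g}, "
                  f"{block_time / 60:g} min/block")
```

In the second scenario the clamp means recovery takes two periods, and those periods are themselves slow: the first 2016 blocks arrive at 160 minutes each before any adjustment happens.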

    • by gl4ss ( 559668 )

      it's profitable.

      it's just unprofitable if you have to pay for electricity or the machine investment. there is no investment in this method though. ..besides many of these machines do have gpu's.

    • Mining Bitcoins is unprofitable, yes. Mining some other coins (e.g. Litecoin) can still be profitable, even on a GPU. About $400/month with a high-end AMD at current difficulty.

    • This is the kind of thing where you can't see the forest for the trees - the problem is doing this on a massive scale as an addon to another application. As a company, you are not paying for equipment or electricity, only via your public image, and that requires someone to discover you're doing it first. It's like having a botnet mining coins for you. While you might not get a ton per computer infected, the total sum is going to be substantial over time.
  • Whenever I read something like this it makes me wonder what "plausible" software is the means of infection.
    I may be naive but I can not imagine that any of the companies and individuals I install stuff of on my machines would be shady enough.

    What stupid stuff from what shady source do I have to install to get a Bitcoin-Miner I didn't ask for?

    • by k2r ( 255754 )

      I should have understood the article, first.

      From the article it seems to be
      www.yourfreeproxy.net

      Well, who would not want to install an application that redirects all of their network traffic through their servers FOR FREE?

      • Re:Names please (Score:5, Insightful)

        by mr_jrt ( 676485 ) on Saturday November 30, 2013 @03:37PM (#45563067) Homepage

        I should have understood the article, first.

        From the article it seems to be
        www.yourfreeproxy.net

        Well, who would not want to install an application that redirects all of their network traffic through their servers FOR FREE?

        Someone not very technical wanting to bypass their government's mandated filtering?

  • If the EULA mentions mining of any kind and you accept it without reading it then you can't complain. The reason you have the EULA presented to you is because you're meant to read it.
  • Pretty sure that "free" chat client aggregator Digsby has been using CPU time on machines it's been installed on for ages - one of the reasons I don't recommend people use it.

    It's in section 15 of their TOS [digsby.com].

    Don't know if they've ever used this specifically for Bitcoin mining, but there's no reason they couldn't.

  • by AndroSyn ( 89960 ) on Saturday November 30, 2013 @04:02PM (#45563173) Homepage

    Remember when all the crackers could be charged with was, "Theft of Electricity"? Now this is actual real theft of electricity.
