Bitcoin miners bundled with PUPs in legitimate applications backed by EULA


Bitcoin miners are allegedly being bundled with third-party potentially unwanted programs (PUPs) that ship alongside legitimate applications, a new report indicates.

According to a report by security company Malwarebytes, third-party applications that come bundled with legitimate applications, commonly known as potentially unwanted programs/applications (PUPs/PUAs), now come integrated with Bitcoin miners.

These miners surreptitiously carry out Bitcoin mining operations on the user’s system, consuming valuable CPU time without explicitly asking for the user’s consent. Because of the extensive mathematical calculations involved, the mining operation consumes a lot of CPU resources and renders the user’s system almost useless for regular operations.

Malwarebytes first came across such an instance of a Bitcoin miner when one of the users of its software requested assistance on November 22 through a forum post. The user revealed that a process named “jh1d.exe” was taking up over 50 percent of the CPU resources and that the executable kept re-appearing even after manual deletion. The user noted that even when the executable was deleted using the “moveonboot to remove it at the next boot” feature of MBM, it “manifests & executes” with a new filename, “jh1c.exe”.

“We did some research and found out that the file in question was a Bitcoin Miner known as ‘jhProtominer’, a popular mining software that runs via the command line,” notes Malwarebytes. Upon further investigation, Malwarebytes found that the parent of the Bitcoin miner was “monitor.exe”, a part of the YourFreeProxy application, which “beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system.”
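The behaviour reported above (the miner returning under a new filename while its parent process stays the same) suggests keying detection on process lineage rather than on image name. The following is an added example, not code from Malwarebytes or from the original article; the snapshot format, PIDs, CPU figures and the three-sample rule are constructed assumptions.

```python
from collections import defaultdict

CPU_THRESHOLD = 50.0               # percent; the user reported "over 50 percent"
MIN_SAMPLES = 3                    # assumption: consecutive hot samples = sustained
SUSPECT_PARENTS = {"monitor.exe"}  # parent process named in the report

# Constructed snapshots, one list per polling interval: (pid, ppid, image, cpu %).
# Between samples 2 and 3 the miner is deleted and respawns under a new name.
SNAPSHOTS = [
    [(812, 400, "monitor.exe", 0.5), (1310, 812, "jh1d.exe", 57.0), (900, 400, "chrome.exe", 61.0)],
    [(812, 400, "monitor.exe", 0.4), (1310, 812, "jh1d.exe", 63.0), (900, 400, "chrome.exe", 12.0)],
    [(812, 400, "monitor.exe", 0.6), (1544, 812, "jh1c.exe", 55.0), (900, 400, "chrome.exe", 8.0)],
    [(812, 400, "monitor.exe", 0.5), (1544, 812, "jh1c.exe", 60.0), (900, 400, "chrome.exe", 9.0)],
]

def max_streak_by_name(snapshots, threshold=CPU_THRESHOLD):
    """Naive baseline: longest run of hot samples per image name."""
    run, best = defaultdict(int), defaultdict(int)
    for snap in snapshots:
        hot = {name for _, _, name, cpu in snap if cpu > threshold}
        for name in set(run) | hot:
            run[name] = run[name] + 1 if name in hot else 0
            best[name] = max(best[name], run[name])
    return dict(best)

def find_miner_lineage(snapshots, parents=SUSPECT_PARENTS,
                       threshold=CPU_THRESHOLD, min_samples=MIN_SAMPLES):
    """Flag a suspect parent whose children stay hot, whatever they are named."""
    streak, names, findings = defaultdict(int), defaultdict(list), {}
    for snap in snapshots:
        parent_pids = {pid: name for pid, _, name, _ in snap if name.lower() in parents}
        for ppid, pname in parent_pids.items():
            hot = [n for _, pp, n, cpu in snap if pp == ppid and cpu > threshold]
            if not hot:                      # lineage went quiet: start over
                streak[ppid], names[ppid] = 0, []
                continue
            streak[ppid] += 1
            names[ppid] += [n for n in hot if n not in names[ppid]]
            if streak[ppid] >= min_samples:
                findings[ppid] = {"parent": pname, "children": list(names[ppid]),
                                  "samples": streak[ppid]}
    return findings

if __name__ == "__main__":
    print("per-name streaks:", max_streak_by_name(SNAPSHOTS))
    print("lineage findings:", find_miner_lineage(SNAPSHOTS))
```

Per-name tracking never reaches the sustained threshold because the filename rotates, while the lineage view attributes all four hot samples to the same parent.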

The application's EULA contains a specific clause, clause 3, titled “WBT Features on the Mutual Public Installer”, that reads: “COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.”

These “computer calculations” imply Bitcoin mining, and the clause means that the company behind the software can and will install Bitcoin miners, use system resources to perform the operations required to mine Bitcoins, and keep the rewards for themselves.