
Potentially Unwanted Miners – Toolbar Peddlers Use Your System To Make BTC

Potentially Unwanted Programs, or PUPs as we like to call them, are things like toolbars, search agents, etc.: unnecessary junk for your desktop that usually involves monitoring your surfing/shopping habits and slowing down your system with sub-par software that ends up hurting you much more than helping.

A recent and unfortunate discovery by some of our users revealed that some of these programs do more than just cover your desktop in ads: they also steal your system's resources for mining purposes.

I have written two blog posts in the recent past about Bitcoin mining, as well as the various types of cybercrime getting involved in the Bitcoin hype, either by installing miners to crunch numbers on an infected user's system or by stealing Bitcoins directly from online Bitcoin wallet services.

This time, however, we are taking a look at a PUP that installs a Bitcoin miner on the user's system, not just for a quick buck but with the practice actually written into the software's EULA.

This type of system hijacking is just another way for advertising-based software to exploit a user for even more cash.


On Nov 22, we received a request for assistance from one of our users about a file that was taking up 50 percent of the resources on their system. After trying to remove it by deleting it, he found that it kept coming back. The filename was “jh1d.exe”.


We did some research and found that the file in question was a Protoshare miner (similar to a Bitcoin miner, but one that uses CPU and memory rather than the GPU) known as “jhProtominer”, a popular mining program that runs from the command line.

However, it wasn’t the miner recreating its own file and executing it, but a parent process known as “monitor.exe”. Monitor.exe was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC, or WBT.

We were able to find out the connection between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer.


Another product belonging to Mutual Public is known as Your Free Proxy. 


The website for YourFreeProxy is also owned by WBT LLC, according to a lookup of their domain name.


Your Free Proxy uses the Mutual Public Installer (monitor.exe), obtaining it from an Amazon cloud server.


We checked out this cloud server and found monitor.exe but also some additional interesting files, notably multiple types of “silent” installers and a folder called “coin-miner.”


Monitor.exe beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system.

So now that we have proof that a PUP is installing miners on users' systems, do they do it without ever letting the user know? Well, not exactly: their EULA specifically includes a section on Computer Calculations:

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.


Their explanation is essentially a description of what Bitcoin miners do: they will install this software on the system, run it, use up your system resources and, finally, keep all rewards from the effort YOUR system puts in.

Talk about sneaky.

In my opinion, PUPs have sunk to a new low with the inclusion of this type of scheme. They already collected information on your browsing and purchasing habits with search toolbars and redirectors.

They assault users with pop-up ads and unnecessary software to make a buck from their affiliates. Now they are just putting the nails in the coffin by stealing resources and driving user systems to the grave.

But are Bitcoin miners bad? Are they always used by malicious ne’er-do-wells? No way! When used legitimately by willing participants, they help the Bitcoin network run more efficiently and make some extra cash for those willing to put in the effort.

The unfortunate side is that while anyone can run a miner, anyone can also force a miner to run on a system, even if it isn’t their own.

So take note if your system is running especially slow or if a process is taking up massive amounts of your processing power; it might be malware or even a PUP running a miner on your system.
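The pattern in this post is a process that hogs the CPU and comes back under a new pid after being killed, because a parent process relaunches it. The triage helper below is an added example (not part of the original post or of any Malwarebytes tooling) that flags sustained CPU hogs across process snapshots and walks the parent chain to identify the respawner; the snapshots, pids and CPU figures are constructed for the example.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cpu")

# Constructed sample: two snapshots about a minute apart. jh1d.exe was killed
# in between (new pid) but its parent, monitor.exe (pid 1200), started it again.
SNAPSHOTS = [
    [Proc(4, 0, "System", 1.0), Proc(800, 4, "explorer.exe", 2.0),
     Proc(1200, 800, "monitor.exe", 0.5), Proc(3100, 1200, "jh1d.exe", 49.8),
     Proc(2200, 800, "chrome.exe", 12.0)],
    [Proc(4, 0, "System", 1.0), Proc(800, 4, "explorer.exe", 1.5),
     Proc(1200, 800, "monitor.exe", 0.4), Proc(3412, 1200, "jh1d.exe", 50.3),
     Proc(2200, 800, "chrome.exe", 9.0)],
]

def sustained_hogs(snapshots, threshold=40.0):
    """Process names above `threshold` percent CPU in every snapshot.

    Matching is by name rather than pid: the miner in the post kept coming
    back under a fresh pid, so a pid-based check would lose track of it.
    """
    per_snapshot = [{p.name for p in snap if p.cpu >= threshold} for snap in snapshots]
    return sorted(set.intersection(*per_snapshot)) if per_snapshot else []

def parent_chain(snapshot, pid):
    """Names from `pid` up to the root; guards against missing parents and cycles."""
    by_pid = {p.pid: p for p in snapshot}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain

def respawn_parent(snapshots, name):
    """If `name` reappears under new pids but always with the same parent pid,
    return that parent's name: that is the process to deal with first."""
    pids, ppids, parent_name = set(), set(), None
    for snap in snapshots:
        by_pid = {p.pid: p for p in snap}
        for p in snap:
            if p.name == name:
                pids.add(p.pid)
                ppids.add(p.ppid)
                parent = by_pid.get(p.ppid)
                parent_name = parent.name if parent else None
    return parent_name if len(pids) > 1 and len(ppids) == 1 else None

def triage(snapshots):
    """Map each sustained CPU hog to its likely respawning parent (or None)."""
    return {n: respawn_parent(snapshots, n) for n in sustained_hogs(snapshots)}
```

On a live Windows system the snapshots would come from a process lister that reports pid, parent pid and CPU usage (Process Explorer or tasklist-style output); the logic is the same.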

We at Malwarebytes are putting our foot down and detecting these threats as what they are, giving our users the option to remove them and never look back. A special thanks to Rich Matteo, Dave Nelson, Steven Burn, VictorValiant and Hammerhode for bringing to attention this threat and the efforts made to put an end to it.

UPDATE: Dec 02, 2013: It looks like an independent security researcher, Ashkan Soltani, wrote about a similar incident on 25 Nov concerning the gaming company E-Sports, where the state of New Jersey sued the company for installing BTC miners on users' systems. Looks like everyone is getting Bitcoin fever =/.

——————————————————————————————————–

Follow Adam Kujawa and all of his zany opinions on Twitter @Kujman5000


10 thoughts on “Potentially Unwanted Miners – Toolbar Peddlers Use Your System To Make BTC”

  1. gilbertwham says on December 1, 2013 at 11:45 am :

    I have an idea: is it not possible to create something similar a la SETI/Folding to mine coins for socially useful purposes? Charity efforts and so forth. Occupy’s Rolling Jubilee would be funny. Even if it’s impractical for making large amounts, it’s a nifty PR stunt.

  2. Tony Hill says on December 2, 2013 at 9:23 am :

    With bitcoins being like $1k per coin ($980 per coin at this time), not a bad money making scheme. I’m glad Malwarebytes is taking a stand against this abuse.

  3. Adam Kujawa says on December 2, 2013 at 12:09 pm :

    @gilbertwham, I suppose it would be a good method for raising funds; however, the potential damage to users' hardware outweighs the $$ reward since there are massive Bitcoin farms being run right now by users all over the world.

  4. CJ Turner says on December 3, 2013 at 1:29 pm :

    “Borrowing” someone’s machine for Bitcoin mining has real costs. A few years back, I read an article about computer time donations to “Folding@home,” a major grid supercomputing effort, that talked about having ~1 million PS3s donating 8 hours per day at about 220 watts per system. Something like 1.6 billion watt-hours per day, not just in donated “cycles,” but in real, pay-the-man energy. At $0.12 (USA average) per kWh, that is about $192,000 per day to support Folding@home. Is there an estimate of how many computers have installed this toolbar, and is there a load estimate for it?

  5. Paul Westin says on December 5, 2013 at 10:56 am :

    jhprotominer isn’t even capable of mining Bitcoin. Do some research, guys.

  6. Adam Kujawa says on December 5, 2013 at 11:10 am :

    jhProtominer mines for Protoshares, you are right. However this is just one example and other miners we have found actually mine for coins. At the end of the day they steal massive amounts of resources from user systems and as CJ Turner mentioned, $$ from energy costs. I’ll change the wording to ensure that it’s obvious, thanks for the feedback =).

  7. dorky says on December 7, 2013 at 9:30 pm :

    Hi, I have a miner installed in my computer to mine quark (another alternative of bitcoin) and I own my computer. I just recently experienced uninvited pop-ups during internet browsing and so I used malwarebytes to scan for such malware and quarantine them. Unfortunately, my quark miner no longer works after the scanning. This miner is installed by intention and not something out of hacking. How can I reactivate this miner back into operation? Will it help if I uninstall malwarebytes before reinstalling it back again to bring back my miner?

  8. Adam Kujawa says on December 8, 2013 at 10:48 am :

    Hey Dorky, Malwarebytes Anti-Malware might be detecting the miner as malicious; if you add the miner .exe to the “Ignore List” in MBAM, it shouldn’t detect it as malicious for you anymore. You shouldn’t need to uninstall Malwarebytes; however, if you have any additional questions, please refer to our Forums (https://forums.malwarebytes.org/index.php?showforum=41) and someone can help you with your specific case. Thanks for the comment!

  9. Pasang Maa says on December 10, 2013 at 7:55 am :

    bitcoin miner on this site too http://bagmati.gov.np/

  10. felipeclement says on December 26, 2013 at 2:20 am :

    It is the hacker’s way of targeting our bitcoins. Most likely, this stealing is due to the skillful ability of programmers to monitor and track our computer tasks and schedules. I have read an article in Bitcoin Daily News on ways to avoid stealing our bitcoins and scenarios we need to be aware of.
