You know those third-party toolbars and proxies you download? They may be silently using you to mine Bitcoins, and you may have actually agreed to it.
These add-ons and browser plug-ins are sometimes called PUPs, or potentially unwanted programs. They can serve a purpose, such as a browser toolbar that might help you search for or save content, but these often come with extra unwanted tools that take up space, watch your Internet activities, and try to send you advertising.
Malwarebytes discovered one of these add-ons was actually installing a Bitcoin miner in the background that reinstalled itself when deleted. The weirdest part is that it tried to be above-board with it all, putting a clause in its end-user license agreement (EULA) about the miner.
Bitcoin uses the general public to help solve “blocks,” or encrypted Bitcoin transactions. Blocks are protected by a difficult mathematical problem, and solving many blocks at one time can often use a lot of computer power. The person who solves the block is rewarded in Bitcoin, which is currently worth over $1,000 a coin.
Malwarebytes got wind of the issue when a user posted to its forum that he was unable to remove a file called “jh1d.exe” that was taking up a lot of processing power from his computer. The file, Malwarebytes found, was actually that of a popular miner called jhProtominer, but it was being installed and reinstalled by a “parent process” called monitor.exe.
The security company traced monitor.exe to a Sarasota, Fla.-based firm known as both Mutual Public and We Build Toolbars LLC. The company builds proxy software called “Your Free Proxy” that also distributes the monitor.exe process, otherwise known as the Mutual Public Installer.
The installer lives on Amazon Web Services and includes other tools such as silent installers. In the Mutual Public Installer, Malwarebytes further found a EULA clause that states:
COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.
As Malwarebytes notes, this exactly describes Bitcoin mining. Unfortunately, no one (except other Bitcoin enthusiasts) is going to actually recognize that as saying, “We’re going to eat up your processing power and make money that we aren’t going to share with you while doing it.”
We’ve seen plenty of malware that installs miners, such as one that spread through Skype messages. The message would say, “I can’t believe this picture of you!” and then download the miner when you clicked the associated link. Research firm Kaspersky Lab said in April that the malware was attracting 2,000 clicks per hour. But Mutual Public almost seems to want to have legal ground to stand on.
The moral is, don’t download third-party toolbars that you don’t really trust, and read your EULAs and terms of service. If you see something in there that sounds weird, that’s probably because it is, and you want to get out of there.