Potentially Unwanted Programs secretly serve Bitcoin miner

11:30 ET, 4 December 2013

Security experts at Malwarebytes discovered Potentially Unwanted Programs like Toolbars and Search Agents that installed Bitcoin miners on user’s PC

The value of the Bitcoin for a few days has passed the psychological threshold of one thousand dollars, confirming its growth trend, the attention in the virtual currency scheme is at the highest levels and cybercriminals are exploiting new ways to monetize the unprecedented surge.

b1

Blackmarket is proposing new exploit kits, like Atrax, that could be used to infect victims with the purpose to steal Bitcoin wallets or to abuse of the computational resources of the victims for Bitcoin mining.

Recently security experts at Malwarebytes alerted the security community on the diffusion of Potentially Unwanted Programs (PUPs) including search agents and Toolbars, that are bundled with malware having mining capabilities.

“This time, however, we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.” states the blog post on Malwarebytes website.

The experts have discovered a malware instance that utilizes victims’ computing resources for Bitcoin mining, in particular it uses ‘jhProtominer’ a popular mining software that runs via the command line, to abuse the CPUs and GPUs of the infected machine.

On November  22th researchers at Malwarebytes received a request for assistance from users about an anomalous behavior of a file, titled “jh1d.exe” that was taking up 50% of the system resources. The file in reality was the Bitcoin Miner “jhProtominer”. The experts also discovered that jhProtominer wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”, Monitor.exe was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT.

Upon further investigation Malwarebytes experts have found a link between WBT and Mutual Public thanks to an entry in the  Sarasota Business Observer.

b2

“monitor.exe” is a component of YourFreeProxy application, which “beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system.”

Resuming the experts collected the proof that a PUP is installing Bitcoin miners on users systems, but the concerning issue is that they do it providing ambiguous information in the EULA proposed to the victims. The Eula in fact specifically covers a section on Computer Calculations describing a series of operations similar to the actions of a Bitcoin Miner.

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

Practically the user is advised that the company behind the PUP can and will install an application for Bitcoin mining keep the rewards for itself.

The increased popularity of Bitcoin will motivate the cybercrime industry to produce new and even more sophisticated miners and wallet stealers, it is highly recommended to install proper defense systems and to keep PC and applications updated.

Pierluigi Paganini

(Security Affairs –  Bitcoin miner, malware)

rsa-logo

 

 

 

 

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X