Potentially Unwanted Programs secretly serve Bitcoin miner

Security experts at Malwarebytes discovered Potentially Unwanted Programs like Toolbars and Search Agents that installed Bitcoin miners on user’s PC

The value of the Bitcoin for a few days has passed the psychological threshold of one thousand dollars, confirming its growth trend, the attention in the virtual currency scheme is at the highest levels and cybercriminals are exploiting new ways to monetize the unprecedented surge.

Blackmarket is proposing new exploit kits, like Atrax, that could be used to infect victims with the purpose to steal Bitcoin wallets or to abuse of the computational resources of the victims for Bitcoin mining.

Recently security experts at Malwarebytes alerted the security community on the diffusion of Potentially Unwanted Programs (PUPs) including search agents and Toolbars, that are bundled with malware having mining capabilities.

“This time, however, we are taking a look at a PuP that installs a Bitcoin miner on the user system, not just for a quick buck but actually written into the software’s EULA. This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash.” states the blog post on Malwarebytes website.

The experts have discovered a malware instance that utilizes victims’ computing resources for Bitcoin mining, in particular it uses ‘jhProtominer’ a popular mining software that runs via the command line, to abuse the CPUs and GPUs of the infected machine.

On November 22th researchers at Malwarebytes received a request for assistance from users about an anomalous behavior of a file, titled “jh1d.exe” that was taking up 50% of the system resources. The file in reality was the Bitcoin Miner “jhProtominer”. The experts also discovered that jhProtominer wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe”, Monitor.exe was created by a company known as Mutual Public, which is also known as We Build Toolbars, LLC or WBT.

Upon further investigation Malwarebytes experts have found a link between WBT and Mutual Public thanks to an entry in the Sarasota Business Observer.

“monitor.exe” is a component of YourFreeProxy application, which “beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system.”

Resuming the experts collected the proof that a PUP is installing Bitcoin miners on users systems, but the concerning issue is that they do it providing ambiguous information in the EULA proposed to the victims. The Eula in fact specifically covers a section on Computer Calculations describing a series of operations similar to the actions of a Bitcoin Miner.

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

Practically the user is advised that the company behind the PUP can and will install an application for Bitcoin mining keep the rewards for itself.

The increased popularity of Bitcoin will motivate the cybercrime industry to produce new and even more sophisticated miners and wallet stealers, it is highly recommended to install proper defense systems and to keep PC and applications updated.

Pierluigi Paganini

(Security Affairs – Bitcoin miner, malware)