Bitcoin Mining: There's a Right Way and a PUP Way

The Verge today describes a 'secret mining facility' reportedly located in Hong Kong. The facility uses 'open bath immersion' technology to maintain optimum operating temperatures, and, says The Verge, "operates at a Power Usage Effectiveness of 1.02, which 'would make it one of the most efficient designs in the world.'" While the cooling technology is top of the range, the computing equipment is not. The result is a relatively inexpensive specialist bitcoin mining facility – and one that represents the acceptable face of bitcoin mining.

But at least one company has chosen a different route to gain the processing power – in this case for free – that it needs for the mining process. Adam Kujawa of MalwareBytes has described a free WiFi proxy of the type the anti-malware industry terms a PUP (a potentially unwanted program). It's a term that describes a category of program or app that isn't necessarily illegal, or even malicious, but is likely to be unwanted when users understand what it actually does.

In this instance MalwareBytes was alerted to the issue when a customer asked for help over an application that was consuming 50% of his processing power, and reinstated itself whenever he deleted it. "We did some research," writes Kujawa, "and found out that the file in question was a Bitcoin Miner known as 'jhProtominer,' a popular mining software that runs via the command line. However, it wasn’t the miner recreating its own file and executing but a parent process known as “monitor.exe.”"

PUPs usually generate income for the developers by surreptitiously plugging the user into an affiliate advertising network. But in this instance a web proxy called YourFreeProxy (from We Build Toolbars, WBT, aka Mutual Public) uses an installer called monitor.exe which then installs the bitcoin miner. 

It may not, however, be illegal. Deep in the end user licence is the brief paragraph, "COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates."

Kujawa comments, "Their explanation is basically the purpose of Bitcoin Miners and that they will install this software on the system, run it, use up your system resources and finally keep all rewards from the effort YOUR system puts in. Talk about sneaky." Users are unlikely to assume that their free proxy installation simultaneously donates processing capacity to Mutual Public for bitcoin mining purposes; but in using the application they have agreed to do just that.

"We at Malwarebytes are putting our foot down and detecting these threats as what they are," he adds, "giving our users the option to remove them and never look back." It's an attitude applauded by security researcher Graham Cluley: "Hopefully other anti-virus vendors will follow MalwareBytes’s lead and add detection of this potentially unwanted application, as I cannot imagine many people wanting their computer’s performance to be halved because it is secretly making money for someone else."
