  1. #1
    New Lounger (Join Date: Feb 2015; Posts: 19; Thanks: 4; Thanked 0 Times in 0 Posts)

    uTorrent can steal your CPU cycles to mine bitcoins

    http://www.engadget.com/2015/03/06/u...bitcoin-miner/

    Popular torrent client can steal your CPU cycles to mine bitcoins

    If you recently installed or updated uTorrent on your PC, you may have picked up an unwanted passenger: a bitcoin miner called Epic Scale. If you don't pay attention, that piece of code can be inadvertently installed with the latest uTorrent build (version 3.4.2). It can then use your computer as part of a bitcoin farm (Litecoin, to be exact) to generate revenue for third parties. Users first reported the situation on uTorrent's forums, and it was quickly confirmed by a senior support manager. He said that the app "cannot be installed without permission," but one user claimed that there was "never a warning about it," even though he opted out of other bundled software.

  2. #2
    2 Star Lounger 1PW (Join Date: Feb 2011; Location: North of the 38th parallel; Posts: 131; Thanks: 26; Thanked 46 Times in 28 Posts)
    All running torrents can leave very challenging and sometimes fatal malware with this well-known attack vector!
    Last edited by 1PW; 2015-03-09 at 18:50.
    All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.

  3. #3
    Silver Lounger RolandJS (Join Date: Dec 2009; Location: Austin metro area TX USA; Posts: 1,727; Thanks: 95; Thanked 127 Times in 124 Posts)
    Even security programs, which should know better, sometimes bundle potentially unwanted extra[s]. The Avast install includes Dropbox unless unchecked.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  4. #4
    New Lounger (Join Date: Jul 2012; Posts: 1; Thanks: 0; Thanked 0 Times in 0 Posts)

    Epic Scale installed?

    Is there a way to check if Epic Scale was installed?

  5. #5
    2 Star Lounger 1PW (Join Date: Feb 2011; Location: North of the 38th parallel; Posts: 131; Thanks: 26; Thanked 46 Times in 28 Posts)
    Hello bkpleng:

    The Epic Scale PUP/BHO can always be detected and removed using conventional techniques.

    http://www.malwareremovalguides.info/remove-epic-scale/
    All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.

  6. #6
    Super Moderator Rick Corbett (Join Date: Dec 2009; Location: South Glos., UK; Posts: 2,141; Thanks: 101; Thanked 579 Times in 464 Posts)
    As a test I installed uTorrent v3.4.2 including its advertised bundled PUPs (Spigot Search Protection and Skype) direct from the www.utorrent.com website into a new VM whilst tracking the install with InCtrl5. After installation, InCtrl5 showed that - in addition to Spigot Search Protection and Skype - some OpenCandy folders had been created (although never mentioned in the uTorrent installer).

    OpenCandy claims it's "a service that helps app developers earn money and keep their apps free-of-charge for you, the user. Developers earn money by recommending other select, free apps during the download and install process of their free app. We guarantee that all app recommendations are optional and you may choose to accept, decline, or uninstall any app at any time."

    OpenCandy was not mentioned anywhere in the uTorrent installer, nor was its silent installation of 2 executables into C:\Users\Test\AppData\Roaming\OpenCandy\OpenCandy_9BCBB5E205CC479F812A946BE76FEADB:

    du90i.exe (159 KB)
    dysubd1_p3v0.exe (71.6KB)

    On my test VMs I redirect all temporary files into C:\Temp. This folder showed 3 newly created files:

    utt2B76.tmp (293KB)
    utt3595.tmp (56KB)
    ~sp516C.tmp (1,307KB)

    I uploaded all 5 files to VirusTotal and found that all but one had been analyzed before.

    utt2B76.tmp showed a VirusTotal detection ratio of 12/57 and is described as OpenCandySetupHlp.dll, part of the OpenCandy SDK.

    utt3595.tmp showed no VirusTotal warnings, i.e. a detection ratio of 0/57. There was no further info to identify it.

    ~sp516C.tmp showed a VirusTotal detection ratio of 3/57 and is described as SearchProtectionSetup.exe. I was expecting this as the uTorrent installer had advertised Spigot Search Protect as part of the default install.

    du90i.exe showed a VirusTotal detection ratio of 6/57 and is described as an 'Installation helper', digitally signed by OpenCandy.

    dysubd1_p3v0.exe showed no VirusTotal warnings, i.e. a detection ratio of 0/57. The executable is digitally signed by Syndacato, a software developer located in San Diego, California. A search on herdProtect confirmed Syndacato as responsible for dysubd1_p3v0.exe.

    OpenCandy also claims - under 'How do I uninstall OpenCandy?' - "Since OpenCandy does not permanently install anything on your computer, there is nothing to uninstall." To test this claim I restarted the VM then checked the same file locations. I found that the OpenCandy and OpenCandy_9BCBB5E205CC479F812A946BE76FEADB folders remained in C:\Users\Test\AppData\Roaming and that dysubd1_p3v0.exe remained within the OpenCandy_9BCBB5E205CC479F812A946BE76FEADB folder. I also found the 3 temporary files remained in C:\Temp, one of which is part of the OpenCandy SDK.

    Yet another OpenCandy claim - again under 'How do I uninstall OpenCandy?' - is "If you are concerned that something extraordinary resulted in any remnant traces being left on your computer, you may download and run our small clean-up utility to ensure all OpenCandy traces which are regularly self-deleted, are in fact gone." I downloaded the clean-up utility - OCCleanupToo.exe (for which VirusTotal showed a detection ratio of 3/57).

    I ran the clean-up utility (monitoring it with InCtrl5) then checked the same file locations again. The OpenCandy clean-up utility did not remove any of the OpenCandy files and folders (or itself).

    In conclusion, IMHO uTorrent is not open and honest about what is bundled with the installation of uTorrent v3.4.2 nor is OpenCandy honest on its website about what it's doing in the background. Either that or it doesn't know what its own software is doing (or, in the case of its 'clean-up utility', not doing.)

    Note: I deliberately haven't mentioned any additions to the registry. This is because most of the additions are just numeric CLSIDs without any other identifying information so it's not clear which - if any - additions are related to OpenCandy and which are down to the installation of uTorrent, Spigot Search Protection and Skype.

    A further note: I didn't find any indication of Epic Scale included in the installation of uTorrent v3.4.2.
    Last edited by Rick Corbett; 2015-03-16 at 15:07.
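As an added example (not code from the thread, from InCtrl5 or from any product named in it), the following PowerShell script reproduces the before/after tracking method described in the post above: snapshot the watched folders, run the installer, diff the snapshots, then report each new or changed file with its SHA256 (usable for a VirusTotal hash lookup) and its Authenticode signer, with a follow-up function for the post-reboot remnant check. The watched folders (AppData\Roaming and C:\Temp) come from the post; the saved diff location and function names are assumptions.

```powershell
# Added example: InCtrl5-style file-system snapshot diff for install tracking.
# Watched paths follow the post (AppData\Roaming, C:\Temp); diff file location is assumed.

function Get-FolderSnapshot {
    param([string[]]$Paths)
    Get-ChildItem -Path $Paths -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                SizeKB = [math]::Round($_.Length / 1KB, 1)
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            }
        }
}

function Compare-FolderSnapshot {
    param([object[]]$Before, [object[]]$After)
    # Files present afterwards whose path/hash pair was not in the baseline: new or modified
    $added = if ($Before.Count -eq 0) { $After } else {
        Compare-Object -ReferenceObject $Before -DifferenceObject $After -Property Path, SHA256 -PassThru |
            Where-Object SideIndicator -eq '=>'
    }
    foreach ($f in $added) {
        $sig = Get-AuthenticodeSignature -LiteralPath $f.Path
        [pscustomobject]@{
            Path      = $f.Path
            SizeKB    = $f.SizeKB
            SHA256    = $f.SHA256
            SigStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    }
}

function Test-InstallRemnants {
    # The post's persistence check: after a reboot or the vendor's clean-up tool,
    # report which of the recorded files are still on disk.
    param([string]$DiffFile)
    Import-Clixml -LiteralPath $DiffFile | ForEach-Object {
        [pscustomobject]@{ Path = $_.Path; StillPresent = (Test-Path -LiteralPath $_.Path) }
    }
}

$watch  = @($env:APPDATA, 'C:\Temp')   # AppData\Roaming plus the redirected temp folder from the post
$before = @(Get-FolderSnapshot -Paths $watch)
Read-Host 'Baseline taken. Run the installer now, then press Enter'
$after  = @(Get-FolderSnapshot -Paths $watch)
$diff   = @(Compare-FolderSnapshot -Before $before -After $after)
$diff | Format-Table -AutoSize
$diff | Export-Clixml -LiteralPath "$env:TEMP\install-diff.xml"
# After rebooting (or running a clean-up tool): Test-InstallRemnants -DiffFile "$env:TEMP\install-diff.xml"
```

Run it elevated inside a throwaway VM, as in the post; the registry side of the install is not covered here.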


  8. #7
    New Lounger (Join Date: Feb 2015; Posts: 19; Thanks: 4; Thanked 0 Times in 0 Posts)
    Wow, thanks Rick! I only downloaded the newest version because 2.2.1 was being flagged as dangerous by my security software. I've always downloaded 2.2.1, and hate the new versions. I'll stick with it.

  9. #8
    Silver Lounger wavy (Join Date: Dec 2009; Location: ny; Posts: 2,371; Thanks: 235; Thanked 147 Times in 136 Posts)
    Rick

    May I inquire what OS you were running InCtrl5 on? Your info seems to indicate a newer OS and I was thinking InCtrl5 did not work after W2K. I still have a folder with all the old PCMag utilities.
    David

    Just because you don't know where you are going doesn't mean any road will get you there.

  10. #9
    Super Moderator Rick Corbett (Join Date: Dec 2009; Location: South Glos., UK; Posts: 2,141; Thanks: 101; Thanked 579 Times in 464 Posts)
    Hi David, to use InCtrl5 with later OSes you need to first change it so it runs in compatibility mode (as Windows XP SP3) and run it as Administrator.

    Hope this helps...
