Some parts of the Internet are just inexplicably sketchy. It’s not clear to me why every piece of video conversion, screen capture, and video streaming software has to include malware, but they certainly all seem to. Torrent clients are among the worst offenders. There are many legitimate uses for the BitTorrent protocol, but it can still be difficult to find a torrent client that doesn’t try to bundle something nasty.
Recently, you may have heard that µTorrent has been secretly installing malware that mines Litecoins on your computer. You may also have heard the exact opposite, from µTorrent themselves.
We can confirm there’s no silent installs on uTorrent: http://t.co/1go5Skav89
— µTorrent® (@utorrent) March 6, 2015
In fact, µTorrent is claiming that the software being installed is actually part of a charitable enterprise. So what’s actually going on here?
What is EpicScale, And What Does it do?
The software in question, called EpicScale, is one of the ‘partner offers’ bundled with the torrent client itself, which tries to convince you to install it while you’re clicking through an interminable list of installer options. The software is nominally intended to open up people’s idle CPUs for scientific research. To quote their website:
“Your computer sits idle waiting for you to come back to use it. Its incredible processing power goes unused. What if there was a way to harness that unused processing power to change the world? That is what we do at Epic Scale.”
For now, the plan seems to be to simply distribute a piece of Litecoin mining software, and then donate the proceeds to charity. Again from the site:
“We started with cryptocurrency mining as a way to advance the first mission. Today 100% of our profits go to charity because we are just starting out and want to make as big of an impact as we can. As our company grows our plan is to donate 75% of our profits to charity.”
I personally am skeptical about this effort, because Litecoin mining isn’t free – it costs the user in electricity and lost performance. And, since PCs are very inefficient at turning electricity into Litecoins (compared to the dedicated hardware in use by most miners) the user is losing far more money on extra electric bills than is being generated for charity. That’s the sort of trade-off – a large cost to the user, and a small benefit to the developer – that’s a lot more appealing if you’re a malware developer than a philanthropist.
What is a Litecoin Miner, And How Will it Affect my Computer?
To get into a little more detail, cryptocurrencies like Bitcoin and Litecoin work by maintaining a distributed ledger of all balances and transactions. These ledgers update when wallet holders make (cryptographically verifiable) statements to the network indicating that they’d like to move some of their money. In order to ensure that the ledgers don’t get out of sync (and aren’t being forged), a tool called ‘proof of work’ is used.
In cryptocurrencies like Bitcoin, ‘miners’ compete to solve specific, difficult math problems related to the current state of the ledger. When a solution is found, the solution becomes a part of the ledger. The solution is called a ‘proof of work,’ because it proves that someone’s computer did a certain amount of math to generate it. When a client is trying to determine which ledger is the right one, it checks whether all of the proofs of work in the ledger are valid, and adds up the difficulty of all of them, to determine how much computational work was expended on it. Whichever ledger has more work associated with it wins. This is a way of ensuring that the official ‘history’ of the network is decided by the pool of the greatest computer power, making it prohibitively expensive for any individual person to take over the network and rewrite its history. In return for their service, the network awards successful miners with both transaction fees and large rewards of freshly-generated Bitcoins. For more information, check out our explanation of how Bitcoin works.
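The proof-of-work and "most work wins" rule described above, as an added example that is not part of the original article or any real client's code. It assumes a toy block layout and plain SHA-256 (Litecoin itself uses scrypt), and all ledger entries are constructed sample data.

```python
import hashlib

GENESIS = "00" * 32  # constructed placeholder for the hash preceding the first block

def block_hash(prev: str, data: str, nonce: int) -> str:
    # Toy block layout (assumption): previous hash, ledger entry and nonce joined by "|".
    return hashlib.sha256(f"{prev}|{data}|{nonce}".encode()).hexdigest()

def meets_target(digest: str, bits: int) -> bool:
    # A proof is valid when the hash, read as a number, is below 2**(256 - bits).
    return int(digest, 16) < (1 << (256 - bits))

def mine(prev: str, data: str, bits: int) -> dict:
    # Brute-force nonces; on average this takes 2**bits hash evaluations.
    nonce = 0
    while not meets_target(block_hash(prev, data, nonce), bits):
        nonce += 1
    return {"prev": prev, "data": data, "nonce": nonce, "bits": bits}

def build_chain(entries, bits: int) -> list:
    # Mine one block per ledger entry, each committing to the hash of the previous one.
    prev, chain = GENESIS, []
    for data in entries:
        block = mine(prev, data, bits)
        chain.append(block)
        prev = block_hash(prev, data, block["nonce"])
    return chain

def chain_work(chain) -> int:
    # Verify every proof and every link, then sum the expected work (2**bits per block).
    # A chain with any invalid proof or broken link counts as zero work.
    prev, work = GENESIS, 0
    for b in chain:
        digest = block_hash(b["prev"], b["data"], b["nonce"])
        if b["prev"] != prev or not meets_target(digest, b["bits"]):
            return 0
        work += 1 << b["bits"]
        prev = digest
    return work

def best_chain(candidates) -> list:
    # The ledger with the most accumulated work wins, not the one with the most blocks.
    return max(candidates, key=chain_work)

if __name__ == "__main__":
    honest = build_chain(["alice->bob 5", "bob->carol 2", "carol->dan 1"], bits=12)
    forged = build_chain([f"mallory->mallory {i}" for i in range(5)], bits=8)
    print(chain_work(honest), chain_work(forged), best_chain([forged, honest]) is honest)
```

The longer forged chain loses because each of its blocks proves far less work, and editing any entry in the honest chain breaks the link to the next block, so rewriting history means redoing every proof that follows.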
In this case, the mining software for the Litecoin ledger is being distributed (allegedly without user consent), running in the background on users’ computers and sending the profits back to EpicScale. This has a number of side-effects, including increased electric bills, reduced computer performance, and potentially even shorter hardware lifespan due to increased heat. If the software were being installed without user consent, that would be a huge problem. The question: is it?
Users are complaining that the software was installed despite their explicit opt-out, and that the software is difficult or impossible to uninstall. The latter claim is implicitly backed up by just how much of the EpicScale website is devoted to people having trouble uninstalling the thing.
Users: “µTorrent installs a Bitcoin miner now, wth?” Admins: “It can’t install w/o permission!” Users: “But it did.” Admins: *delete forums*
— Kortney (@Kortney) March 6, 2015
To try to figure out exactly what’s going on, I bit the bullet and installed µTorrent. Unfortunately, by the time I got to it, the software had already been updated to remove EpicScale entirely. It did, however, try to get me to install something else entirely.
Huh. I wonder what ‘Wajam’ is?
Other sites have attempted to verify the forced installation of EpicScale, and haven’t had any luck reproducing the issue. TrustedReviews, the site that originally broke the scandal, has concluded that forced installation complaints are probably due to users simply hitting the wrong button, which sounds like the simplest explanation to me.
However, this doesn’t let µTorrent off the hook. Not even close.
Wajam is definitely and unambiguously malware – and so is EpicScale, until they prove otherwise. Even if they technically require your consent to install this stuff, they are trying to trick you. Disguising malware as a legitimate installation step is among the scummiest tactics used by dark-side software developers. Legitimate developers don’t feel the need to trick users into downloading malware. As far as EpicScale goes, legitimate developers also don’t generally need to distribute their software by deception. Plenty of distributed computing projects (like Folding@Home) get by just fine on normal, voluntary downloads.
“Like many software companies, we have partner offers in our install path and our policy is that they are strictly optional.”
This is, if you’ll pardon my French, a steaming load of bull-hockey. “Many software companies” don’t do this. This is scummy, scammy, skeevy, and other bad alliterations. It’s not something that responsible developers do, and it’s not something that users should tolerate. We’ve praised µTorrent before for its modern interface and feature set, but I feel entirely comfortable revoking that recommendation right now, in light of their installation policies.
Don’t download µTorrent. If you’ve already got it, uninstall it, along with Wajam, EpicScale, and anything else it might have been bundled with. There are a lot of lightweight BitTorrent clients out there – if you want to be sure you’re safe from malware, stick to open-source clients like qBittorrent or Deluge. In general, steer clear of any installer that tries to trick you into installing stuff you don’t want (including literally anything from cnet.com).
As software consumers, we deserve better, and it would be a shame to let cynical people take advantage of us. While the Litecoin mining malware isn’t necessarily worse for users than spyware or adware, the novelty has attracted enough attention that this is a good opportunity to remind people that they have options in how they consume software. The relationship doesn’t have to be a predatory one.