rTorrent flaw exploited in crypto-mining campaign

Researchers from F5 Networks Inc. have found that hackers are targeting a flaw in the popular rTorrent application to install crypto-mining software on computers running Unix-like operating systems. The attackers have so far generated over $3,900.

This campaign exploits a previously undisclosed misconfiguration vulnerability and deploys a Monero (XMR) crypto-miner operation.

The attacks exploit XML-RPC, an rTorrent interface that uses XML and HTTP for remote access and for which rTorrent doesn’t require any authentication. Through it, shell commands can be executed directly on the operating system rTorrent runs on.

The hackers identify computers running RPC-enabled rTorrent apps on the internet and target them to install mining software for Monero, the digital coin.

The malware downloaded doesn’t just run mining software but also scans for rival miners and removes them.

The vulnerabilities being exploited are in some respects similar to those reported by Google Project Zero in the BitTorrent client uTorrent. The difference is that the rTorrent flaw can be exploited without any user interaction, rather than only through sites the user visits.

The XML-RPC interface isn’t enabled by default and rTorrent recommends not using RPC over TCP sockets.

Below is an email rTorrent developer Jari Sundell wrote regarding the flaw:

There is no patch as the vulnerability is due to a lack of knowledge about what is exposed when enabling RPC functionality, rather than a fixable flaw in the code. It was always assumed, from my perspective, that the user would ensure they properly handled access restriction. No 'default behavior' for rpc is enabled by rtorrent, and using unix sockets for RPC is what I'm recommending. The failure in this case is perhaps that I've created a piece of software that is very flexible, yet not well enough documented that regular users understand all the pitfalls.

Currently, the hackers generate about $43 per day using this exploit and have already generated $3,900 combined.
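The recommendation quoted above, RPC over a unix socket rather than a TCP socket, can be checked mechanically. The following is an added example, not code from the article, F5 or the rTorrent project: it audits an rTorrent configuration file for its RPC listener directives. The sample configuration is constructed, and the three severity labels are this example's own convention.

```python
import re

# rTorrent directives that open the SCGI listener carrying XML-RPC
# (old-style and new-style names).
TCP_KEYS = {"scgi_port", "network.scgi.open_port"}
UNIX_KEYS = {"scgi_local", "network.scgi.open_local"}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}

# Constructed sample configuration, not taken from the article.
SAMPLE_RC = """\
# example .rtorrent.rc
directory = /srv/torrents
scgi_port = 0.0.0.0:5000
network.scgi.open_port = "127.0.0.1:5001"
#scgi_port = :5002
network.scgi.open_local = /home/rt/.session/rpc.socket
"""

def audit_rtorrent_rc(text):
    """Return (line_no, severity, message) for each RPC listener setting.

    Severity labels (this example's convention):
      exposed - TCP listener not bound to loopback
      warn    - TCP listener on loopback (still unauthenticated)
      ok      - unix socket, access governed by file permissions
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # ignore comments
        m = re.match(r"([\w.]+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip('"')
        if key in UNIX_KEYS:
            findings.append((no, "ok", f"RPC on unix socket {value}"))
        elif key in TCP_KEYS:
            # "host:port", ":port" or a bare port; an empty host is
            # treated as listening on all interfaces.
            host = value.rsplit(":", 1)[0] if ":" in value else ""
            if host in LOOPBACK:
                msg = f"RPC on loopback TCP {value}: any local process can reach it"
                findings.append((no, "warn", msg))
            else:
                msg = f"RPC on TCP {value}: unauthenticated, network-reachable"
                findings.append((no, "exposed", msg))
    return findings

if __name__ == "__main__":
    for finding in audit_rtorrent_rc(SAMPLE_RC):
        print(*finding, sep="\t")
```
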

Security flaw in uTorrent allows hackers remote access

Tavis Ormandy, a vulnerability researcher at Google and a part of Google Project Zero, a team of security analysts specializing in finding zero-day vulnerabilities, revealed on Wednesday a vulnerability in BitTorrent’s uTorrent Windows and web client that allows hackers to either plant malware on the user’s computer or see their download activity.

Google Project Zero published its research once the 90-day window it gave uTorrent to fix the flaw before public disclosure was over.

According to Ormandy, the flaws are easy to exploit and make it possible for hackers to remotely access downloaded files or download malware onto users’ computers using the random token generated upon authentication.

He reported on Twitter that the initial fix BitTorrent rolled out seemed only to generate a second token, which did not fix the flaw, and said, “you just have to fetch that token as well.”

BitTorrent issued a statement on Wednesday regarding the issue:

On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).