Attackers have generated $3,900 so far in an ongoing campaign that uses the popular rTorrent tool to install currency mining software on computers running Unix operating systems, researchers said Wednesday.
The vulnerabilities are similar in some ways to those Google Project Zero researcher Tavis Ormandy recently reported in the uTorrent and BitTorrent applications. Ormandy’s proof-of-concept attacks exploited vulnerabilities in the applications’ JSON-RPC interfaces, which allow websites that users visit to initiate downloads and control other key functions. The exploits show how malicious sites can abuse the interface to run malicious code on vulnerable computers.
The ongoing attacks targeting rTorrent exploit XML-RPC, an rTorrent interface that uses HTTP and the more robust XML format to accept input from remote computers. rTorrent does not require any authentication for XML-RPC to work. Even worse, the interface can run shell commands directly on the operating system rTorrent is running on.
Attackers are scanning the Internet for computers running rTorrent with the RPC interface exposed and then using them to install software that mines a digital currency known as Monero, researchers from Seattle-based security firm F5 said in a blog post. At the time this post went live, the attackers’ wallets had a combined balance of $3,900. At their current rate, the attackers are generating about $43 per day. That’s a small amount compared to a cryptocurrency mining group researchers say netted coins worth $3.4 million.
No user interaction is required
The attack scenario against rTorrent is more severe than the ones against uTorrent and Transfer because attackers can exploit vulnerable rTorrent installations with no user interaction. The uTorrent and Transfer flaws, by contrast, can only be exploited by sites that a user visits. Ormandy’s exploits use a technique known as domain name system rebinding to assign an untrusted Internet domain to the local IP address of the computer running the vulnerable BitTorrent application.
F5 is careful to note that the developer of rTorrent “expressly recommends not using RPC functionality over TCP sockets.” This indicates that the vulnerable XML-RPC interface is not enabled by default. Many BitTorrent users find such interfaces useful and assume that they can be reached only by someone with physical access to the computer running them. Such interfaces are susceptible to DNS rebinding or other attacks, at least when they have no password authentication or other defense-in-depth protections, either because the developer does not provide them or because end users do not enable them.
The malware that the exploit downloads does more than mine cryptocurrency. It also scans infected computers for rival miners and, if found, tries to remove them. At the time this post went live, the malware was detected by only three of the top 59 antivirus providers. That number is likely to change soon.
In an email sent after this post went live, rTorrent developer Jari Sundell wrote:
There is no patch as the vulnerability is due to a lack of knowledge about what appears when you enable RPC functionality, rather than a fixable flaw in the code. It is always assumed, from my perspective, that the user will make sure that they handle the access restriction properly.
There is no ‘default behavior’ for rpc enabled by rpc, and using unix sockets for RPC is what I’m recommending.
The failure in this case is maybe I have created a piece of software that is very simple, yet it is not well documented that normal users understand all the pitfalls.
People who run rTorrent should check their computers carefully for signs of infection, such as unusually high bandwidth and CPU consumption. rTorrent users should also make sure they follow Sundell’s advice. People running other BitTorrent applications should also be wary of RPC interfaces and disable them unless they are needed.
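The two checks a defender would want after reading the developer's recommendation above and the closing advice are (1) whether an rTorrent config enables SCGI/XML-RPC over a TCP socket rather than a unix socket, and (2) whether the configured port is actually listening on a non-loopback address. The script below is an added example written for this article; it is not code from the article or from the rTorrent project. The directive names `scgi_port`, `scgi_local`, `network.scgi.open_port` and `network.scgi.open_local` are rTorrent's own; treating an empty bind host (`:5000`) as all interfaces is an assumption, and the sample config and `ss`-style socket listing are constructed for illustration.

```shell
#!/bin/sh
# Audit an rTorrent config and a socket listing for RPC exposure over TCP.
# Added example for this article, not rTorrent project code.

# classify_scgi_line LINE -> one of:
#   unix     : SCGI on a unix socket (what the developer recommends)
#   loopback : TCP bound to 127.0.0.1/localhost/::1 (local processes only, but
#              still reachable through a browser via DNS rebinding)
#   exposed  : TCP bound to any other address (0.0.0.0, a LAN/public IP, or an
#              empty host, which we assume means all interfaces)
#   none     : the line does not enable SCGI (comments are stripped first)
classify_scgi_line() {
  line=$(printf '%s' "$1" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
  case "$line" in
    scgi_local*|network.scgi.open_local*) echo unix ;;
    scgi_port*|network.scgi.open_port*)
      value=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
      host=${value%:*}                      # strip the ":port" suffix
      case "$host" in
        127.*|localhost|::1|"[::1]") echo loopback ;;
        *) echo exposed ;;
      esac ;;
    *) echo none ;;
  esac
}

# audit_config FILE -> prints the worst finding in the file
# (exposed > loopback > unix > none).
audit_config() {
  worst=none
  while IFS= read -r l || [ -n "$l" ]; do
    c=$(classify_scgi_line "$l")
    if [ "$c" = exposed ]; then
      worst=exposed
    elif [ "$c" = loopback ] && [ "$worst" != exposed ]; then
      worst=loopback
    elif [ "$c" = unix ] && [ "$worst" = none ]; then
      worst=unix
    fi
  done < "$1"
  echo "$worst"
}

# exposed_listeners PORT  (reads `ss -ltn`-style lines on stdin)
# -> prints every local address listening on PORT that is not loopback.
# On a live host: ss -ltn | exposed_listeners 5000
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":"); p = a[n]
      host = substr($4, 1, length($4) - length(p) - 1)
      if (p == port && host !~ /^(127\.|\[::1\]$|localhost$)/) print host
    }'
}

# --- demo on constructed data (not a real user's config or socket table) ---
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
# ~/.rtorrent.rc excerpt (constructed sample)
directory.default.set = ~/downloads
network.scgi.open_port = 0.0.0.0:5000   # reachable from the whole network
EOF
echo "config finding: $(audit_config "$sample_config")"          # exposed
rm -f "$sample_config"

sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:5000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'
echo "non-loopback listeners on 5000: $(printf '%s\n' "$sample_ss" | exposed_listeners 5000)"
```

A `unix` result matches the developer's advice; a `loopback` result is what the uTorrent/Transfer-style rebinding scenario in the article relies on, so it still deserves authentication in front of it; an `exposed` result is the condition the scanning campaign described above looks for.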