Hackers exploiting rTorrent to install Unix coin miner have netted $4k so far

[Archiee]

Ongoing attacks give complete control and require no user interaction.

Attackers have generated $3,900 so far in an ongoing campaign that's exploiting the popular rTorrent application to install currency-mining software on computers running Unix-like operating systems, researchers said Thursday.

The misconfiguration vulnerabilities are similar in some respects to ones Google Project Zero researcher Tavis Ormandy reported recently in the uTorrent and Transmission BitTorrent apps. Proof-of-concept attacks Ormandy developed exploited weaknesses in the programs' JSON-RPC interface, which allows websites a user is visiting to initiate downloads and control other key functions. Ormandy's exploits demonstrated how malicious sites could abuse the interface to run malicious code on vulnerable computers.

The in-the-wild attacks targeting rTorrent are exploiting XML-RPC, an rTorrent interface that uses HTTP and the more-powerful XML to receive input from remote computers. rTorrent doesn't require any authentication for XML-RPC to work. Even worse, the interface can execute shell commands directly on the OS rTorrent runs on.

Attackers are scanning the Internet for computers that are running RPC-enabled rTorrent apps and then exploiting them to install software that mines the digital coin known as Monero, researchers from Seattle-based security firm F5 said in a blog post. At the time this post was going live, the attacker wallets had a combined balance of $3,900. At their current rate, the attackers are generating about $43 per day. That's a modest sum compared to one cryptocurrency-mining group researchers said netted coins worth $3.4 million.

No user interaction required

The attack scenario against rTorrent is more severe than for uTorrent and Transmission because attackers can exploit vulnerable rTorrent apps with no interaction required of the user. The uTorrent and Transmission flaws, by contrast, could be exploited only by sites a user actively visited. Ormandy's exploits used a technique known as domain name system rebinding to make an untrusted Internet domain resolve to the local IP address of the computer running a vulnerable BitTorrent app.

F5 was careful to note that the developer of rTorrent "explicitly recommends not using the RPC functionality over TCP sockets." This would indicate that the vulnerable XML-RPC interface isn't enabled by default. Many BitTorrent users find such interfaces useful and assume they can be controlled only by someone with physical access to the computer running it. The susceptibility to DNS rebinding or other hacks invalidates the assumption, at least when the interface lacks password authentication or other security-in-depth measures, either because they're not provided by the developer or they're not enabled by end users.

The malware the exploit downloads doesn't just run compute- and electricity-draining mining software. It also scans infected computers for rival miners, and if found attempts to remove them. At the moment, the downloaded malware is detected by only three of the top 59 antivirus providers. That number is likely to change soon.

It wasn't immediately clear if there's an rTorrent update that fixes the vulnerabilities. The app developer didn't immediately respond to an e-mail seeking comment for this post. People who run rTorrent should inspect their computers carefully for signs of infection, which likely include excessive amounts of bandwidth and computing power being consumed. rTorrent users should also ensure that the vulnerable RPC interface isn't enabled, at least until there's confirmation of a fix in place. People running other BitTorrent apps should also remain wary of the RPC interface and turn them off whenever practical.