Attackers have generated $3,900 so far in an ongoing campaign that’s exploiting the popular rTorrent application to install currency-mining software on computers running Unix-like operating systems, researchers said Thursday.
The misconfiguration vulnerabilities are similar in some respects to ones Google Project Zero researcher Tavis Ormandy reported recently in the uTorrent and Transmission BitTorrent apps. Proof-of-concept attacks Ormandy developed exploited weaknesses in the programs’ JSON-RPC interface, which allows websites a user is visiting to initiate downloads and control other key functions. Ormandy’s exploits demonstrated how malicious sites could abuse the interface to run malicious code on vulnerable computers.
The in-the-wild attacks targeting rTorrent are exploiting XML-RPC, an rTorrent interface that uses HTTP and the more-powerful XML to receive input from remote computers. rTorrent doesn’t require any authentication for XML-RPC to work. Even worse, the interface can execute shell commands directly on the OS rTorrent runs on.
The attack scenario against rTorrent is more severe than for uTorrent and Transmission because attackers can exploit vulnerable rTorrent apps with no interaction required of the user. The uTorrent and Transmission flaws, by contrast, could be exploited only by sites a user actively visited. Ormandy’s exploits used a technique known as Domain Name System (DNS) rebinding to make an untrusted Internet domain resolve to the local IP address of the computer running a vulnerable BitTorrent app.
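The two exposure patterns described above, an unauthenticated XML-RPC call that invokes shell execution and a DNS-rebinding request that reaches the daemon from the browser, can be picked out of captured requests with a small audit. The following is an added example written for this page, not code from the article or from the rTorrent project. It assumes that rTorrent's shell-execution XML-RPC methods are named `execute*` (rTorrent documents `execute`, `execute.throw` and `execute.capture`), that the daemon sees the client's source address and Host header (behind an SCGI front end these come from the web server), and the three sample requests are constructed for illustration.

```python
# Added example, not code from the original article or from rTorrent.
# Audits captured HTTP requests to an rTorrent XML-RPC endpoint for the
# risks described in the text. Assumptions: shell-execution methods are
# named "execute*"; the sample requests below are constructed.
import ipaddress
import xmlrpc.client

# Host header values a legitimate local client would send to the daemon.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def make_request(method, *params):
    """Serialise an XML-RPC methodCall body the way a client would."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)


def host_name(host_header):
    """Strip the port from a Host header, handling bracketed IPv6 literals."""
    if host_header.startswith("["):
        return host_header.split("]")[0] + "]"
    return host_header.split(":")[0]


def audit_request(src_ip, host_header, body):
    """Return the called method and a list of risk tags for one request."""
    findings = []
    try:
        _params, method = xmlrpc.client.loads(body)
    except Exception:  # malformed XML or a non-XML-RPC body
        return {"method": None, "findings": ["unparseable-body"]}
    if method is None:  # a methodResponse, not a call
        return {"method": None, "findings": ["not-a-method-call"]}

    # Risk 1: the call itself asks the daemon to run a shell command
    # (assumption: rTorrent's execute* family of methods).
    if method.startswith("execute"):
        findings.append("shell-execute-method")

    # Risk 2: the interface is reachable from a non-loopback address.
    # With no authentication, any peer that can reach it can issue calls.
    if not ipaddress.ip_address(src_ip).is_loopback:
        findings.append("remote-source")

    # Risk 3: DNS rebinding. The browser connects to 127.0.0.1 but still
    # sends the attacker-controlled domain in the Host header, so a loopback
    # source paired with a foreign Host header is the tell-tale sign.
    if host_name(host_header) not in LOCAL_HOSTS:
        findings.append("foreign-host-header")

    return {"method": method, "findings": findings}


# Constructed sample traffic: (source IP, Host header, XML-RPC body).
SAMPLE_REQUESTS = [
    # Local client listing methods: expected, benign.
    ("127.0.0.1", "localhost:8000", make_request("system.listMethods")),
    # Loopback source but a foreign Host header: the DNS-rebinding pattern.
    ("127.0.0.1", "rebind.example.net", make_request("system.listMethods")),
    # Remote peer invoking a shell-execution method: the in-the-wild pattern.
    ("203.0.113.7", "203.0.113.7:8000",
     make_request("execute", "", "PLACEHOLDER_COMMAND")),
]


def audit_all(requests=SAMPLE_REQUESTS):
    """Audit every captured request and return the findings in order."""
    return [audit_request(*r) for r in requests]


if __name__ == "__main__":
    for result in audit_all():
        print(result)
```

Rejecting requests whose Host header is not a loopback name is the standard mitigation for DNS rebinding; binding the RPC listener to loopback only and putting authentication in front of it closes the remote-source case.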
Submitted by: Arnfried Walbrecht