
rTorrent helps attackers mine cryptocurrency on their users' computers

Unknown attackers have found a way to use the popular torrent client rTorrent to mine cryptocurrency on its users' computers. The application runs on Unix-like systems, which are generally considered much harder to attack than Windows.

With due diligence, vulnerabilities can be found in Unix systems too. Still, in 99% of cases the blame lies with the system's user, who himself allows the malware to carry out its tasks. That is what happened here.

Not long ago, security researcher Tavis Ormandy of Google Project Zero disclosed vulnerabilities in the popular BitTorrent clients uTorrent and Transmission. He built a working proof-of-concept attack on flaws in their JSON-RPC interfaces, in which the client is made to download malware without the user's knowledge.

Something similar applies to rTorrent, except that here attackers exploit the rTorrent XML-RPC interface, which uses HTTP and XML to accept input from remote systems. rTorrent requires no authentication for this interface. Worse, through it attackers can execute commands in the shell of the OS running rTorrent.
The attackers scan the Internet for computers running rTorrent and applications built on it, then exploit the flaw to install software that mines Monero. Monero is a cryptocurrency considered fully anonymous; it is popular among all kinds of criminals (the currency itself is entirely legitimate, it is just a tool), because its transactions are very hard, if not impossible, to trace.

By the time news of the new miner surfaced, the attackers had earned about $4,000 in dollar equivalent. They mine about $43 worth of cryptocurrency per day.

The problem here is that rTorrent needs no action from the user to perform the operations the attackers want. That is why this torrent client is even more dangerous than its peers uTorrent and Transmission: those can be infected only if the user visits a malicious site with specially crafted software.

With rTorrent everything is simpler: the client itself fetches whatever is needed, hiding its actions from the user. It is worth remembering that the rTorrent developer advises users not to expose the client's RPC functionality on TCP ports. The XML-RPC interface is not enabled by default; users enable it themselves because they find it convenient.
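The two points above (an RPC interface that accepts commands with no authentication, and the developer's advice to keep it off TCP ports) come down to one configuration choice in `.rtorrent.rc`. The following script, an added example that is not part of the original article or of the rTorrent project, audits such a file and flags RPC listeners bound to TCP, distinguishing an all-interfaces binding from a loopback one, and treats the Unix-socket form as the recommended setting. The directive names `scgi_port`, `scgi_local`, `network.scgi.open_port` and `network.scgi.open_local` are the real rTorrent config keys; the sample configs are constructed for the demonstration.

```python
"""Audit an rTorrent .rtorrent.rc for an RPC listener exposed over TCP.

Added example: checks a config for the weak setting (SCGI/XML-RPC on a
TCP port, which rTorrent serves without authentication) versus the
recommended one (a local Unix socket).
"""
import re
from typing import List, Tuple

# Directives that open rTorrent's SCGI listener. The TCP forms take
# "host:port" (host may be empty, meaning every interface); the local
# forms take a Unix socket path.
TCP_DIRECTIVES = ("scgi_port", "network.scgi.open_port")
LOCAL_DIRECTIVES = ("scgi_local", "network.scgi.open_local")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.+?)\s*$")

# Constructed sample configs (not taken from any real user's file).
WEAK_RC = """# constructed example: RPC reachable from the network
scgi_port = 0.0.0.0:5000
"""
SAFE_RC = """# constructed example: RPC only on a local socket
network.scgi.open_local = /home/user/.rtorrent.sock
"""


def classify_rpc_binding(directive: str, value: str) -> Tuple[str, str]:
    """Return (severity, explanation) for one RPC directive."""
    if directive in LOCAL_DIRECTIVES:
        return ("ok", f"RPC on Unix socket {value}: reachable only through "
                      f"filesystem permissions on the socket")
    host, _, port = value.rpartition(":")
    host = host.strip("[]")  # allow "[::1]:5000"
    if host in ("", "0.0.0.0", "::", "*"):
        return ("high", f"RPC listens on every interface (port {port}) "
                        f"and rTorrent performs no authentication")
    if host in LOOPBACK:
        return ("medium", f"RPC on loopback {host}:{port}: not reachable from "
                          f"the network, but still unauthenticated for any "
                          f"local process")
    return ("high", f"RPC bound to non-loopback address {host}:{port} "
                    f"with no authentication")


def audit_rtorrent_rc(text: str) -> List[Tuple[str, str, str]]:
    """Scan config text and return (severity, directive, explanation) findings."""
    findings = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0]  # drop trailing/whole-line comments
        m = DIRECTIVE_RE.match(stripped)
        if not m:
            continue
        directive, value = m.group(1), m.group(2).strip().strip('"')
        if directive in TCP_DIRECTIVES or directive in LOCAL_DIRECTIVES:
            sev, why = classify_rpc_binding(directive, value)
            findings.append((sev, directive, why))
    return findings


def worst_severity(findings: List[Tuple[str, str, str]]) -> str:
    """Collapse findings to the single worst level ("none" if no RPC directive)."""
    present = {sev for sev, _, _ in findings}
    for level in ("high", "medium", "ok"):
        if level in present:
            return level
    return "none"


if __name__ == "__main__":
    for name, rc in (("weak", WEAK_RC), ("safe", SAFE_RC)):
        found = audit_rtorrent_rc(rc)
        print(f"{name}: worst={worst_severity(found)}")
        for sev, directive, why in found:
            print(f"  [{sev}] {directive}: {why}")
```

Run it against a real `~/.rtorrent.rc` by reading the file into `audit_rtorrent_rc`; any `high` finding means the RPC interface described in the article is reachable from the network, and the fix is to switch to the `scgi_local` / `network.scgi.open_local` socket form, as the developer recommends.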

The malware downloaded via rTorrent does more than install the miner (software that, while seemingly harmless, consumes the computer's resources). It also scans the system for "competitors" and, if it finds any, tries to delete them so that all resources remain available to it. At the moment it is detected by only 3 of 59 more or less common antivirus engines; that number will probably grow soon.

The rTorrent developer says he cannot release a patch yet, because he does not fully understand what the malware uses to infect the program. If a vulnerability is found, a patch will be released immediately. According to the developer, the malware affects only versions of rTorrent that users have modified. The program has many features, documented and less so, that are used heavily, and the developer cannot check every possible combination and mode of operation.

For now, rTorrent users are advised to check their systems for the virus. The most popular crypto miner today is Coinhive. Its developers say they were unpleasantly surprised by their project's popularity among criminals. "We were amazed at how quickly the code spread," says one team representative. "While working on the project we were rather naive, because we did not believe the miner would be used by cybercriminals. We wanted our code to be used by site owners, openly, warning users about the cryptocurrency mining. But what has happened with Coinhive over the past few weeks is unspeakably strange."

So far it is not entirely clear what to do about crypto miners or how to deal with them. Some antivirus products (most of them) treat any crypto miner as malware; others are indifferent to such programs.

Source: https://habr.com/ru/post/410773/
