BitTorrent DNA Vulnerable to Remote Hijack

A recent reports suggests that the BitTorrent DNA, which is bundled with the mainline client, is an "exploitable" version of uTorrent without the user interface. It is suggested that it is possible for any websites to offload content to the btdna.exe, without the user's consent.

bittorrent dnaBitTorrent DNA is used for p2p streaming of online videos. It works like this; the user who wants to watch a stream has to install the BitTorrent DNA application, which is also bundled with the BitTorrent mainline client. When the user plays a BitTorrent accelerated stream it will not only download data, but also upload it to other people who are watching the same stream, similar to a regular BitTorrent download.

It turns out that the DNA application is almost identical to uTorrent. “All of the resources are there, dialogs, icons, etc. It is a full blown µTorrent client that just doesn’t display it’s User Interface” writes Wefixedtheglitch, who reverse engineered the application.

The algorithm has changed a bit of course. Pieces are no longer picked at random because this doesn’t work for streaming, so it has to start with getting the first bits, first. Another difference between uTorrent and DNA is that the latter has a built in webserver. This server is used to stream media from localhost or 127.0.0.1, but also introduces some vulnerabilities.

Wefixedtheglitch reports: “It is not impossible for ANY website to hijack and offload content onto your “btdna.exe” process. I consider this risk as “HIGH” and do not recommend users to have the “btdna.exe” software installed on their systems due to these risks, especially if your ISP limits/charges you for bandwidth overages.” This claim was backed up by an additional researcher upon TorrentFreak’s request.

This report contradicts an earlier statement from BitTorrent Inc. CEO Ashwin Navin, who told TorrentFreak: “BitTorrent DNA only accelerates content that a user clicks on. It does not anticipate user wants, or pre-load a user’s PC with content they did not explicitly ask for (via an HTTP request from a webpage).”

One thing is for sure, BitTorrent DNA isn’t perfect yet. Several users reported that it slows down their web-browsers, with Linksys router owners being particularly affected. We have contacted the BitTorrent team about this slowdown issue before and they told us that they are working on a fix. I have no doubt that they will also address the security issues if there are any, but for now I think it is better to uninstall the application when you don’t need it.

DNA automatically starts with Windows, and has to be uninstalled separately from the mainline client. It is pretty well hidden and many users probably don’t even know that btdna.exe is running, as its only noticeable when the Windows task manager is opened.

Update: We received a response from BitTorrent Inc.

The blog post suggesting BitTorrent DNA is an “exploitable” version of uTorrent is erroneous. The blogger you cite should have been more diligent in his/her research, but one can hardly expect reliable information from an anonymous blog. While it is possible for any application to send requests through btdna.exe as a simple proxy, the DNA client will only accelerate authorized URLs that are registered by BitTorrent Inc. in the DNA service center. When an authorized URL is passed to the proxy, the DNA client connects to a managed infrastructure that includes a high performance tracker that introduces the client to DNA peers who have also requested the same file. The DNA service center also includes a real-time
dashboard that provides our customers visibility and control over their accelerated content, as well as better management over their entire content delivery infrastructure.

As far as the user is concerned, BitTorrent DNA only receives data that a user requests. Like any BitTorrent transfer, it is ‘private’ in that it never uploads anything you yourself haven’t requested from a webpage. It does not anticipate user wants, or pre-load a user’s PC with content not explicitly requested via an HTTP request from a webpage. Our terms for DNA
require websites to disclose to users why and how DNA improves the experience for video, software, and games with P2P acceleration.

Furthermore, BitTorrent DNA when fully released in BitTorrent mainline will allow users to see and fully control DNA activity through the mainline interface. Currently DNA is being deployed as a stand alone application, but DNA functionality will be added to mainline seamlessly in the future. We have standardized our development for PC clients on the uTorrent codebase. Mainline 6.0 was the first to leverage this codebase, and our DNA client also leverages the uTorrent codebase but includes many new enhancements beyond uTorrent for things like video streaming for example.

Not all P2P video streaming is created equal, and we strive to offer progressively downloaded video maintaining as much of the efficiency “rarest-first” offered in traditional BitTorrent. Making video streaming with BitTorrent work reliably and efficiently is non-trivial engineering, and we’ve spent quite a bit of time getting it to be the best implementation available.

The best place to visualize DNA video in action is here:

Or for full length movies and TV shows here:

Tagged in: , , ,

Share this post

Share on Google+

You May Also Like

c There are 141 comments. Add yours?

comment policy