BitTorrent DNA Vulnerable to Remote Hijack
Written by Ernesto on January 03, 2008A recent reports suggests that the BitTorrent DNA, which is bundled with the mainline client, is an “exploitable” version of uTorrent without the user interface. It is suggested that it is possible for any websites to offload content to the btdna.exe, without the user’s consent.
BitTorrent DNA is used for p2p streaming of online videos. It works like this; the user who wants to watch a stream has to install the BitTorrent DNA application, which is also bundled with the BitTorrent mainline client. When the user plays a BitTorrent accelerated stream it will not only download data, but also upload it to other people who are watching the same stream, similar to a regular BitTorrent download.
It turns out that the DNA application is almost identical to uTorrent. “All of the resources are there, dialogs, icons, etc. It is a full blown µTorrent client that just doesn’t display it’s User Interface” writes Wefixedtheglitch, who reverse engineered the application.
The algorithm has changed a bit of course. Pieces are no longer picked at random because this doesn’t work for streaming, so it has to start with getting the first bits, first. Another difference between uTorrent and DNA is that the latter has a built in webserver. This server is used to stream media from localhost or 127.0.0.1, but also introduces some vulnerabilities.
Wefixedtheglitch reports: “It is not impossible for ANY website to hijack and offload content onto your “btdna.exe” process. I consider this risk as “HIGH” and do not recommend users to have the “btdna.exe” software installed on their systems due to these risks, especially if your ISP limits/charges you for bandwidth overages.” This claim was backed up by an additional researcher upon TorrentFreak’s request.
This report contradicts an earlier statement from BitTorrent Inc. CEO Ashwin Navin, who told TorrentFreak: “BitTorrent DNA only accelerates content that a user clicks on. It does not anticipate user wants, or pre-load a user’s PC with content they did not explicitly ask for (via an HTTP request from a webpage).”
One thing is for sure, BitTorrent DNA isn’t perfect yet. Several users reported that it slows down their web-browsers, with Linksys router owners being particularly affected. We have contacted the BitTorrent team about this slowdown issue before and they told us that they are working on a fix. I have no doubt that they will also address the security issues if there are any, but for now I think it is better to uninstall the application when you don’t need it.
DNA automatically starts with Windows, and has to be uninstalled separately from the mainline client. It is pretty well hidden and many users probably don’t even know that btdna.exe is running, as its only noticeable when the Windows task manager is opened.
Update: We received a response from BitTorrent Inc.
The blog post suggesting BitTorrent DNA is an “exploitable” version of uTorrent is erroneous. The blogger you cite should have been more diligent in his/her research, but one can hardly expect reliable information from an anonymous blog. While it is possible for any application to send requests through btdna.exe as a simple proxy, the DNA client will only accelerate authorized URLs that are registered by BitTorrent Inc. in the DNA service center. When an authorized URL is passed to the proxy, the DNA client connects to a managed infrastructure that includes a high performance tracker that introduces the client to DNA peers who have also requested the same file. The DNA service center also includes a real-time
dashboard that provides our customers visibility and control over their accelerated content, as well as better management over their entire content delivery infrastructure.
As far as the user is concerned, BitTorrent DNA only receives data that a user requests. Like any BitTorrent transfer, it is ‘private’ in that it never uploads anything you yourself haven’t requested from a webpage. It does not anticipate user wants, or pre-load a user’s PC with content not explicitly requested via an HTTP request from a webpage. Our terms for DNA
require websites to disclose to users why and how DNA improves the experience for video, software, and games with P2P acceleration.
Furthermore, BitTorrent DNA when fully released in BitTorrent mainline will allow users to see and fully control DNA activity through the mainline interface. Currently DNA is being deployed as a stand alone application, but DNA functionality will be added to mainline seamlessly in the future. We have standardized our development for PC clients on the uTorrent codebase. Mainline 6.0 was the first to leverage this codebase, and our DNA client also leverages the uTorrent codebase but includes many new enhancements beyond uTorrent for things like video streaming for example.
Not all P2P video streaming is created equal, and we strive to offer progressively downloaded video maintaining as much of the efficiency “rarest-first” offered in traditional BitTorrent. Making video streaming with BitTorrent work reliably and efficiently is non-trivial engineering, and we’ve spent quite a bit of time getting it to be the best implementation available.
The best place to visualize DNA video in action is here:
Or for full length movies and TV shows here:
Previously: Conspiracy Against Shareaza and Open Letter to the Recording Industry
Next: US Pirate Party Endorses Barack Obama
144 Responses
Pages: « 1 [2] 3 4 5 6 » Show All
Notice that BitTorrent Inc. basically ignored the “secure/private” portions of my findings. Their response is lame at best. I will give an exploit on my next blog post to prove their “theory” incorrect about unauthorized offloading of content onto the “btdna.exe”. “btdna.exe” will communicate with “any” tracker not just theirs as they are seemingly stating.
[quote comment="255377"]I will give an exploit on my next blog post to prove their “theory” incorrect about unauthorized offloading of content onto the “btdna.exe”. “btdna.exe” will communicate with “any” tracker not just theirs as they are seemingly stating.[/quote]
And will that exploit show that the your upload bandwidth can be used to serve other users for content which isn’t authorised by BitTorrent Inc?
You guys still seem to be confused. There is no such thing as BitTorrent Inc. authorized content for BitTorrent DNA. BitTorrent DNA is provided for third party use in the first place. Of course it allows all domains to access it, it’s not designed exclusively for Flash players used by BitTorrent Inc, it’s designed for all third parties who sign up for the technology to use.
[quote comment="255492"]There is no such thing as BitTorrent Inc. authorized content for BitTorrent DNA… it’s designed for all third parties who sign up for the technology to use.[/quote]
Which is what I meant. Although anyone could put DNA on their servers, only those servers which have licensed the technology would be able to have their distribution shared (which is what I meant by “authorised”) - in theory…
Cmon propertiary software and closed….
Get rTorrent
Ha a back door for the RIAA. We don’t need BT inc anymore ignore them until they die and use opensource clients. We don’t need their damn BT DNA protocol is fine the way it is.
I’m using uTorrent but Halite is definately my candidate for next bittorrent client. Once a few more features appear then I’ll probably switch. I used Mainline once years ago and it annoyed the crap out of me.
Thanks for the good picture, glitch and Anonymous!
As i see now, there is a lot of work from BitTorrent Inc, to be the client end for download anything.
But the current way is very dangerous for the end user.
Firms want to put more “service” on the internet. The files will be bigger.
So there are two kinds of putting info (===files) to the user.
One way is - BitTorrent has revolutionized - putting and getting hudge file(s)
form distributor to the client. This is for very big data, films and so on, where files resides on the client.
The other way is streaming. This is good for teaching, film and video on demand and so on.
The two technologies have only one thing common - the client program is running on the same machine. And, in that days, the programs are using the TCP/IP technology.
If you want to build a service with streaming, you may buy some good programs. If this is not the way you want, you may use some open source programs. The later has the following problem: you may change and use the changed and better server program for you , internal. If you wonna make money with it, selling the program, you have a
problem.
Short and long videos and streaming, this is comming. Flash is everywhere, most of the user never thing about security risk with it. And this is, why i thank you for this topic.
For streaming, there are standards. The standards are not so bad. Really.
The standard interface in Java has Sun, and Sun has so copyrighted it’s interfacfe, that you, as programer, have only one possibilitiy - forget it. Never look and tuch.
Or, if you do, and write any streaming server or streaming client program, you will have copyright problems.
All you have written come to me as follows.
I tell BitTorrent, i wonna use their “technology”. So, i pay (or something like that, it is not for my blue eyes) and write my special flash stream. Of course, i may write some codes. Some maybe very special and the user may got something
very special if his/her end-IP is one of my favorites.
Here is the point: Flash together with BitTorrent DNA is dangerous. Thank, glitch.
And streaming client with the bittorrent technology - a bad joke.
miniGandalf
Duh?
Alarmist FUD is the reason the U.S.A. is still run by a monkey. . . Do you really want to be on-par with that kind of reporting. Alot of the talk about DNA “improvements” revolves around 2.0, which has yet to have a proposed release date. Presumably it will rely on a new stable version of uTorrent which leverages the features they want to implement. The codebase for “Mainline” will be closed for the same reason the codebase for uTorrent was closed when ludde was the sole proprietor of the client. I forsee BitTorrent 6.0.1/6.1 or they may even jump a version or two to coincide with numbering correlating off the uTorrent basecode version.
Understanding that change doesn’t happen overnight and since BT,Inc. developers have the same limitations as any other developer ADDED to communicating with a sales/marketing department now… when’s the last time a coder spoke in the same tongue as a marketing guy?
To those who complain about service on the forums… it’s a free service, so you should do your OWN due diligence before reporting a problem you’re having. All-in-all keeping issues separate and concise, as in the title in-relation-to the actual content, should be evaluated and followed. I am usually happy with your reporting Ernesto, but this shrieks of “viewership inflation”.
OT: I’m amazed at you Anonymous, you don’t even realize who you’re talking to above… I know who you are azureus developer. Don’t worry the FUD never wins in the end.
All I know is I deleted bittorrent and Btdna is still on my comp using between 2 and 95 percent of my proc limit. This is short cuz my keystroks arent recognized till 5 sec after i press them…agonizing…also new processes are pinger.exe and Apoint.exe…cannot find these readily…anyone wanna give me a place to look?
An update…i found Btdna.exe in program files/DNa can be deleted without return. both pinger and apoint checked out. For reference to the article…As soon as I deleted DNA directory my computer started working same as always…I do not know what it was being used for or by whom…not as smart as most of you here..but it was certainly overloading my system resources…My experience with this program was bad…maybe not same for everyone, but there is definently an issue…I have neither downloaded nor installed any new program or file in the last two days…this issue began this morning…weather or not the program is malicious is beyond me but i suggest avoidance based on my brush with it.
Can you please tell us how you deleted the file, because it doesn’t want to delete here!!
Thanks!!
All you have to do is uninstall DNA in the add/remove programs. You can leave BitTorrent as I did, it hasn’t been a problem so far.
GG windows vista, auto detected and blocked for me :P
Add/remove program
and also gg
[quote comment="268432"]Can you please tell us how you deleted the file, because it doesn’t want to delete here!!
Thanks!![/quote]
Likewise here. Add/Remove software won’t respond when I try to remove this. Anyone have advice? I am also experiencing serious delays in keyboard response since this program appeared, like 2 - 5 seconds. Maddening!
Update here - I went to Program Files/DNA and right-clicked then delete. Seems to have resolved the responsiveness issues. Hope this is an appropriate action, ie. didn’t break something that shows up later.
i have this program, if i delete it.. will my loading videos be gone too? I need some advice.. thnx
I haven’t noticed anything not working, yet.
I don’t like programs that install themselves without my knowledge.
My software firewall says “btdna.exe is trying to transmit e-mail” STMP to a particular IP address. Why e-mail??
i uninstalled bittorrent yesterday and the add/remove programs control panel said that bittorrent had been completely removed from my system. but when i booted up this morning and logged in as the administrator, zonealarm popped up and asked me if i wanted to allow btdna.exe to access the internet.
even after shutting down dna and removing it through the add/remove programs control panel, btdna.exe was left on my computer (in C:\Program Files\DNA), as were all of its plug-ins, two .pf files in the C:\WINDOWS\Prefetch folder, and numerous refences in the registry.
maybe the bittorrent flack would like to respond to this?
i love this site.
3 references to this post
Pages: « 1 [2] 3 4 5 6 » Show All
Responses are closed
All remaining responses will continue to be archived. Use the TorrentFreak forums if you want to discuss something.