BitTorrent Client qBittorrent Used to Spread Cryptomining Malware
Introduction
While BitTorrent client functionality hasn’t fundamentally changed over the past 20 years, developers of leading clients haven’t let their software stagnate.
A good example is the excellent qBittorrent, a feature-rich open source client which still receives regular updates. In common with similar clients, qBittorent can be found on GitHub along with its source and installation instructions.
Proxmox and LXC
For those unfamiliar with Proxmox VE, it’s an environment for virtual machines that once tried becomes very useful, extremely quickly. It’s also free for mere mortals and in most circumstances, very easy to install and get up and running.
With help from various Proxmox ‘helper scripts’ offered by tteck on GitHub (small sample to the right), even beginners can install any of dozens of available software packages in a matter of seconds using LXC containers.
Cryptominer Discovery
In summary, a Proxmox user deployed a tteck script to install qBittorrent and then a month later found his machine being worked hard by cryptomining software known as xmrig. While he investigated the problem, tteck removed the qBittorrent LXC script as a basic precaution, but it soon became clear that neither Proxmox or tteck’s script had anything to do with the problem.
The unwelcome software was indeed installed maliciously, but due to a series of avoidable events, rather than a genius hack.
Attacker Told qBittorrent to Run an External Program
To allow users to automate various tasks related to downloading and organizing their files, qBittorrent has a feature that can automatically run an external program when a torrent is added and/or when a torrent is finished.
The options here are limited only by the imagination and skill of the user but unfortunately the same applies to any attacker with access to the client’s web interface.
Easily Avoided
The default admin username for qBittorrent is ‘admin’ while the default password is ‘adminadmin’. Had these common-knowledge defaults been changed following install, the attacker would still have found the web interface but would’ve had no useful credentials for conventional access.
More fundamentally, possession of the correct credentials would’ve had limited value if the qBittorrent client hadn’t used UPnP to expose the web interface in the first place. Taking another step back, if UPnP hadn’t been enabled in the user’s router, qBittorrent would’ve had no access to UPnP, and wouldn’t have been able to forward ports or expose the interface to the internet.
In summary: disable UPnP in the router and only enable it once its function is fully understood and when absolutely necessary. Never leave default passwords unchanged, and if something doesn’t need to be exposed to the internet, don’t expose it unnecessarily.
Finally, it’s worth mentioning that tteck‘s response, to a problem that had nothing to do with Proxmox or his scripts, has been first class. Anyone installing the qBittorrent LXC from here will find the default admin password changed and UPnP disabled automatically.
Any time saved can be spent on automated installs of Plex, Tautulli, Emby, Jellyfin, Jellyseerr, Overseerr, Navidrome, Bazarr, Lidarr, Prowlarr, Radarr, Readarr, Sonarr, Tdarr, Whisparr, and many, many more.
