story

UTorrent.com compromised, malware added to installer (opens in new tab)

blog.bittorrent.com

100 pointsemilw14y ago37 comments

37 comments

As far as I remember, uTorrent has an internal auto-update functionality that interrogates the server for a new version. I wonder how well that is secured and if owning utorrent.com is enough to distribute a malicious update to all users unfortunate enough to start the application while owned.

I'm very wary about auto-updates that pull executables (as opposed to merely data) in this way. It's one thing for Chrome to do it, I assume Google does it in a way that's safe. But freeware/shareware projects? Not so much. Hell, who's to say the authors don't lose interest in two years and let the domain expire. I had one freeware or open-source app that didn't even have the courtesy of asking, it just pulled fresh binaries and restarted -- ouch. (At least you could disable this feature in the preference.)

jbk14y ago

For example, VLC (and, IIRC, Firefox) uses asymetric crypto to sign the update messages and the binaries. And the private keys are in none of the VideoLAN servers, but in other secret locations.

So, if the server is hacked, or a DNS is spoofed, you cannot make auto-update pull broken/malware binaries.

The problem is that, if your update process is buggy in some release, you loose those users forever...

pdaddyo14y ago

Just since you mentioned Chrome's updating mechanism, it is a fascinating approach that they took: http://www.chromium.org/developers/design-documents/software...

wslh14y ago

Yes, but it's very difficult to setup outside Google.

vogonj14y ago

courgette is just a binary diff algorithm -- there's nothing fancy to it (they use some really neat tricks, though), and apparently (I haven't verified) the source is in the chromium tree.

validating your updates via asymmetric crypto can be mildly expensive (http://www.verisign.com/code-signing/content-signing-certifi... lists Windows Authenticode certificates at $400/yr) but is within the realm of a small company.

setting up a Google-scale CDN and writing a reliable push update framework? that's the hard part.

4 more replies

vogonj14y ago

from what I've gleaned from being a uTorrent user, it interrogates the server for a .torrent file and then downloads that torrent from a tracker they run. presumably, anyone who owns the host of the .torrent, or anyone who owns the tracker, could own the update download -- though I'm not sure whether they use technologies like code signing at all to verify that the bits are their own.

eyko14y ago

I stopped using it since it wasn't open source. Worse when it became infested with "optional" ~~adware~~ search bar.

ntoshev14y ago

I installed it recently and even though I tried being careful not to install anything unnecessary, it tricked me into it! There was a checkbox saying something like "accept terms and conditions and install Bing toolbar", and I only readbthe beginning and left it checked as Eulas have conditioned me (of course I had accepted terms and conditions of utorrent before that).

baddox14y ago

Optional adware I can deal with in an otherwise open source application, but I've never understood why anyone would use a closed source bittorrent client if they ever plan on committing copyright infringement.

DrJ14y ago

still using the last-open source version with the auto-updater disabled!

kenny_r14y ago

May I suggest Deluge (http://deluge-torrent.org/)?

It's open-source, cross-platform and very similar to µTorrent in both functionality and looks.

wladimir14y ago

Transmission ( http://www.transmissionbt.com/ ) is an open source torrent client with a nice web interface (as well as native interface) just like Deluge.

I think it is somewhat lighter resource-wise (I'm running it on my NAS), but apart from that I don't know the exact differences between Deluge and Transmission, but I thought I'd mention it for completeness' sake.

1 more reply

linker300014y ago

Just watch out for the latest (1.3.3) Windows release - it (or one of the bundled dependencies) seems very broken and I had to revert to the previous version to make things work again.

aptwebapps14y ago

Can I choose which files to download before it puts empties on the file system?

1 more reply

skeptical14y ago

Interesting, I've been using deluge for many years, had no idea they had a build that runs on windows.

Deluge has all the features I want on a torrent client, I will replace my uTorrent installations on windows by deluge.

ordinary14y ago

I'm pretty sure uTorrent was never open source. The mainline client was, though.

itsnotvalid14y ago

The current "mainline" one is simply the same as utorrent, with a different name.

DrJ14y ago

my mistake it wasn't oss, it was the last version before BitTorrent began bundling it into installers.

latitude14y ago

For those on Windows, here is a bit of code that can be used to validate Authenticode signature of the update package.

https://github.com/apankrat/assorted/blob/master/validate_pa...

Basically the idea is to get an Authenticode certificate and sign the update .exe with it. Then, when a program checks for an update and pulls it down, it would validate the package signature and will not proceed if the details - the application and the certificate subject names - are wrong. It is as simple as it gets.

streptomycin14y ago

And this is one of many reasons I love that almost all my software is installed through a secure package manager.

agravier14y ago

pacman cough cough sorry I just lost it for a second...

agravier14y ago

Some explanation to counter those terrible downvotes: Pacman, the package manager of Archlinux, is not implementing the verification of package signatures. It's a recurrent issue in the Arch community.

ga2arch14y ago

It seems things are changing http://allanmcrae.com/2011/08/pacman-package-signing-3-pacma...

j / k navigate · click thread line to collapse

37 comments

morsch14y ago

jbk14y ago

For example, VLC (and, IIRC, Firefox) uses asymetric crypto to sign the update messages and the binaries. And the private keys are in none of the VideoLAN servers, but in other secret locations.

So, if the server is hacked, or a DNS is spoofed, you cannot make auto-update pull broken/malware binaries.

The problem is that, if your update process is buggy in some release, you loose those users forever...

pdaddyo14y ago

Just since you mentioned Chrome's updating mechanism, it is a fascinating approach that they took: http://www.chromium.org/developers/design-documents/software...

wslh14y ago

Yes, but it's very difficult to setup outside Google.

vogonj14y ago

courgette is just a binary diff algorithm -- there's nothing fancy to it (they use some really neat tricks, though), and apparently (I haven't verified) the source is in the chromium tree.

setting up a Google-scale CDN and writing a reliable push update framework? that's the hard part.

4 more replies

vogonj14y ago

eyko14y ago

I stopped using it since it wasn't open source. Worse when it became infested with "optional" ~~adware~~ search bar.

ntoshev14y ago

baddox14y ago

DrJ14y ago

still using the last-open source version with the auto-updater disabled!

kenny_r14y ago

May I suggest Deluge (http://deluge-torrent.org/)?

It's open-source, cross-platform and very similar to µTorrent in both functionality and looks.

wladimir14y ago

Transmission ( http://www.transmissionbt.com/ ) is an open source torrent client with a nice web interface (as well as native interface) just like Deluge.

1 more reply

linker300014y ago

Just watch out for the latest (1.3.3) Windows release - it (or one of the bundled dependencies) seems very broken and I had to revert to the previous version to make things work again.

aptwebapps14y ago

Can I choose which files to download before it puts empties on the file system?

1 more reply

skeptical14y ago

Interesting, I've been using deluge for many years, had no idea they had a build that runs on windows.

Deluge has all the features I want on a torrent client, I will replace my uTorrent installations on windows by deluge.

ordinary14y ago

I'm pretty sure uTorrent was never open source. The mainline client was, though.

itsnotvalid14y ago

The current "mainline" one is simply the same as utorrent, with a different name.

DrJ14y ago

my mistake it wasn't oss, it was the last version before BitTorrent began bundling it into installers.

latitude14y ago

For those on Windows, here is a bit of code that can be used to validate Authenticode signature of the update package.

https://github.com/apankrat/assorted/blob/master/validate_pa...

streptomycin14y ago

And this is one of many reasons I love that almost all my software is installed through a secure package manager.

agravier14y ago

pacman cough cough sorry I just lost it for a second...

agravier14y ago

ga2arch14y ago

It seems things are changing http://allanmcrae.com/2011/08/pacman-package-signing-3-pacma...

j / k navigate · click thread line to collapse