Extracting the BitTorrent DNA
BitTorrent, Inc. describes their DNA as “a content delivery service that uses a secure, private, managed peer network to power faster, more reliable, more efficient delivery of richer content. BitTorrent DNA works with your existing CDN or origin servers, seamlessly accelerating your downloads or HTTP media streams.”.
Source: http://www.bittorrent.com/dna/
I describe the DNA as “a figment of their imagination”, however that is not enough so I will explain my reasoning in this article.
Firstly, what exactly does the DNA consist of? There are several portions: an executable win32 binary named “btdna.exe”, a plugin for Firefox named “npbtdna.dll”, JavaScript named “btdna.js”, a Flash/Flex interface, and web services that serve up .torrent meta information to said executable.
Let’s have some fun and explore what exactly “btdna.exe” is, what it actually consists of, what it’s capable of and the origin of its existence.
In this exercise I will be using an executable unpacker, a software debugger, a hardware debugger, a disassembler, a packet sniffer and an md5 tool.
There is no version information contained in the “btdna.exe” binary itself, however the md5 hash before unpacking is 1S7V8-A916B-VWMGL-RNLH3-QN6SA and the md5 after unpacking is 1S7V8-A916B-VWMGL-RNLH3-QN6SA. This will suffice for accuracy’s sake in this experiment and we will refer to this as “btdna_unpacked.exe”.
The very first interesting thing I noticed is that the unpacked binary replicates itself to the install directory, so launching “btdna_unpacked.exe” creates “btdna.exe”, but since it is already unpacked the copy is too. This behavior is much like the µTorrent binary itself.
I have found a version number in “btdna_unpacked.exe” which looks exactly like µTorrent version numbers.
00444C9A |. 68 60AE4700 PUSH btdna.0047AE60 ; UNICODE "DNA 2.0 Beta (build 6132) "
I am going to go ahead and close the case that “btdna.exe” is no more than µTorrent. The following excerpts of code are also found in µTorrent:
0042AA8F |. 68 F4854500 PUSH btdna.004585F4 ; /Arg1 = 004585F4 ASCII "/gui/guest.html"
0042B383 |. 68 34844500 PUSH btdna.00458434 ; ASCII "Unable to read webui.zip"
00436631 |. BA 30A64500 |MOV EDX,btdna.0045A630 ; ASCII "******* List of unknown strings in the language file: ******* "
Explore the following directory and then, for comparison, explore “C:\Documents and Settings\Owner\Application Data\uTorrent”.
00436978 |. BE 30E64600 |MOV ESI,btdna.0046E630 ; UNICODE "C:\Documents and Settings\Owner\Application Data\DNA\"
Does “btdna.exe” transfer data over encrypted channels?
No, BitTorrent, Inc. is simply lying about being both “secure and private”. In fact the only thing resembling encryption in “btdna.exe” is PHE (protocol header encryption), which is simply an obfuscation layer to get around ISPs throttling traffic and is available in most any other torrent client.
How does the “btdna.exe” work? How does it speed up flash movies?
This is easy: “btdna.exe” is simply an HTTP proxy for the Flash wrapper around the movie that you view in your browser. The “btdna.exe” process simply gets the metadata (a .torrent) from the site visited, loads it up and starts a normal BitTorrent transfer, however the piece picker has been changed so that rarest-first is no longer the case, as that would not work when trying to stream media. Now that “btdna.exe” is chunking away just like regular BitTorrent, the Flash/Flex movie that you see opens an HTTP connection to “btdna.exe”’s built-in webserver and streams the media from localhost, i.e. 127.0.0.1.
What is the webserver running in “btdna.exe” called?
00421665 |. 68 58714500 PUSH btdna.00457158 ; ASCII "HTTP/1.1 200 OK %s%sServer: BitTorrent_DNA_Proxy/1.0 Connection: close
Do flash web applications have access to “btdna.exe”?
Yes in fact they do over a TCP socket. The following code was found in “btdna_unpacked.exe”:
db '<?xml version="1.0"?><cross-domain-policy><allow-access-from domain="*" /></cross-domain-policy>'
db '/crossdomain.xml'
This is a policy file that determines whether a Flash or Flex application can access 127.0.0.1:0. The first thing a Flash/Flex application does when attempting to connect to your local machine is check for this “crossdomain.xml” policy file; if it exists, is valid and allows the domain, then the Flash/Flex application running inside your browser can make TCP socket connections to the service, in this case “btdna.exe”. That is how the Flash/Flex movie gets access to the content that “btdna.exe” has downloaded thus far.
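As an added example (not code from this article or from BitTorrent, Inc.), the following Python audits a policy file of this kind: it parses a constructed HTTP response of the shape btdna.exe’s built-in webserver would return for /crossdomain.xml, reads the Server banner quoted above, and reports whether a page on a given domain would be granted socket access. The response body and the requesting domain are constructed assumptions, and the domain matching follows the Flash policy rules (“*” matches any host, “*.example.com” matches the domain and its subdomains, anything else is exact).

```python
import xml.etree.ElementTree as ET

# Constructed sample (assumption): a localhost service answering a
# /crossdomain.xml request with the wildcard policy and the Server
# banner found in btdna_unpacked.exe.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: BitTorrent_DNA_Proxy/1.0\r\n"
    "Connection: close\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    '<cross-domain-policy>'
    '<allow-access-from domain="*" />'
    '</cross-domain-policy>'
)

def split_response(raw):
    """Return (headers dict keyed in lower case, body) from a raw HTTP/1.1 response."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def allowed_domains(policy_xml):
    """List every domain pattern the policy grants socket access to."""
    root = ET.fromstring(policy_xml)
    return [el.get("domain", "") for el in root.iter("allow-access-from")]

def domain_matches(pattern, domain):
    """Flash policy matching: '*' is any host, '*.x' is x or a subdomain, else exact."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return domain == pattern[2:] or domain.endswith(pattern[1:])
    return pattern == domain

def audit(raw_response, requesting_domain):
    """Summarise what the served policy lets a page on requesting_domain do."""
    headers, body = split_response(raw_response)
    patterns = allowed_domains(body)
    return {
        "server": headers.get("server", ""),
        "wildcard": "*" in patterns,  # any site on the web may connect
        "page_allowed": any(domain_matches(p, requesting_domain) for p in patterns),
    }
```

A wildcard result is the finding to act on: it means any page the user visits, not just the content site, can open sockets to the local proxy.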
Is “btdna.exe” simply the BitTorrent stack from µTorrent?
No, in fact all of the resources are there: dialogs, icons, etc. It is a full-blown µTorrent client that just doesn’t display its user interface.
I’d like to sum up this article with several things of concern that I will touch on in a later in-depth article. Using the information provided by “btdna.js” and a packet trace of the Flash/Flex movie talking to it over TCP, it is not impossible for ANY website to hijack and offload content onto your “btdna.exe” process. I consider this risk “HIGH” and do not recommend that users have the “btdna.exe” software installed on their systems due to these risks, especially if your ISP limits or charges you for bandwidth overages.
What gets me the most is that this 60-employee, well-funded company is seemingly incompetent at writing their own code, solutions, etc… What are they doing with their investors’ money?
**glitch
wefixedtheglitch (at) gmail.com