The curious case of JDownloader VNC access

While strolling the interweb through Shodan a couple of nights back, I noticed a lot of VNC instances with disabled authentication that allow remote access to JDownloader. For those unfamiliar with the software, JDownloader is a download manager that apparently has remote access features, one of which is through VNC.

I started the Shodan search using the queries below; I believe they should produce similar results in Shodan.

"authentication disabled" port:5900,5901
"vnc authentication disabled"
"RFB 003.008"
authentication disabled product:"VNC"

After seeing a lot of JDownloader VNC instances without authentication, I filtered further by adding "jdownloader", or used the “Images” tab to quickly understand the results.

Drilling into the statistics, I can currently see 153 instances of JDownloader VNC with disabled auth, 149 of them on the default port (5900). These instances are mostly located in Germany, South Korea, and Italy, while the USA is number four.

Trend-wise, these instances started in mid-2023 (June-August) and have just kept going up until today (January figures are incomplete).

On the other hand, VNC instances without authentication are, in general, going down in the statistics, as shown below:

JDownloader is not new software; it’s quite old. The current version, version 2, was released in 2011, so it was kinda weird seeing a lot of them configured with disabled-auth VNC 🤔

I tested the official executable and it did not have VNC access enabled by default. I also tried the suggested Docker image (not maintained by the JDownloader team); this image has a clear warning that HTTP and VNC connections are unencrypted and without a password. However, running it requires users to manually set up port forwarding for VNC (HTTP is what their example script uses, but not VNC). If that's the case, this new trend is unlikely to come from the Docker image.

I believe the JDownloader instances we're seeing are installed through a NAS, self-hosting suite, or another platform where users can easily install it using a simple interface, thus the VNC without authentication.

That’s all I have for this late-night stroll in the interweb post. To close, here is an attempt where an actor (likely an automated script) tries to download and run an executable via PowerShell, not caring that the command falls into a JDownloader UI instead of a shell.


Written by

Ewaldo Simon Hiras

I am a digital forensics and incident response professional with an interest in various topics of information security. I enjoy leisure running 🏃‍♂️ and PC games.