Researchers at security software company ESET have found a remotely-updating DDOS functionality built into a popular Windows download manager, Orbit Downloader.
The DDOS function appears to have been in the program for some time. When the orbitdm.exe program is run, it starts a series of communications with the servers at orbitdownloader.com, the end result of which is that the client system silently downloads via HTTP a Win32 PE DLL and a configuration file containing a list of URLs and a randomly-generated IP address for each.
This program and the list are used to conduct either a SYN flood attack or a wave of HTTP connection requests on port 80 (the HTTP port) and UDP datagrams on port 53 (DNS). The IP address that accompanied the URL in the config file is used as the source address for the attack.
In ESET's tests they have seen about a dozen versions of the DLL and the contents of the config file change frequently. This indicates that the DDOS net of Orbit Downloader users is being actively managed. Below is a sample of one of the config files.
ESET expresses surprise that such an attack would be included in such a popular program. It is a distinct possibility that the company's web site has been compromised by an outside attacker who is using it and the software unbeknownst to the proprietors of Orbit Downloader.
At the time of this writing, a vulnerable version (220.127.116.11) was still available for download on the company's site, and the URLs used for downloading the attack code and config file were still live.