ESET reports trojan in Orbit Downloader

Summary: A popular Windows download manager contains a DDoS component that is silently controlled from the company's web servers and used to attack third-party URLs.


Researchers at security software company ESET have found remotely updated DDoS functionality built into Orbit Downloader, a popular Windows download manager.

The DDoS function appears to have been in the program for some time. When orbitdm.exe runs, it starts a series of exchanges with servers at orbitdownloader.com, the end result of which is that the client system silently downloads over HTTP a Win32 PE DLL and a configuration file containing a list of target URLs, each paired with a randomly generated IP address.

This DLL and the list are used to conduct either a SYN flood attack or a wave of HTTP connection requests on port 80 (the HTTP port), together with UDP datagrams to port 53 (DNS). The IP address paired with each URL in the config file is used as the source address for that attack traffic.
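The behaviour just described has two properties a network defender can look for from the outside: the client emits SYN-only packets to port 80 and UDP datagrams to port 53 at a rate no download manager needs, and the source address on that traffic is not one the host actually owns. The following script is an added example, not code from the article or from ESET, that runs both checks over a small set of constructed flow records; the record format, the thresholds, the documentation-range addresses and the local prefix 192.0.2.0/24 are all assumptions made for the example. Anything it reports as a spoofed source is exactly the traffic an egress anti-spoofing (BCP 38) filter at the network edge would drop.

```python
"""Flag the two signals of the Orbit Downloader DDoS traffic described above:
(1) source addresses that do not belong to the local network (spoofed),
(2) bursts of SYN-only packets to tcp/80 or datagrams to udp/53 per target.
Added example with constructed data; the flow format is hypothetical."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds, relative
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags, e.g. "S" for SYN-only; "" for UDP


# Constructed sample in the form "ts proto src dst dport flags" ("-" = no flags).
# 192.0.2.0/24 is the assumed local network; everything else is forged.
SAMPLE_LOG = """\
0.00 tcp 192.0.2.10    203.0.113.5  443 S    # legitimate TLS connection
0.05 tcp 192.0.2.10    203.0.113.5  443 A
1.00 tcp 198.51.100.77 203.0.113.9  80  S    # SYN flood, spoofed source
1.01 tcp 198.51.100.77 203.0.113.9  80  S
1.02 tcp 198.51.100.77 203.0.113.9  80  S
1.03 tcp 198.51.100.77 203.0.113.9  80  S
1.04 tcp 198.51.100.77 203.0.113.9  80  S
1.05 tcp 198.51.100.77 203.0.113.9  80  S
2.00 udp 198.51.100.23 203.0.113.9  53  -    # UDP/53 wave, spoofed source
2.01 udp 198.51.100.23 203.0.113.9  53  -
2.02 udp 198.51.100.23 203.0.113.9  53  -
2.03 udp 198.51.100.23 203.0.113.9  53  -
2.04 udp 198.51.100.23 203.0.113.9  53  -
3.00 tcp 192.0.2.10    203.0.113.44 80  S    # one ordinary HTTP SYN
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed flow format; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, proto, src, dst, dport, flags = line.split()
        flows.append(Flow(float(ts), proto, src, dst, int(dport),
                          "" if flags == "-" else flags))
    return flows


def spoofed_sources(flows: list[Flow], local_net: str) -> set[str]:
    """Source addresses outside the local prefix: what a BCP 38 egress filter drops."""
    net = ipaddress.ip_network(local_net)
    return {f.src for f in flows if ipaddress.ip_address(f.src) not in net}


def flood_candidates(flows: list[Flow], window: float = 1.0,
                     threshold: int = 5) -> dict[tuple[str, str, int], int]:
    """Map (dst, proto, dport) -> peak count of attack-shaped packets in any
    sliding window of `window` seconds, keeping only targets at/above threshold."""
    buckets: dict[tuple[str, str, int], list[float]] = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dport == 80 and f.flags == "S":
            buckets[(f.dst, "tcp", 80)].append(f.ts)
        elif f.proto == "udp" and f.dport == 53:
            buckets[(f.dst, "udp", 53)].append(f.ts)
    result = {}
    for key, times in buckets.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the window's left edge forward
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            result[key] = best
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("spoofed sources:", sorted(spoofed_sources(flows, "192.0.2.0/24")))
    for (dst, proto, port), n in flood_candidates(flows).items():
        print(f"flood candidate: {dst} {proto}/{port} peak {n} packets/window")
```

The rate check alone would also trip on a busy but honest client; the spoofed-source check is the stronger signal here, because a host that sends packets with addresses it does not own has no legitimate reason to do so.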

In ESET's tests they have seen about a dozen versions of the DLL, and the contents of the config file change frequently. This indicates that the DDoS net of Orbit Downloader users is being actively managed. Below is a sample of one of the config files.

[Image: a sample il.php config file for the DDoS in Orbit Downloader]

ESET expresses surprise that such an attack would be included in such a popular program. It is a distinct possibility that the company's web site has been compromised by an outside attacker who is using it and the software unbeknownst to the proprietors of Orbit Downloader.

At the time of this writing, a vulnerable version (4.1.1.18) was still available for download on the company's site, and the URLs used for downloading the attack code and config file were still live.



Talkback

3 comments
  • These apps

    I've seen hundreds of cases like these. People install a program they normally use and then suddenly one day their entire PC is hijacked.

    Bittorrent, StarDock, anything from Adobe and all these so called 'Downloaders' and video players all end up being portals to download more crud to your PC.

    I will stick to managing my PCs like Soviet Russia. Nothing gets installed unless I trust the source or they allow me to manage their so called 'updates'.
    Dreyer Smit
  • Possible scheme from the beginning.

    If I were to be a 'hacker,' I'd be smart about it. It's stupid to put your 'hack' code (like this) inside a relatively obscure and unknown, and definitely not trusted program. You have to develop an application that people use, want, and trust.

    Then once you have the userbase you need, you begin your DDOS attacks or whatever.

    For me though:
    1. I can't code lol
    2. There's no company I hate enough
    3. I don't have any ideas for good freeware programs.

    But if I WERE, I would do it like Orbit Downloader.
    SirProudNoob
  • Eset Online Scanner

    Tho' I find what I believe to be some false positives, I like running their Online Scanner from time to time on my Units to be worthwhile as another layer of defence. Eset finds little uglies even Malwarebytes, AVG and SuperAntiSpyware miss. Seemingly innocuous but devilishly dangerous anyway.
    PreachJohn