DDoS Weapon Found Hidden in Orbit Downloader

ESET has reported that in evaluating the Orbit Downloader it found something completely unexpected

The problem is that adware is also a legitimate means of paying for a free app – it is a value judgement to decide when this legitimacy is stretched too far (see, for example, spider.io’s exposé of Sambreel earlier this month). To make this judgement, AV researchers have to evaluate the code of applications that could potentially be unwanted, to see exactly what they do.

Now ESET has reported that in evaluating the Orbit Downloader it found something completely unexpected. “Orbit Downloader has been around since at least 2006, and like many programs these days, is available for free,” notes Aryeh Goretsky in the ESET blog. “The developer, Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements in order to generate revenue.”

This is fairly standard and acceptable – the user is able to decide whether receipt of the advertisements is a fair exchange for the free application. What is less acceptable, however, is what ESET actually found: “additional code for performing Denial of Service (DoS) attacks.” This code appears to have been added to orbitdm.exe, the main executable module for Orbit Downloader, at some point between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013).

The code communicates with a server at orbitdownloader.com which ultimately provides the URLs to be attacked. ESET doesn’t say whether or how often the attack tool may have been used in the past, but makes it very clear how effective it could be. “Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks.”

In its own tests, “HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam. These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl; different ranges may have been used in the past, though, and could change in future versions of the DLL file.”
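The traffic ESET describes has a property a network operator can check for at the edge: the forged source addresses do not belong to the network the packets are leaving. The following is an added example (not code from ESET, Innoshock or this article) that applies that BCP 38-style egress rule to constructed flow records; the site prefix, switch ports and flow counts are assumptions, and the "foreign" sources are documentation ranges rather than the real ranges from the report.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site only legitimately sources packets from these prefixes
# (constructed documentation range, not a real allocation).
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed egress flow records from one 60-second collection window:
# (switch port, source IP, destination IP, destination port, packet count).
WINDOW_SECONDS = 60
FLOWS = [
    ("gi1/0/7",  "203.0.113.40",  "192.0.2.10", 443, 120),        # normal client
    ("gi1/0/12", "198.51.100.17", "192.0.2.77", 80,  4_200_000),  # forged source
    ("gi1/0/12", "198.51.100.203", "192.0.2.77", 80, 4_200_000),  # forged source
    ("gi1/0/3",  "198.51.100.9",  "192.0.2.5",  80,  30),         # forged, low rate
]


def is_spoofed(src, prefixes):
    """A source address outside every site prefix cannot legitimately
    leave this network (BCP 38 egress rule)."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in prefixes)


def spoofed_pps_by_port(flows, prefixes, window_seconds):
    """Packets per second carrying a forged source address, per switch port."""
    packets = defaultdict(int)
    for port, src, _dst, _dport, count in flows:
        if is_spoofed(src, prefixes):
            packets[port] += count
    return {port: n / window_seconds for port, n in packets.items()}


def flag_ports(flows, prefixes, window_seconds, threshold_pps):
    """Ports whose forged-source rate looks like a flood rather than a stray
    misconfiguration; the port identifies the physical host to isolate."""
    rates = spoofed_pps_by_port(flows, prefixes, window_seconds)
    return sorted(p for p, r in rates.items() if r >= threshold_pps)


if __name__ == "__main__":
    for port, rate in spoofed_pps_by_port(FLOWS, SITE_PREFIXES, WINDOW_SECONDS).items():
        print(f"{port}: {rate:.1f} spoofed pps")
    print("flagged:", flag_ports(FLOWS, SITE_PREFIXES, WINDOW_SECONDS, 1000))
```

On the constructed data, port gi1/0/12 shows the 140,000 pps figure from ESET's test and is flagged, while the low-rate stray on gi1/0/3 is reported but not flagged.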

For now, ESET is blocking Orbit Downloader builds that include the DoS code. “In the meantime, until Innoshock, the developer of Orbit Downloader, explains this behavior and/or releases an updated version without this unwanted functionality,” says Goretsky, “we recommend uninstalling this program and using a different file downloader.”

Infosecurity has asked Innoshock for a comment, but has not received a response in time for this article.
