Orbit Downloader hacked, turns users into DDoS bots

Denial of service function tested on Ku Klux Klan site.

Denial of service attack capabilities have been found in popular media program Orbit Downloader.


The Windows program integrates into web browsers and has been downloaded more than 1.5 million times from the website Softpedia and 18,000 times last month alone from rival Softonic. It was still available for download on both sites.

But Eset researchers led by Aryeh Goretsky said the program appeared to have been compromised since late 2008 – infecting users since December last year – with a script that turned user machines into zombie nodes for distributed denial of service (DDoS) attacks.

[Image: Softonic warning]

“Given the age and popularity of Orbit Downloader, the program might be generating gigabits or more of network traffic, making it an effective tool for DDoS attacks,” Goretsky said in a post.

“Sometime between the release of version 4.1.1.14 and version 4.1.1.5, an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader.

“[Until] the developer of Orbit Download explains this behaviour and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader.”

The researchers found a compromised script which had been encoded with base64 and XORed with a fixed 32-character string.

After installation, a .dll file was silently downloaded. It contained one function that downloads an obfuscated configuration file listing the targets, and another that executes the SYN flood DDoS attack.
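The two obfuscation steps named above (base64 encoding and XOR against a fixed 32-character string) are simple to reverse once the key is known, which is how an analyst recovers the target list from a captured configuration file. The following is an added, self-contained Python illustration, not Eset's code or anything shipped with Orbit Downloader; the key, the sample configuration and the order of the two steps (XOR first, then base64) are assumptions, since the article states neither the key nor the order.

```python
import base64
from itertools import cycle

# Constructed 32-character key standing in for the fixed string the article
# mentions; the real key is not given on the page.
XOR_KEY = b"0123456789abcdefghijklmnopqrstuv"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating fixed-length key.

    XOR is its own inverse, so the same call both obfuscates and recovers.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: bytes, key: bytes = XOR_KEY) -> str:
    """Assumed obfuscation order: XOR first, then base64 for text-safe transport."""
    return base64.b64encode(xor_with_key(plaintext, key)).decode("ascii")


def deobfuscate(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Analyst-side reversal: base64-decode, then XOR with the same fixed key."""
    return xor_with_key(base64.b64decode(blob), key)


def extract_targets(config: bytes) -> list[str]:
    """Return one entry per non-empty, non-comment line of a recovered config.

    Outbound SYN traffic from an affected host toward these entries is the
    network indicator a defender would hunt for.
    """
    lines = config.decode("utf-8", "replace").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]


# Constructed sample, standing in for the il.php configuration file the
# article's screenshot shows; reserved example hostnames only.
SAMPLE_CONFIG = b"# constructed sample\nexample.invalid:80\nexample.test:443\n"

if __name__ == "__main__":
    blob = obfuscate(SAMPLE_CONFIG)
    recovered = deobfuscate(blob)
    assert recovered == SAMPLE_CONFIG
    for target in extract_targets(recovered):
        print("target listed in recovered config:", target)
```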

Researchers said the malicious authors appeared to have tested the DDoS functionality on the Ku Klux Klan web site.

In Eset tests, HTTP connection requests were sent at 140,000 packets per second with fake source addresses originating from Vietnamese IP ranges.

Eset, Kaspersky, Trend Micro and Ikarus were the only anti-virus applications to flag the latest version of the program as malicious, according to VirusTotal tests.

[Image: A screen shot showing one of the il.php configuration files]

Copyright © SC Magazine, Australia
