Orbit Downloader hacked, turns users into DDoS bots

By on
Orbit Downloader hacked, turns users into DDoS bots

Denial of service function tested on Klu Klux Klan site.

Denial of service attack capabilities have been found in popular media program Orbit Downloader.

The Windows program integrated into web browsers and was downloaded more than 1.5 million times from website Softpedia and 18,000 times last month alone from rival Softonic. It was still available for download on these sites.

But Eset researchers led by Aryeh Goretsky said the program appeared to have been compromised since late 2008 – infecting users December last year – with a script that turned user machines into zombie nodes for distributed denial of service (DDoS) of service attacks.


Softonic warning
Softonic warning

“Given the age and the popularity of Orbit Downloader means that the program might be generating gigabits or more of network traffic, making it an effective tool for DDoS attack,” Goretsky said in a post.

“Sometime between the release of version and version, an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader.

“[Until] the developer of Orbit Download explains this behaviour and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader.”

The researchers found a compromised script which had been encoded with base64 and XORed with a fixed 32-character string.

A .dll file was silently downloaded after installation that contained a function that downloads an obfuscated configuration file containing a list of targets, and another which executes the SYN flood DDoS attack.

Researchers said the malicious authors appeared to have tested the DDoS functionality on the Ku-Klux Clan web site.

In Eset tests, HTTP connection requests were sent at 140,000 packets per second with fake source addresses orginating from Vietnam IP ranges.

Eset, Kaspersky, Trend Micro and Ikarus were the only anti-virus applications to flag the latest program as malicious according to VirusTotal tests


A screen shot showing one of the il.php configuration files
A screen shot showing one of the il.php configuration files
Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

In Partnership With

Most Read Articles

Log In

Username / Email:
  |  Forgot your password?