Popular Windows downloader has secret DDoS capability

Unbeknownst to its users and perhaps even to its developers, the popular Windows download manager Orbit Downloader has been outfitted with a DDoS component.

The Orbit Downloader has been around since 2006. That and the fact that it is available for download for free (although bundled with some potentially unwanted applications) has made it popular with many, many users.

The DDoS component has been discovered by ESET researchers while doing a routine examination of the software, and subsequent analysis of previous versions has shown that it was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013).

The thing functions like this: the installed software contacts Orbit Downloader’s server (at orbitdownloader.com) to download a configuration file containing a list of target URLs and IP addresses, and a Win32 PE DLL file to perform the attack against them.

The software can perform two types of DDoS attacks, depending on whether a third-party tool (WinPcap) is bundled with the Orbit Donwloader.

When this tool is present, the software sends specially crafted TCP SYN packets to the targeted machines on port 80, and masks the sources of the attacks with random IP addresses. If WinPcap is not present, OD sends a wave of HTTP connection request on port 80 and UDP datagrams on port 53 to the targeted machines.

“These attacks, while basic, are effective due to their throughput: On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” the researchers noted.

Further analysis of older versions of the software revealed that the DoS functionality has been present for some time – since 2008 to be exact – in a different program file and would download configuration files from another server.

So far, it is unclear whether Orbit Downloader’s were complicit in all this or the software and its website have long been compromised by outside attackers.

The latest vulnerable version of the software is still available for download from the official site, but has been removed from popular file download sites MajorGeeks and Softpedia. Hopefully other will follow their example.

In the meantime, ESET has decided to make its AV software detect all versions of Orbit Downloader with DoS functionality. Trend Micro, Kaspersky Land and Ikarus decided to follow suit, at least for the latest version of OD.

Users are advised to deinstall the software and choose another one for their needs.