Downloader has Built-in DDoS

Friday, August 23, 2013 @ 04:08 PM gHale

The popular Windows download manager Orbit Downloader comes equipped with a distributed denial of service (DDoS) component, researchers said.

Orbit Downloader has been around since 2006; that longevity and the fact that it is a free download have made it popular.


The DDoS component, discovered by ESET researchers while doing a routine examination of the software, was added to orbitDM.exe sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013).

How it works: The installed software contacts Orbit Downloader’s server (at orbitdownloader.com) to download a configuration file containing a list of target URLs and IP addresses, along with a Win32 PE DLL file that performs the attack against them, the researchers said.

The software can perform two types of DDoS attack, depending on whether a third-party packet capture library (WinPcap) is bundled with the Orbit Downloader installation.

When WinPcap is present, the software uses it to inject raw packets: it sends specially crafted TCP SYN packets to port 80 on the targeted machines and masks the source of the attack with randomized IP addresses. When WinPcap is not present, Orbit Downloader is limited to ordinary sockets and instead sends a wave of HTTP connection requests on port 80 and UDP datagrams on port 53 to the targeted machines.

“These attacks, while basic, are effective due to their throughput: On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” the researchers said in a blog post.
http://www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool/
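As an added example, not ESET's code or anything from the article or from Orbit Downloader itself, the following Python script shows how the two attack modes described above look from the egress side of an infected network, and how a simple per-target, per-second counter can separate them: a SYN flood to TCP/80 whose source addresses are overwhelmingly outside the local prefix (the WinPcap mode, where spoofing is possible), versus a plain connection flood to TCP/80 paired with UDP/53 datagrams from the real host address (the socket-only mode). The local prefix 192.0.2.0/24, the thresholds, the record format and the traffic sample are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local address space of the monitored network (RFC 5737 documentation
# range). Any other source address seen leaving the network is treated as spoofed.
LOCAL_NET = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Pkt:
    """Minimal egress packet record (constructed; not a real capture format)."""
    ts: float              # seconds since capture start
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    syn_only: bool = False  # TCP segment with SYN set and ACK clear


def detect_flood(pkts, window=1.0, threshold=1000, spoof_ratio=0.9):
    """Return one alert per (target, time window) whose egress traffic matches
    either Orbit Downloader mode. Thresholds are assumptions; tune per site."""
    stats = defaultdict(lambda: {"syn80": 0, "udp53": 0, "srcs": set()})
    for p in pkts:
        s = stats[(p.dst, int(p.ts // window))]
        if p.proto == "tcp" and p.dport == 80 and p.syn_only:
            s["syn80"] += 1
            s["srcs"].add(p.src)
        elif p.proto == "udp" and p.dport == 53:
            s["udp53"] += 1

    alerts = []
    for (dst, bucket), s in sorted(stats.items()):
        spoofed = sum(1 for a in s["srcs"] if ip_address(a) not in LOCAL_NET)
        ratio = spoofed / len(s["srcs"]) if s["srcs"] else 0.0
        if s["syn80"] >= threshold and ratio >= spoof_ratio:
            # Raw SYNs with forged sources: the WinPcap-backed mode.
            alerts.append({"target": dst, "window": bucket,
                           "mode": "spoofed_syn_flood",
                           "pps": s["syn80"] / window,
                           "spoofed_sources": spoofed})
        elif s["syn80"] >= threshold and s["udp53"] >= threshold:
            # Real connection attempts plus UDP/53: the socket-only mode.
            alerts.append({"target": dst, "window": bucket,
                           "mode": "http_udp_flood",
                           "pps": (s["syn80"] + s["udp53"]) / window,
                           "spoofed_sources": spoofed})
    return alerts


def sample_traffic():
    """Constructed sample: one second of traffic leaving an infected network."""
    pkts = []
    # Mode 1: 1500 SYNs to 203.0.113.10:80 with forged, non-local sources
    # (source addresses fabricated from 100.64.0.0/10 purely for illustration).
    for i in range(1500):
        pkts.append(Pkt(i / 1500, f"100.64.{i // 256}.{i % 256}",
                        "203.0.113.10", "tcp", 80, syn_only=True))
    # Mode 2: 1200 real HTTP connection attempts plus 1200 UDP/53 datagrams
    # from the infected host 192.0.2.7 to 203.0.113.20.
    for i in range(1200):
        pkts.append(Pkt(i / 1200, "192.0.2.7", "203.0.113.20", "tcp", 80, syn_only=True))
        pkts.append(Pkt(i / 1200, "192.0.2.7", "203.0.113.20", "udp", 53))
    # Benign background: a handful of web and DNS requests to another host.
    for i in range(5):
        pkts.append(Pkt(i / 5, "192.0.2.8", "203.0.113.30", "tcp", 80, syn_only=True))
        pkts.append(Pkt(i / 5, "192.0.2.8", "203.0.113.30", "udp", 53))
    return pkts


if __name__ == "__main__":
    for alert in detect_flood(sample_traffic()):
        print(alert)
```

Run stand-alone, the script prints two alerts: a spoofed SYN flood against 203.0.113.10 with 1500 forged sources, and an HTTP-plus-UDP/53 flood against 203.0.113.20 from the real host address; the five benign requests to 203.0.113.30 stay below threshold. The spoof-ratio check is the useful part in practice: a host emitting SYNs from addresses it does not own is something an egress filter (BCP 38 style) would block outright, so the same counter can drive a block rule rather than just an alert.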

Further analysis of older versions of the software revealed that denial of service (DoS) functionality had been present for some time, since 2008, in a different program file, which downloaded its configuration files from another server.

The latest affected version of the software is still available for download from the official site, but it has been removed from file download sites such as MajorGeeks and Softpedia.


