Malware, Patch/Configuration Management, Vulnerability Management

Orbit Downloader found capable of malicious activity

Researchers at security company ESET have discovered the popular file-downloading utility Orbit Downloader contains a remotely-updating distributed denial-of-service attack (DDoS) capability.

Orbit Downloader is a program that allows users to download files more quickly over the internet and also allows them to install videos and music not typically meant for download, such as streaming videos from YouTube or Vimeo. 

"The program does these functions," ESET researcher Aryeh Goretsky told SCMagazine.com on Monday, "but also has an undesirable hidden feature that, when it's running, it can take over a computer's network connection and use it to send blasts of data over the network connection to other computers that it's been told to target."

When a single computer is performing this type of attack, it is referred to as a denial-of-service (DoS). When thousands or millions of Orbit Downloader users are – unknowingly, in this case – performing the attack, then it is referred to as a distributed denial-of-service (DDoS).

According to the ESET post, two types of attacks have been observed. One is a kind of DDoS attack known as a SYN flood, which sends a high number of SYN requests to a target to make its system unresponsive, and another where TCP packets are sent containing HTTP connection requests.

Users will recognize the attack is happening because their network connection will be reduced to a sluggish crawl, Goretsky explained, adding the DDoS behavior does not occur every time the program is run.

He added that the program updated at one point to be more selective about the number of computers performing the attack, but without knowing any motivations behind the findings, the researcher could only speculate that it was an attempt to be more covert.

Who has been on the receiving end of the attack has varied, but Goretsky and his research team have observed attacks on Vietnamese websites, as well as the targeting of the Ku Klux Klan website.

"As far as I know, this is unprecedented," Goretsky said. "We've seen programs get affected before unintentionally. We've seen programs used maliciously. We don't typically see software come from a developer with attack code built into it and getting updated."

Goretsky said that when the program is downloaded it initially does not contain the DDoS functionality until it checks for an update that, when run, downloads the module that performs the attack from the author's website,  which in turn allows for surreptitious updates and changes of behavior.

What makes this particularly dangerous is that the program could theoretically be customized to do anything a piece of malware could, including stealing information, displaying advertisements or locking the system with ransomware, Goretsky said.

Orbit Downloader was created in 2006, but Goretsky said the malicious behavior was not seen until earlier this year. He said the ESET researchers will continue to monitor if the module is being used to attack computers, and they will also look into other programs and software produced by Orbit Downloader developer Innoshock. 

Innoshock has not responded to ESET following the post, according to Goretsky, and the software developer did not immediately respond to a query from SCMagazine.com.

Goretsky said ESET researchers began looking into the program in May for fairly routine inspection purposes. Quickly noting that the program was executing unwanted malicious behavior, the researchers began recommending that users uninstall the utility and replace it with another program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.