Popular Windows download manager Orbit Downloader contains malicious additional code designed to launch DDoS attacks, researchers at security software company ESET recently discovered. The function was added at some point between versions 126.96.36.199, released on December 25, 2012, and 188.8.131.52, released on January 10, 2013. Experts have questioned why such a high-profile piece of software would contain such code, and some have suggested that it was implanted by outside attackers through the use of a Web vulnerability.
ESET’s researchers discovered the DDoS component while researching potential junk add-ons included with Orbit Downloader, a free tool that makes its money by bundling in third-party offers and software. Orbit is one of the most popular utilities for improving download speeds and downloading embedded online content such as YouTube videos. Similar programs have been discovered to be vectors for malware, according to researcher and security blogger Graham Cluley. Nonetheless, the sudden appearance of dangerous code in such a popular tool is unusual, ESET noted.
A malicious component
In affected versions of Orbit Downloader, a component that has been added to orbitdm.exe sends a download request to the company’s server, which then points to a Win32 PE DLL file. This file, which is encrypted to avoid detection, appears to be configured to download a list of URLs to target with DoS attacks and then carry these attacks out.
“These attacks, while basic, are effective due to their throughput: On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” researchers wrote. “These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl, different ranges may have been used in the past, though, and could change in future versions of the DLL file.”
The DoS functionality appears to have originally existed in a program file called orbitnet.exe, which downloaded its configuration file from the address static.koramgame.com rather than the orbitdownloader.com domain. The version of orbitnet.exe containing the DoS code (version 184.108.40.206) also does not appear to have been bundled with any of the installation packages released by Orbit Downloader, which contains version 220.127.116.11 of orbitnet.exe. It is possible that it was a file downloaded post-installation or that it was distributed through other means, IDG News Service reported.
Where it came from
ESET noted that Orbit’s business model of bundling other software is common for such freeware programs, but the inclusion of dangerous code is more surprising, particularly given the program’s popularity. Developer Innoshock has not responded to inquiries about the issue, and ESET has added it to its malware database.
“While we are just as puzzled as everyone else as to why this popular file downloading utility now contains remotely-updating DDoS functionality, we are taking action to protect ESET’s users from it,” the company stated.
One way to account for the recent appearance of the code may be that Orbit Downloader’s website was targeted by attackers exploiting a vulnerability, ZDNet’s Larry Seltzer suggested. As a result they might have been able to take advantage of both the software and the servers to carry out DoS attacks.
If this is the case, it’s a firm reminder to developers that their programs can unexpectedly become vectors for malware distribution. In some instances, such attacks are even carried out by disgruntled internal stakeholders. Securing Web application code and building security checks into programming processes to catch unexpected functions are essential for ensuring the software security of popular tools remains intact. With approaches such as peer code review and source code analysis, organizations can detect issues with their software on an ongoing basis.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.