|mogs||ESET reports trojan in Orbit Downloader|
|24th Aug, 2013 20:32|
User Since: 22nd Apr, 2009
System Score: 100%
Summary: A popular Windows downloader contains a DDOS program that is silently controlled by the company's web servers to conduct attacks on 3rd party URLs.
By Larry Seltzer for Zero Day | August 22, 2013 -- 20:55 GMT (21:55 BST)
Researchers at security software company ESET have found a remotely-updating DDOS functionality built into a popular Windows download manager, Orbit Downloader.
The DDOS function appears to have been in the program for some time. When the orbitdm.exe program is run, it starts a series of communications with the servers at orbitdownloader.com, the end result of which is that the client system silently downloads via HTTP a Win32 PE DLL and a configuration file containing a list of URLs and a randomly-generated IP address for each.
This program and the list are used to conduct either a SYN flood attack or a wave of HTTP connection requests on port 80 (the HTTP port) and UDP datagrams on port 53 (DNS). The IP address that accompanied the URL in the config file is used as the source address for the attack.
In ESET's tests they have seen about a dozen versions of the DLL and the contents of the config file change frequently. This indicates that the DDOS net of Orbit Downloader users is being actively managed. Below is a sample of one of the config files.
ESET expresses surprise that such an attack would be included in such a popular program. It is a distinct possibility that the company's web site has been compromised by an outside attacker who is using it and the software unbeknownst to the proprietors of Orbit Downloader.
At the time of this writing, a vulnerable version (18.104.22.168) was still available for download on the company's site, and the URLs used for downloading the attack code and config file were still live.