
Orbit Downloader found capable of malicious activity


Researchers at security company Eset have found that the popular file-downloading utility Orbit Downloader contains a remotely updated distributed denial-of-service (DDoS) attack capability.


Orbit Downloader is a program that lets users download files more quickly over the internet and also lets them save videos and music that are not normally offered for download, such as streaming video from YouTube or Vimeo.


"The program does these functions," Eset researcher Aryeh Goretsky told SCMagazine.com on Monday, "but also has an undesirable hidden feature that, when it's running, it can take over a computer's network connection and use it to send blasts of data over the network connection to other computers that it's been told to target."


When a single computer performs this type of attack, it is referred to as a denial-of-service (DoS) attack. When thousands or millions of Orbit Downloader users perform it at once, unknowingly in this case, it is referred to as a distributed denial-of-service (DDoS) attack.


According to the Eset post, two types of attack have been observed. One is a SYN flood, in which a large volume of TCP SYN requests is sent to the target so that its system becomes unresponsive; the other is a flood of TCP packets carrying HTTP connection requests.
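The two traffic patterns described above are what a network defender would look for on the wire. The following is an added example, not code from Eset or from the Orbit Downloader analysis: a small detector that flags the two patterns over a constructed set of packet records. The `Packet` layout, the documentation-range IP addresses and the thresholds are all assumptions made for the example and are not taken from the Eset report.

```python
"""
Added example (not from Eset or the article): detect a SYN flood and an
HTTP-request flood over a list of packet records.

Assumptions (not from the original report):
  - each packet is a Packet(ts, src, dst, dport, flags, payload) record,
    as a simple sensor or pcap parser might emit it;
  - thresholds are illustrative, not tuned from real captures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Start line of an HTTP/1.x request, as carried in a TCP payload.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds
    src: str
    dst: str
    dport: int
    flags: str           # TCP flags as letters, e.g. "S", "A", "PA"
    payload: bytes = b""


def _max_in_window(timestamps, window):
    """Largest number of events falling inside any `window`-second span."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_syn_flood(packets, window=1.0, threshold=100, max_ack_ratio=0.1):
    """(src, dst, dport) tuples that sent >= threshold bare SYNs in one
    window and almost never completed the handshake with an ACK."""
    syns, acks = defaultdict(list), defaultdict(int)
    for p in packets:
        key = (p.src, p.dst, p.dport)
        if p.flags == "S":
            syns[key].append(p.ts)
        elif "A" in p.flags and "S" not in p.flags:
            acks[key] += 1
    return sorted(
        key for key, ts in syns.items()
        if _max_in_window(ts, window) >= threshold
        and acks[key] <= max_ack_ratio * len(ts)
    )


def detect_http_flood(packets, window=1.0, threshold=50):
    """(src, dst, dport) tuples that sent >= threshold HTTP request lines
    in one window; these connections do complete, so SYN counting misses them."""
    reqs = defaultdict(list)
    for p in packets:
        if HTTP_REQUEST.match(p.payload):
            reqs[(p.src, p.dst, p.dport)].append(p.ts)
    return sorted(k for k, ts in reqs.items()
                  if _max_in_window(ts, window) >= threshold)


def sample_traffic():
    """Constructed packets (not a real capture): one well-behaved client,
    one SYN flooder and one HTTP-request flooder."""
    get = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    pkts = []
    # Normal client: three complete handshakes, one GET each, one per second.
    for i in range(3):
        t = float(i)
        pkts += [Packet(t, "192.0.2.10", "203.0.113.5", 80, "S"),
                 Packet(t + 0.01, "192.0.2.10", "203.0.113.5", 80, "A"),
                 Packet(t + 0.02, "192.0.2.10", "203.0.113.5", 80, "PA", get)]
    # SYN flood: 300 bare SYNs in half a second, never acknowledged.
    pkts += [Packet(0.5 + i * 0.5 / 300, "192.0.2.77", "198.51.100.10", 80, "S")
             for i in range(300)]
    # HTTP flood: 80 full handshakes plus GETs inside one second.
    for i in range(80):
        t = 2.0 + i / 80
        pkts += [Packet(t, "192.0.2.88", "203.0.113.5", 80, "S"),
                 Packet(t + 0.001, "192.0.2.88", "203.0.113.5", 80, "A"),
                 Packet(t + 0.002, "192.0.2.88", "203.0.113.5", 80, "PA", get)]
    return pkts


def run():
    pkts = sample_traffic()
    return {"syn_flood": detect_syn_flood(pkts),
            "http_flood": detect_http_flood(pkts)}


if __name__ == "__main__":
    print(run())
```

The two detectors are deliberately separate: a SYN flooder never completes the handshake, so bare SYNs with almost no following ACKs are the signal, while an HTTP-request flooder completes every connection and is only visible by counting request lines. Running the block prints the one flooding source for each pattern and nothing for the well-behaved client.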


Users may notice that the attack is under way because their network connection slows to a crawl, Goretsky explained, adding that the DDoS behaviour does not occur every time the program is run.


He added that at one point the program was updated to be more selective about how many computers took part in the attack; without knowing the motivation behind this, the researcher could only speculate that it was an attempt to be more covert.


Who has been on the receiving end of the attack has varied, but Goretsky and his research team have observed attacks on Vietnamese websites, as well as the targeting of the Ku Klux Klan website.


"As far as I know, this is unprecedented," Goretsky said. "We've seen programs get affected before unintentionally. We've seen programs used maliciously. We don't typically see software come from a developer with attack code built into it and getting updated."


Goretsky said that a freshly downloaded copy of the program does not contain the DDoS functionality. It arrives when the program checks for an update: the update downloads the module that performs the attack from the author's website, and the same mechanism allows the behaviour to be changed surreptitiously later.


What makes this particularly dangerous is that the program could theoretically be customised to do anything a piece of malware could, including stealing information, displaying advertisements or locking the system with ransomware, Goretsky said.


Orbit Downloader was created in 2006, but Goretsky said the malicious behaviour was not seen until earlier this year. He said the Eset researchers will continue to monitor if the module is being used to attack computers, and they will also look into other programs and software produced by Orbit Downloader developer Innoshock. 


Innoshock has not responded to Eset following the post, according to Goretsky, and the software developer did not immediately respond to a query from SCMagazine.com.


Goretsky said Eset researchers began looking into the program in May for fairly routine inspection purposes. Having quickly noticed that it was executing unwanted malicious behaviour, the researchers began recommending that users uninstall the utility and replace it with another program.
