
Orbit Downloader found capable of malicious activity


Researchers at security company Eset have discovered the popular file-downloading utility Orbit Downloader contains a remotely-updating distributed denial-of-service attack (DDoS) capability.


Orbit Downloader is a program that allows users to download files more quickly over the internet and also lets them save videos and music not typically meant for download, such as streaming videos from YouTube or Vimeo.


"The program does these functions," Eset researcher Aryeh Goretsky told on Monday, "but also has an undesirable hidden feature that, when it's running, it can take over a computer's network connection and use it to send blasts of data over the network connection to other computers that it's been told to target."


When a single computer is performing this type of attack, it is referred to as a denial-of-service (DoS). When thousands or millions of Orbit Downloader users are – unknowingly, in this case – performing the attack, then it is referred to as a distributed denial-of-service (DDoS).


According to the Eset post, two types of attacks have been observed. One is a kind of DDoS attack known as a SYN flood, which sends a high number of SYN requests to a target to make its system unresponsive, and another where TCP packets are sent containing HTTP connection requests.
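The two behaviours Eset describes, a SYN flood and bursts of TCP packets carrying HTTP requests, leave a recognisable pattern on the network side: a host that opens far more connections per second than it ever completes, or that fires many HTTP requests at one destination in a short span. The following script is an added illustration of that detection logic, not code from Eset or from the article; it runs over a small set of constructed flow records (the hosts, addresses and counts are made up for the example, not observed Orbit Downloader traffic), and the thresholds are assumptions a defender would tune to their own baseline.

```python
"""Flag hosts whose outbound traffic looks like a SYN flood or an HTTP
request flood, using per-source counts over a sliding time window.
Constructed sample data only; thresholds are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


@dataclass(frozen=True)
class Flow:
    ts: float          # seconds since capture start
    src: str           # source host
    dst: str           # destination host
    dport: int         # destination port
    flags: str         # TCP flag letters: S=SYN, A=ACK, P=PSH
    payload: bytes = b""


def build_sample():
    """Constructed flow records: one normal host completing a few TLS
    handshakes, and one host emitting a SYN burst and an HTTP GET burst."""
    flows = []
    for i in range(3):                       # normal browsing, full handshakes
        t = i * 2.0
        flows += [Flow(t, "10.0.0.5", "93.184.216.34", 443, "S"),
                  Flow(t + 0.05, "10.0.0.5", "93.184.216.34", 443, "A"),
                  Flow(t + 0.10, "10.0.0.5", "93.184.216.34", 443, "PA", b"\x16\x03\x01")]
    for i in range(200):                     # 200 SYNs in half a second, never completed
        flows.append(Flow(5.0 + i * 0.0025, "10.0.0.9", "203.0.113.10", 80, "S"))
    for i in range(60):                      # 60 GET requests in one second to one target
        flows.append(Flow(7.0 + i / 60, "10.0.0.9", "203.0.113.20", 80, "PA",
                          b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
    return sorted(flows, key=lambda f: f.ts)


def max_in_window(timestamps, window):
    """Largest number of events falling inside any span of `window` seconds."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def syn_flood_suspects(flows, window=1.0, syn_threshold=100, max_completion=0.1):
    """Return {src: (peak_syns_per_window, completion_ratio)} for hosts that
    send more than syn_threshold SYNs in any window and complete the handshake
    (send a bare ACK) for fewer than max_completion of them."""
    syn_times = defaultdict(list)
    bare_acks = defaultdict(int)
    for f in flows:
        if f.flags == "S":
            syn_times[f.src].append(f.ts)
        elif f.flags == "A":
            bare_acks[f.src] += 1
    suspects = {}
    for src, times in syn_times.items():
        peak = max_in_window(times, window)
        completion = bare_acks[src] / len(times)
        if peak > syn_threshold and completion < max_completion:
            suspects[src] = (peak, completion)
    return suspects


def http_flood_suspects(flows, window=1.0, request_threshold=30):
    """Return {(src, dst): peak_requests_per_window} for source/destination
    pairs exchanging more HTTP requests per window than request_threshold."""
    req_times = defaultdict(list)
    for f in flows:
        if f.payload.startswith(HTTP_METHODS):
            req_times[(f.src, f.dst)].append(f.ts)
    return {pair: max_in_window(times, window)
            for pair, times in req_times.items()
            if max_in_window(times, window) > request_threshold}


if __name__ == "__main__":
    sample = build_sample()
    print("SYN flood suspects:", syn_flood_suspects(sample))
    print("HTTP flood suspects:", http_flood_suspects(sample))
```

Run against real data, the records would come from a flow exporter or a packet capture on the egress side; the point of the two checks is that a SYN flood shows up as a high SYN rate with almost no completed handshakes, while an HTTP request flood is visible as an abnormal request rate toward a single destination, which is the sluggish-connection symptom the article describes seen from the network rather than the user.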


Users will recognise the attack is happening because their network connection will be reduced to a sluggish crawl, Goretsky explained, adding the DDoS behaviour does not occur every time the program is run.


He added that the program updated at one point to be more selective about the number of computers performing the attack, but without knowing any motivations behind the findings, the researcher could only speculate that it was an attempt to be more covert.


Who has been on the receiving end of the attack has varied, but Goretsky and his research team have observed attacks on Vietnamese websites, as well as the targeting of the Ku Klux Klan website.


"As far as I know, this is unprecedented," Goretsky said. "We've seen programs get affected before unintentionally. We've seen programs used maliciously. We don't typically see software come from a developer with attack code built into it and getting updated."


Goretsky said that when the program is downloaded it initially does not contain the DDoS functionality; it acquires it only after checking for an update, which downloads the module that performs the attack from the author's website. That update channel in turn allows for surreptitious updates and changes of behaviour.


What makes this particularly dangerous is that the program could theoretically be customised to do anything a piece of malware could, including stealing information, displaying advertisements or locking the system with ransomware, Goretsky said.


Orbit Downloader was created in 2006, but Goretsky said the malicious behaviour was not seen until earlier this year. He said the Eset researchers will continue to monitor whether the module is being used to attack computers, and they will also look into other programs and software produced by Orbit Downloader developer Innoshock.


Innoshock has not responded to Eset following the post, according to Goretsky, and the software developer did not immediately respond to a query from


Goretsky said Eset researchers began looking into the program in May for fairly routine inspection purposes. Quickly noting that the program was executing unwanted malicious behaviour, the researchers began recommending that users uninstall the utility and replace it with another program.
