Orbit Downloader includes DDoS code, says ESET

First released back in 2006, Orbit Downloader’s ease of use and lengthy feature list helped make it one of the most successful download managers around. And so it’s all the more surprising that new research by ESET claims the program includes a component designed to assist in distributed denial-of-service (DDoS) attacks.

Starting with version 4.1.1.15, the main Orbit Downloader executable has apparently been communicating with the orbitdownloader.com site, silently downloading a DLL file and retrieving configuration data.

The DLL file includes a function called SendHTTP. And this, in turn, will download a list of targets -- again from the orbitdownloader.com site -- and carry out one of at least two possible attacks (SYN floods or regular TCP packets).

Whatever is happening here, it’s apparent that someone has done their best to hide it. The DDoS configuration file is encoded in base64, for instance, then further transformed with a password embedded in the DLL. Even if you were monitoring your network traffic closely, there would be nothing here to attract attention.

It’s not clear how actively this DDoS component has been used, if at all. ESET’s research talks of some empty or initialized configuration files, and it’s possible the module remains in a testing stage.

There’s no way to tell who’s responsible yet, either. An explanation from developers Innoshock would be welcome, but with their last blog entry dated 2009, and the official Orbit forum seemingly abandoned to spammers, this may not happen in a hurry. (Although maybe the apparent disappearance of any close project management is part of the explanation in itself.)

We’re not willing to wait, though, and have today pulled Orbit Downloader from the DownloadCrew.com site (the page exists, but the download link now points to ESET’s report). It will remain offline until the situation has been resolved to our satisfaction. And given what ESET has discovered, it’s hard to see how that will ever happen.