johndoe Posted August 23, 2013 Share Posted August 23, 2013 (edited) Orbital Decay: the dark side of a popular file downloading toolBY ARYEH GORETSKY POSTED 21 AUG 2013 AT 11:59AM [UPDATE: Popular file download site MajorGeeks has removed Orbit Downloader from their site. 2013-08-23 19:00 AG] IntroductionOrbit Downloader by Innoshock is a popular file downloading add-on for web browsers, used not only to speed up the transfer of files over the Internet but also for its ability to download embedded videos from popular streaming video sites like YouTube.Figure 1 – Orbit DownloaderOrbit Downloader has been around since at least 2006, and like many programs these days, is available for free. The developer, Innoshock, generates its revenue from bundled offers, such asOpenCandy, which is used to install third-party software as well as to display advertisements in order to generate revenue.This type of advertising arrangement is normal behavior these days and one of the things that ESET’s researchers regularly look at when determining whether or not a program is to be classified as a Potentially Unwanted Application (PUA). While that process is likewise fairly routine for ESET’s researchers, it is one which requires careful examination because the reasons for which programs may be classified as a PUA vary on a case-by-case basis.Criminals understand that computer users want to download files and streamed videos and have already begun to take advantage of the situation, as computer security researcher Graham Cluley noted in a post on his blog, “Is that YouTube Video Downloader browser plugin safe? Beware!“What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks, which is exactly what our threat researchers found during an otherwise routine examination of the Orbit Downloader software package. Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks. ESET identifies versions of Orbit Downloader containing this attack code as Win32/DDoS.Orbiter.A. Orbital MechanicsSometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013), an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader. Here is what it does:When orbitdm.exe is run, it sends a HTTP GET request to Orbit Downloader’s server at. The server responds with two URLs containing further information: The first URL, named “url“, currently responds with the URL which points to the location of a Win32 PE DLL file that is silently downloaded by the software. So far, ESET’s researchers have seen more than a dozen different versions of this DLL file. The second URL, named “param“, initially responded with an URL oflanguage Several days ago, this switched tolanguage For both URLs, the language variable was set to ENU for English, SKY for Slovak and so forth. The second URL, “param“, seems to generate a response via HTTP POST based on the language parameter sent to the server in Step 1. Most of the time the configuration files were not very interesting to look at, consisting of zero values such as:[update]begintime=00000000000000endtime=00000000000000We did, however, observe one interesting response that stood out:[update]url=http://www.kkk.comexclude=param=200It is unclear to us why the Ku-Klux Clan’s web site was chosen, as no similar sites were seen during our monitoring. This may have simply been a test by the tool’s authors to verify it was working.This screenshot from a packet capture shows the HTTP GET requests from Orbit Downloader as it downloads the configuration file used to target the attack and the DLL used to perform them: Figure 2: example of HTTP GET requestsExamination of the Win32 PE DLL by ESET’s researchers reveals an exported function with the nameSendHTTP which performs two actions: The first action is to download an obfuscated configuration file from containing a list of targets to attack. The second action is to perform the attack against the targets listed in the configuration file.Here is a screen shot showing one of the il.php configuration files: Figure 3: example of il.php fileOnce extracted, entries appear in the format of a URL, followed by an equal sign “=” and an IP address. Here are some entries from another il.php configuration file we examined: bbs1.tanglongs.com/2DClient_main.swf=210.245.122.119tanglongs.com/static/script/jquery-1.7.1.min.js=118.69.169.103The first portion of an entry, the URL, is the target of the DoS attack. The source IPs are randomly generated. In some instances, we downloaded blank il.php configuration files. This may have meant there were no current targets.Two types of attacks have been observed: If WinPcap is present, specially crafted TCP SYN packets are sent to the targeted machines on port 80, with random source IP addresses. This kind of denial of service attack is known as a SYN flood. It should be noted that WinPcap is a legitimate third-party tool bundled with many programs and is otherwise unrelated to this attack. If WinPcap is not present, TCP packets are sent containing an HTTP connection request on port 80 and UDP datagrams on port 53 to the targeted machines. These attacks, while basic, are effective due to their throughput: On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam. These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl, different ranges may have been used in the past, though, and could change in future versions of the DLL file. Orbit EccentricityAs mentioned above, the configuration file downloaded from Orbit Downloader’s server is encrypted to avoid casual examination. The first step is that files are encoded in base64, an encoding scheme most often used to send binary files as file attachments. After decoding, the data is then XORed with a fixed 32-character string. That 32-character string is actually the MD5 hash of a 9-character password that is hardcoded into the DLL file. After this operation, each pair of consecutive bytes areXORed together to generate a single byte of plaintext.While each download of the encrypted data from the server varies, the actual content, once converted to plaintext, has remained constant for considerably longer periods of time. Historical OrbitsLooking through older versions of Orbit Downloader, it appears that the DoS functionality has been present for some time, if not actively used, in a program file named orbitnet.exe, and notorbitDM.exe like current version. Also, this older version downloaded its configuration file fromstatic.koramgame.com and not from the orbitdownloader.com domain. Curiously, the version of orbitnet.exe containing the DoS code (version 2.6.0.7) does not appear to be bundled with any of the installation packages released by Orbit Downloader, although an older version, 2.6.0.4, appears to be distributed with the current version of Orbit Downloader, version 4.1.1.18, released May 2, 2013. ConclusionWhile we are just as puzzled as everyone else as to why this popular file downloading utility now contains remotely-updating DDoS functionality, we are taking action to protect ESET’s users from it. Beginning with virus signature database 8604, versions of Orbit Downloader with DoS functionality are detected by ESET’s software as Win32/DDoS.Orbiter.A.In the meantime, until Innoshock, the developer of Orbit Download explains this behavior and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader.The following are the MD5 hashes of files analyzed in this article: 036b2f895fa1d64a1f1821ce9f61a56b1896b319f5f5b101c028066c659c354e1ce53a55317ae1f7eaef65b6241c66c828c22bac5621f058deb67ea9d7249de933544b3c3de8113847f8a676bbdf2db63988b798439e7d2deb03bb265cb9277a3cbe133243e78e15445ad70fd33fc66744d9dbe00e0396dbbac0efb3631bd8a1809d5a4af232f08f88d315b116e478289e898210781061805844cc90cb77d3bd9ef50486265891aff5542c3581934ab3aaeb12d4b2498fb271d50fb31f4e1d5dbd80f4eec1246289d3d735d8d0c7a57ec21c7845b4f9510f9f18e4da284a5af5d3a2438ee876a8780dfee73b8d266118d8595fcc4ccbd7a742455ed30b156d69e16366ee9ae1086bc86a719eaeebeb7bf76c4e8ebcc79aa16f4254ed219a2857f99c2446ddaa5ee9ebaf2abbc70d4a94 I would like to thank my colleagues Daniel, David, Hugo, Jean-Ian, Peter and Pierre-Marc for their research and assistance with this article. Aryeh Goretsky, MVP, ZCSEDistinguished Researcher Author Aryeh Goretsky, We Live SecuritySource / Direct link to article Edited August 23, 2013 by 7h3Pr3d47oR Edit title. Link to comment Share on other sites More sharing options...
TuFaS Posted August 23, 2013 Share Posted August 23, 2013 Thanks 4 sharing! Link to comment Share on other sites More sharing options...
insanedown58 Posted August 23, 2013 Share Posted August 23, 2013 This has been posted numerous times but more clarification about the information would be more than appreciated. :DThough I don't use programs like these mainly because I am satisfied with my download speeds, I think its a real douchebag move by Innoshock to turn a what seemed to be very reputable service to a cracked up DDoSing machine. Link to comment Share on other sites More sharing options...
Mr Orus Posted August 23, 2013 Share Posted August 23, 2013 Thanks for sharing.* Topic moved to Software News. Link to comment Share on other sites More sharing options...
MITHI PRASAD Posted August 23, 2013 Share Posted August 23, 2013 I was previously very long back using orbit downloader until they stopped updating firefox addon.How is the browser integration now Link to comment Share on other sites More sharing options...
Ambrocious Posted August 23, 2013 Share Posted August 23, 2013 I'm just sad that this once good download manager did this...wtf. Link to comment Share on other sites More sharing options...
Siddharta Posted August 23, 2013 Share Posted August 23, 2013 It should be removed from the frontpage immediately! <_< Link to comment Share on other sites More sharing options...
Administrator Lite Posted August 23, 2013 Administrator Share Posted August 23, 2013 It should be removed from the frontpage immediately! <_<Actually we haven't listed the downloads for this since July.We are leaving the malware note for this for the short-term to help users be aware of this. Link to comment Share on other sites More sharing options...
debebee Posted August 24, 2013 Share Posted August 24, 2013 I've abandoned ODL in favor of FDM and IDM Link to comment Share on other sites More sharing options...
Recommended Posts