August 26, 2013 at 11:49Orbit Downloader download manager used for DDoS attacks
The program Orbit Downloader (Innoshock) is a download manager (download manager) and is used to speed up downloading files from the Internet, and also contains the ability to download videos from popular services, for example, YouTube. It has been released since at least 2006 and, like many other programs, is available for free use. The developer of this download manager receives revenue from installers such as OpenCandy , which is used to install third-party software and allows you to display advertisements for profit.
This type of advertising is already a fairly typical phenomenon and is one of the reasons why ESET analysts can rank such software as a Potentially Unwanted Application (PUA) family. A similar process of classifying programs for PUA is a rather routine work for analysts and requires a thorough study of all the details, since the reasons why software can be attributed to PUA are determined individually.
Cybercriminals understand that many users can fall into the trap of phishing when they are offered the opportunity to download files from video hosting services and use this for their own purposes, so you need to be careful when you try to download a program or browser extension that is presented as a download manager. In the case of Orbit Downloader, we found that some of its versions contain malicious code for Denial of Service (DoS) attacks. Given the popularity of this program (Orbit Downloader is listed as one of the most downloaded applications on several popular software distribution websites), it can be assumed that with its help a huge amount of network traffic could be generated for DDoS attacks. Malicious versions of Orbit Downloader are detected by ESET asWin32 / DDoS.Orbiter.A .
Malicious code was added to the orbitdm.exe executable between versions 4.1.1.14 (December 25, 2012) and 4.1.1.15 (January 10, 2013). This file is the main module of the download manager and performs the following actions. Sends an HTTP GET request to its hXXp server : //obupdate.orbitdownloader.com/update/myinfo.php . The server then responds with two URLs that contain the following information. The first URL with the name “url” has the form hXXp: //obupdate.orbitdownloader.com/update/ido.ipl and points to the Win32 PE DLL file that will be secretly downloaded. Note that we have discovered more than ten versions of this file. The second URL with the name “param” looks like this hXXp: //obupdate.orbitdownloader.com/update/rinfo.php? Lang = language. Attackers also used another template - hXXp: //obupdate.orbitdownloader.com/update/param.php? Lang = language .
We managed to get the following response from the server:
Honestly, we did not quite understand why the attackers chose a website with that name as the URL for the response. Perhaps it was just a test of the authors for the serviceability of the service. Below is a screenshot of the network interaction of the program with the server, during which the configuration file and the DLL library are requested.
After analyzing the DLL, it turned out that it contains the exported SendHTTP function , which performs two actions. Download the encrypted configuration file hXXp: //obupdate.orbitdownloader.com/update/il.php containing a list of addresses to attack. Next, it carries out the attack itself on the targets listed in the configuration file. Below is a screenshot of part of the il.php configuration file.
The entries in this file are in the format URL = IP, for example, as shown below.
bbs1.tanglongs.com/2DClient_main.swf=210.245.122.119
tanglongs.com/static/script/jquery-1.7.1.min.js=118.69.169.103
The first part of the file entry, i.e. the URL, is the DoS target attacks. The second part is the IP address that is substituted as the source for the sent IP packet. The file itself is encrypted using base64 and the XOR algorithm using a 32-character string. The string is MD5 from a special password that is hardwired into a DLL file.
We discovered two types of attacks. If WinPcap is present on a compromised system, specially formed TCP SYN packets are sent to the remote system via port 80 with an arbitrary IP address as the source. This type of attack is known as SYN flood. It should be emphasized that WinPcap is a legitimate tool for creating network packets, working with a network and is not connected with intruders in any way. In the absence of WinPcap, TCP packets are sent to establish an HTTP connection on port 80. When using UDP, port 53 is used on the remote system.
Such attacks are quite effective due to the bandwidth of modern communication channels. About 140 thousand packets per second were sent on a test system with a Gigabit Ethernet port in our laboratory. It was noted that the falsified IP addresses of the sources belong to Vietnam. These blocks of IP addresses were hardwired into a DLL file loaded as ido.ipl.
This type of advertising is already a fairly typical phenomenon and is one of the reasons why ESET analysts can rank such software as a Potentially Unwanted Application (PUA) family. A similar process of classifying programs for PUA is a rather routine work for analysts and requires a thorough study of all the details, since the reasons why software can be attributed to PUA are determined individually.
Cybercriminals understand that many users can fall into the trap of phishing when they are offered the opportunity to download files from video hosting services and use this for their own purposes, so you need to be careful when you try to download a program or browser extension that is presented as a download manager. In the case of Orbit Downloader, we found that some of its versions contain malicious code for Denial of Service (DoS) attacks. Given the popularity of this program (Orbit Downloader is listed as one of the most downloaded applications on several popular software distribution websites), it can be assumed that with its help a huge amount of network traffic could be generated for DDoS attacks. Malicious versions of Orbit Downloader are detected by ESET asWin32 / DDoS.Orbiter.A .
Malicious code was added to the orbitdm.exe executable between versions 4.1.1.14 (December 25, 2012) and 4.1.1.15 (January 10, 2013). This file is the main module of the download manager and performs the following actions. Sends an HTTP GET request to its hXXp server : //obupdate.orbitdownloader.com/update/myinfo.php . The server then responds with two URLs that contain the following information. The first URL with the name “url” has the form hXXp: //obupdate.orbitdownloader.com/update/ido.ipl and points to the Win32 PE DLL file that will be secretly downloaded. Note that we have discovered more than ten versions of this file. The second URL with the name “param” looks like this hXXp: //obupdate.orbitdownloader.com/update/rinfo.php? Lang = language. Attackers also used another template - hXXp: //obupdate.orbitdownloader.com/update/param.php? Lang = language .
We managed to get the following response from the server:
[update]
url = http: //www.kkk.com
exclude =
param = 200
Honestly, we did not quite understand why the attackers chose a website with that name as the URL for the response. Perhaps it was just a test of the authors for the serviceability of the service. Below is a screenshot of the network interaction of the program with the server, during which the configuration file and the DLL library are requested.
After analyzing the DLL, it turned out that it contains the exported SendHTTP function , which performs two actions. Download the encrypted configuration file hXXp: //obupdate.orbitdownloader.com/update/il.php containing a list of addresses to attack. Next, it carries out the attack itself on the targets listed in the configuration file. Below is a screenshot of part of the il.php configuration file.
The entries in this file are in the format URL = IP, for example, as shown below.
bbs1.tanglongs.com/2DClient_main.swf=210.245.122.119
tanglongs.com/static/script/jquery-1.7.1.min.js=118.69.169.103
The first part of the file entry, i.e. the URL, is the DoS target attacks. The second part is the IP address that is substituted as the source for the sent IP packet. The file itself is encrypted using base64 and the XOR algorithm using a 32-character string. The string is MD5 from a special password that is hardwired into a DLL file.
We discovered two types of attacks. If WinPcap is present on a compromised system, specially formed TCP SYN packets are sent to the remote system via port 80 with an arbitrary IP address as the source. This type of attack is known as SYN flood. It should be emphasized that WinPcap is a legitimate tool for creating network packets, working with a network and is not connected with intruders in any way. In the absence of WinPcap, TCP packets are sent to establish an HTTP connection on port 80. When using UDP, port 53 is used on the remote system.
Such attacks are quite effective due to the bandwidth of modern communication channels. About 140 thousand packets per second were sent on a test system with a Gigabit Ethernet port in our laboratory. It was noted that the falsified IP addresses of the sources belong to Vietnam. These blocks of IP addresses were hardwired into a DLL file loaded as ido.ipl.