Orbital Decay: the dark side of a popular file downloading tool

Malware

32

[UPDATE #3: Popular file download site Download.Com has removed Orbit Downloader from their site. (2013-08-30 15:00 PDT)
UPDATE #2: Popular file download sites BetaNews, DownloadCrew, Softpedia and Softonic have all removed Orbit Downloader from their sites. (2013-08-23 19:00 PDT)
UPDATE #1: Popular file download site MajorGeeks has removed Orbit Downloader from their site. AG (2013-08-22 19:00 PDT)]

Introduction

Orbit Downloader by Innoshock is a popular file downloading add-on for web browsers, used not only to speed up the transfer of files over the Internet but also for its ability to download embedded videos from popular streaming video sites like YouTube.

Figure 1 - Orbit Downloader

Figure 1 – Orbit Downloader

Orbit Downloader has been around since at least 2006, and like many programs these days, is available for free.  The developer, Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements in order to generate revenue.

This type of advertising arrangement is normal behavior these days and one of the things that ESET’s researchers regularly look at when determining whether or not a program is to be classified as a Potentially Unwanted Application (PUA).  While that process is likewise fairly routine for ESET’s researchers, it is one which requires careful examination because the reasons for which programs may be classified as a PUA vary on a case-by-case basis.

Criminals understand that computer users want to download files and streamed videos and have already begun to take advantage of the situation, as computer security researcher Graham Cluley noted in a post on his blog, “Is that YouTube Video Downloader browser plugin safe? Beware!

What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks, which is exactly what our threat researchers found during an otherwise routine examination of the Orbit Downloader software package.  Given the age and the popularity of Orbit Downloader (it is listed as one of the top downloads in its category on several popular software web sites) this means that the program might be generating gigabits (or more) of network traffic, making it an effective tool for Distributed Denial of Service (DDoS) attacks.  ESET identifies versions of Orbit Downloader containing this attack code as Win32/DDoS.Orbiter.A.

 

Orbital Mechanics

Sometime between the release of version 4.1.1.14 (December 25, 2012) and version 4.1.1.15 (January 10, 2013), an additional component was added to orbitdm.exe, the main executable module for Orbit Downloader.  Here is what it does:

  1. When orbitdm.exe is run, it sends a HTTP GET request to Orbit Downloader’s server at hXXp://obupdate.orbitdownloader.com/update/myinfo.php.
  2. The server responds with two URLs containing further information:
    1. The first URL, named “url“, currently responds with the URL hXXp://obupdate.orbitdownloader.com/update/ido.ipl which points to the location of a Win32 PE DLL file that is silently downloaded by the software.  So far, ESET’s researchers have seen more than a dozen different versions of this DLL file.
    2. The second URL, named “param“, initially responded with an URL of hXXp://obupdate.orbitdownloader.com/update/rinfo.php?lang=language
      Several days ago, this switched to
      hXXp://obupdate.orbitdownloader.com/update/param.php?lang=language
      For both URLs, the language variable was set to ENU for English, SKY for Slovak and so forth.

The second URL, “param“, seems to generate a response via HTTP POST based on the language parameter sent to the server in Step 1.  Most of the time the configuration files were not very interesting to look at, consisting of zero values such as:

[update]
begintime=00000000000000
endtime=00000000000000

We did, however, observe one interesting response that stood out:

[update]
url=http://www.kkk.com
exclude=
param=200

It is unclear to us why the Ku-Klux Klan’s web site was chosen, as no similar sites were seen during our monitoring.  This may have simply been a test by the tool’s authors to verify it was working.

This screenshot from a packet capture shows the HTTP GET requests from Orbit Downloader as it downloads the configuration file used to target the attack and the DLL used to perform them:

Figure 2 - Orbit packet capture [CROP]

Figure 2: example of HTTP GET requests

Examination of the Win32 PE DLL by ESET’s researchers reveals an exported function with the name SendHTTP which performs two actions:

  1. The first action is to download an obfuscated configuration file from hXXp://obupdate.orbitdownloader.com/update/il.php containing a list of targets to attack.
  2. The second action is to perform the attack against the targets listed in the configuration file.

Here is a screen shot showing one of the il.php configuration files:

Figure 3 - Orbit il.php [CROP]

Figure 3: example of il.php file

Once extracted, entries appear in the format of a URL, followed by an equal sign “=” and an IP address.  Here are some entries from another il.php configuration file we examined:

bbs1.tanglongs.com/2DClient_main.swf=210.245.122.119

tanglongs.com/static/script/jquery-1.7.1.min.js=118.69.169.103

The first portion of an entry, the URL, is the target of the DoS attack.  The source IPs are randomly generated.  In some instances, we downloaded blank il.php configuration files.  This may have meant there were no current targets.

Two types of attacks have been observed:

  1. If WinPcap is present, specially crafted TCP SYN packets are sent to the targeted machines on port 80, with random source IP addresses.  This kind of denial of service attack is known as a SYN flood.  It should be noted that WinPcap is a legitimate third-party tool bundled with many programs and is otherwise unrelated to this attack.
  2. If WinPcap is not present, TCP packets are sent containing an HTTP connection request on port 80 and UDP datagrams on port 53 to the targeted machines.

These attacks, while basic, are effective due to their throughput:  On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam.  These blocks of IP addresses were hardcoded into the DLL file downloaded from ido.ipl, different ranges may have been used in the past, though, and could change in future versions of the DLL file.

Orbit Eccentricity

As mentioned above, the configuration file downloaded from Orbit Downloader’s server is encrypted to avoid casual examination.  The first step is that files are encoded in base64, an encoding scheme most often used to send binary files as file attachments.  After decoding, the data is then XORed with a fixed 32-character string.  That 32-character string is actually the MD5 hash of a 9-character password that is hardcoded into the DLL file.  After this operation, each pair of consecutive bytes are XORed together to generate a single byte of plaintext.

While each download of the encrypted data from the server varies, the actual content, once converted to plaintext, has remained constant for considerably longer periods of time.

Historical Orbits

Looking through older versions of Orbit Downloader, it appears that the DoS functionality has been present for some time, if not actively used, in a program file named orbitnet.exe, and not orbitDM.exe like current version.  Also, this older version downloaded its configuration file from static.koramgame.com and not from the orbitdownloader.com domain.  Curiously, the version of orbitnet.exe containing the DoS code (version 2.6.0.7) does not appear to be bundled with any of the installation packages released by Orbit Downloader, although an older version, 2.6.0.4, appears to be distributed with the current version of Orbit Downloader, version 4.1.1.18, released May 2, 2013.

 

Conclusion

While we are just as puzzled as everyone else as to why this popular file downloading utility now contains remotely-updating DDoS functionality, we are taking action to protect ESET’s users from it.  Beginning with virus signature database 8604, versions of Orbit Downloader with DoS functionality are detected by ESET’s software as Win32/DDoS.Orbiter.A.

In the meantime, until Innoshock, the developer of Orbit Download explains this behavior and/or releases an updated version without this unwanted functionality, we recommend uninstalling this program and using a different file downloader.

The following are the MD5 hashes of files analyzed in this article:

036b2f895fa1d64a1f1821ce9f61a56b
1896b319f5f5b101c028066c659c354e
1ce53a55317ae1f7eaef65b6241c66c8
28c22bac5621f058deb67ea9d7249de9
33544b3c3de8113847f8a676bbdf2db6
3988b798439e7d2deb03bb265cb9277a
3cbe133243e78e15445ad70fd33fc667
44d9dbe00e0396dbbac0efb3631bd8a1
809d5a4af232f08f88d315b116e47828
9e898210781061805844cc90cb77d3bd
9ef50486265891aff5542c3581934ab3
aaeb12d4b2498fb271d50fb31f4e1d5d
bd80f4eec1246289d3d735d8d0c7a57e
c21c7845b4f9510f9f18e4da284a5af5
d3a2438ee876a8780dfee73b8d266118
d8595fcc4ccbd7a742455ed30b156d69
e16366ee9ae1086bc86a719eaeebeb7b
f76c4e8ebcc79aa16f4254ed219a2857
f99c2446ddaa5ee9ebaf2abbc70d4a94

I would like to thank my colleagues Daniel, David, Hugo, Jean-Ian, Peter and Pierre-Marc for their research and assistance with this article.

 

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher

Author Aryeh Goretsky, ESET

  • Samuel Waugh

    thank you eset for keeping us updated and safe from viruses! you guys are the best

  • http://aqfl.net Ant

    I had to block the damn IP addresses to avoid the craziness. What’s a good downloader to download streaming media files? I wished GetRight was updated.

  • http://win.softpedia.com/ Giorgiana Arghire

    We strive to protect our users against malicious components, therefore, as a result of these security alerts, we have decided to remove Orbit Downloader from Softpedia, effective immediately http://bit.ly/19BqJqW

    • http://www.welivesecurity.com/author/goretsky/ Aryeh Goretsky

      Hello Giorgiana,

      Thank you for letting us know. I am in the process of adding an update to the article with this information.

      Regards,

      Aryeh Goretsky

  • Al

    Looking into the orbitdownloader website, it is possible to find some strange stuff like:

    http://www.orbitdownloader.com/timg5/

    Which is not accessible anymore but still readable with google cache => In russian and deal with crack and trojan if google translate is accurate enough (still, it looks like random sentence). And the fist timing item is 11 Jan 2013m, which could help to determine the timeline in this issues.

    Al

  • Jim

    What are some safe alternate file downloader programs to use instead of orbit?

    • http://www.welivesecurity.com/author/goretsky/ Aryeh Goretsky

      Hello Jim,

      We do not have any specific recommendations as to other file downloader programs to use. My suggestion would be to try a few out and see what works best for your specific needs.

      Regards,

      Aryeh Goretsky

    • http://dan.cx/ Daniel Lo Nigro

      Anything open source. JDownloader was pretty good back when I tried it out.

    • Raj_09

      Hi Jim,

      I use Freedownloadmanager which just downloads my files as effectively and is opensource too. I will recommend that as an alternative.

    • disqus_OYJ7gPZj7l

      Free Download Manager and DAP are good

      • http://dharley.wordpress.com/ David Harley

        As previously mentioned, we don’t have specific experience of these products, so approval of this comment doesn’t constitute endorsement by ESET of either product.

      • Terry Richards

        DAP has a problem when used for an extended period of time it (the program will freeze and shut down) and it will not reload when you attempt to do so. I had over 1.9GigaBites in that file and through the instructions from Speedbit , I lost all of it. If you try it , do so with caution.

  • http://bistudio.com David Foltyn

    very interesting … thanks for sharing it with world …

  • http://www.tweakbytes.com/ Bala

    I have also attached an important announcement to all my forum users so as to remove orbit downloader.
    Thanks for reporting guys.

  • blake83

    I’m interested in seeing the reasoning behind this and Innoshock’s explanation Should be entertaining…

  • http://ssupdater.b1.jcink.com/index.php Mark

    Is ESET going to check Innoshock’s other products like RaidCall, Free Music Zilla,
    Free Video Zilla, IE7pro? If Orbit Downloader had malicious code then so could their other products. Thanks.

    • http://dharley.wordpress.com/ David Harley

      Mark, the short answer is, I don’t know. I’ll forward your comments to the appropriate research team. .

      • http://dharley.wordpress.com/ David Harley

        And the response I received was that checking doesn’t seem to bear out a connection between Innoshock and Raidcall. If you have any further information on this perceived connection, by all means let us know and we’ll investigate further.

      • http://dharley.wordpress.com/ David Harley

        Thanks for your further information. I believe investigation is continuing.

  • Aaron

    try free download manager

    http://www.freedownloadmanager.org/

    • http://dharley.wordpress.com/ David Harley

      We’ve received several comments to this post that recommend this product. However, please note that I have no personal experience of the product (though I’m not aware of any problems with it), and this doesn’t represent any implied endorsement by ESET.

  • Max440

    Isn’t the KKK spelled Ku Klux Klan. You spelled Klan with a C instead of a k.

    • http://www.welivesecurity.com/author/goretsky/ Aryeh Goretsky

      Indeed, it is, and thank you for correcting me. I am afraid I let my word processor get a little too overzealous when writing the article. A correction should be appearing shortly in the article.

  • Yagi

    Interesting findings..

    I have suspicion toward a similar program called “Freemake Video Downloader”, everything about them doesn’t feel right, just look at their “colorful” website, especially the “About Us” page, no useful information at all, no names, no physical contact information, address etc. their program silently install the third-party WinPcap without the user consent and without a proper explanation why their program need it to function.

    I highly suggest that you give that program a deep analysis.

    • http://www.welivesecurity.com/author/goretsky/ Aryeh Goretsky

      Freemake Video Downloader is apparently part of the Freemake line of software developed by Ellora Assets Corporation, a Russian company. While it may be disconcerting that their web site does not have any contact information on their web site like a phone number or an office address and their whois data is hidden using an anonymizing service, this does not necessarily mean there is anything malicious about their software.

      Of course, many programs are bundled with potentially unwanted applications (PUAs), but those are not, by definition, malicious, just programs that some users may or may not want to install on their computers.

      Thanks for the report, though, and we’ll look into that.

  • http://koketsoresane.com/ Koketso Resane

    Jawdropping indeed

  • barney55

    I read this story a bit late: 9-2-13. And then visted Orbit Downloader forum. It’s mostly infested with spam. After a breif perusal of the General and Bug Reports forums, I saw no posts relating to this serious issue.

    … Avoid this program.

  • Gagan

    OMG … I was using this for about 1 year. After reading this it ook me almost 1 day to download this stupid software. Thanks. And keep the good work up…. God Bless.

  • http://www.trishtech.com/ Trisha P.

    So simple uninstallation is enough for Orbit Downloader? Does it store some files in App Data folder or values in the Registry that need to be cleaned?

    • http://www.welivesecurity.com/author/goretsky/ Aryeh Goretsky

      Hello,

      Uninstalling Orbit Downloader will prevent your computer from being used by the component for DDoS attacks. If there are any files left behind they can be manually removed.

      Regards,

      Aryeh Goretsky

  • YJ

    Are Previous versions (pre version 4.1.1.14) safe? I’m used to Orbit and ever since removing it I haven’t found any decent replacement.

  • JM

    Asking again, are previous versions, pre version 4.1.1.14, safe? I have all the DL files, could I install them without worring?

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

1 article related to:
Hot Topic
21 Aug 2013
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.