
Orbit Downloader Contains DDoS Malware, Report Finds

First launched in 2006, Orbit Downloader is a popular file download manager that can integrate with nearly every popular web browser and speed up the download of files over the Internet. Features like clipboard monitoring, peer-to-peer transfer to increase speed, and URL sniffing that enabled the download of embedded videos from streaming websites made it one of the most successful download managers. Now new research by security firm and anti-virus product manufacturer ESET has revealed that the program includes code designed to carry out distributed denial-of-service (DDoS) attacks on other machines.


The discovery came to light during a routine examination of the Orbit Downloader software package by the security firm. Apparently, when the main Orbit Downloader executable is run, it communicates with the site, silently downloading a DLL file and a configuration file containing a list of targets to attack and a randomly-generated IP address for each.

The program then conducts either a SYN flood attack or a wave of HTTP connection requests on port 80 (the HTTP port) and UDP datagrams on port 53 (DNS). The IP address that accompanied the URL in the config file is used as the source address for the attack.

On a test computer with a gigabit Ethernet port set up in ESET's lab, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam. These blocks of IP addresses were hardcoded into the DLL file.

At this point, nobody is sure who is to blame, for it's possible that the servers of Orbit Downloader were compromised without the developers' knowledge, although it's apparent that the author has gone to some lengths to hide the malware, as explained by ESET:

The first step is that files are encoded in base64, an encoding scheme most often used to send binary files as file attachments. After decoding, the data is then XORed with a fixed 32-character string. That 32-character string is actually the MD5 hash of a 9-character password that is hardcoded into the DLL file. After this operation, each pair of consecutive bytes is XORed together to generate a single byte of plaintext.

While each download of the encrypted data from the server varies, the actual content, once converted to plaintext, has remained constant for considerably longer periods of time.
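The decoding steps ESET describes above, written out as an added Python example for analysts (not ESET's code and not code from the DLL). The password `PASSWORD9` is a constructed placeholder because the real one is not given here; the lowercase hex digest, the cyclic repetition of the key and the non-overlapping byte pairs are assumptions. The `encode` helper only builds test input, and shows one way such a scheme can produce different ciphertext on every download for the same plaintext.

```python
import base64
import hashlib
import os
from itertools import cycle

# Constructed placeholder: the real 9-character password is not given on this page.
PLACEHOLDER_PASSWORD = b"PASSWORD9"


def xor_key(password: bytes) -> bytes:
    """The 32-character key: the MD5 hex digest of the password, as ASCII."""
    return hashlib.md5(password).hexdigest().encode("ascii")


def decode(blob: str, password: bytes = PLACEHOLDER_PASSWORD) -> bytes:
    """Reverse the three layers: base64, repeating-key XOR, pairwise XOR fold."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd length: cannot split into byte pairs")
    # Assumption: the 32-character key repeats cyclically over the data.
    unmasked = bytes(b ^ k for b, k in zip(raw, cycle(xor_key(password))))
    # Assumption: pairs are non-overlapping (bytes 0-1, 2-3, ...).
    return bytes(unmasked[i] ^ unmasked[i + 1] for i in range(0, len(unmasked), 2))


def encode(plaintext: bytes, password: bytes = PLACEHOLDER_PASSWORD) -> str:
    """Test-fixture encoder: a fresh random byte per pair, so output differs per call."""
    pairs = bytearray()
    for p in plaintext:
        r = os.urandom(1)[0]
        pairs += bytes((r, r ^ p))  # r ^ (r ^ p) == p when the pair is folded
    masked = bytes(b ^ k for b, k in zip(pairs, cycle(xor_key(password))))
    return base64.b64encode(masked).decode("ascii")


if __name__ == "__main__":
    sample = b"example.test 203.0.113.7"  # constructed sample, not real config data
    first, second = encode(sample), encode(sample)
    print("ciphertexts differ:", first != second)
    print("plaintexts match:  ", decode(first) == decode(second) == sample)
```

Because the blob changes from one download to the next, comparing or hashing the raw download does not identify it; comparison has to happen on the decoded content.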

The additional malware code appears to have been added sometime between the release of version (December 25, 2012) and version (January 10, 2013).

Following this news, many file download sites including BetaNews, Softpedia, Softonic and MajorGeeks have all removed Orbit Downloader from their sites. If you are using this program, you should uninstall it too.


  1. Soooo... any news on what legal action is being taken against the developers of Orbit Downloader?

