
The Orbit Downloader download manager is being used for DDoS attacks

Orbit Downloader (Innoshock) is a download manager: a program that speeds up downloading files from the Internet and can also fetch videos from popular services such as YouTube. It has been available since at least 2006 and, like many other programs, is free of charge. The developer of this download manager earns revenue through installers such as OpenCandy, which install third-party software and display advertisements for profit.

This kind of advertising is quite typical and is one of the reasons ESET analysts can classify such software as a Potentially Unwanted Application (PUA). Classifying a program as PUA is fairly routine work for analysts, but it requires careful study of all the details, since the reasons for which software is assigned to PUA are decided case by case.

Cybercriminals understand that many users will take the bait when offered a way to download files from video hosting services, and they exploit this for their own purposes, so you need to be careful whenever you download a program or browser extension presented as a download manager. In the case of Orbit Downloader, we found that some of its versions contain malicious code for Denial of Service (DoS) attacks. Given the program's popularity (Orbit Downloader is listed among the most downloaded applications on several popular software distribution sites), it can be assumed that a huge amount of network traffic could be generated through it for DDoS attacks. Malicious versions of Orbit Downloader are detected by ESET as Win32/DDoS.Orbiter.A.

Malicious code was added to the orbitdm.exe executable between versions 4.1.1.14 (December 25, 2012) and 4.1.1.15 (January 10, 2013). This file is the main module of the download manager, and the added code does the following. It sends an HTTP GET request to its server at hXXp://obupdate.orbitdownloader.com/update/myinfo.php. The server responds with two URLs. The first, named “url”, looks like hXXp://obupdate.orbitdownloader.com/update/ido.ipl and points to a Win32 PE DLL that is downloaded covertly; note that we have discovered more than ten versions of this file. The second, named “param”, looks like hXXp://obupdate.orbitdownloader.com/update/rinfo.php?lang=language. The attackers also used another pattern: hXXp://obupdate.orbitdownloader.com/update/param.php?lang=language.

We managed to get the following response from the server:

[update]
url=http://www.kkk.com
exclude=
param=200

Honestly, we did not quite understand why the attackers chose a website with that name as the URL in the response. Perhaps the authors were simply testing that the service worked. Below is a screenshot of the program's network exchange with the server, in which the configuration file and the DLL are requested.



Analysis of the DLL showed that it contains an exported function, SendHTTP, which does two things. It downloads an encrypted configuration file from hXXp://obupdate.orbitdownloader.com/update/il.php containing the list of addresses to attack, and then it attacks the targets listed in that file. Below is a screenshot of part of the il.php configuration file.



Entries in this file are in URL=IP format, for example as shown below.

bbs1.tanglongs.com/2DClient_main.swf=210.245.122.119
tanglongs.com/static/script/jquery-1.7.1.min.js=118.69.169.103

The first part of each entry, the URL, is the target of the DoS attack. The second part is the IP address spoofed as the source of the sent IP packets. The file itself is encoded with base64 and encrypted with XOR using a 32-character string: the MD5 hash of a password hard-coded into the DLL.
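As an added analysis aid (this is not code from the article, from ESET or from the malware), here is a decoder for a target list in the format described above: a base64 outer layer, a repeating-key XOR inner layer whose 32-character key is the hex MD5 digest of a hard-coded password, and then URL=IP lines. The real password is not on the page, so a placeholder is used; the layer order (base64 outside, XOR inside) and the constructed sample blob are assumptions. The encoder exists only to build the sample inline so the script runs offline.

```python
import base64
import hashlib
from typing import List, Tuple

# Assumption: the real hard-coded password is not public, so a placeholder stands in for it.
PLACEHOLDER_PASSWORD = b"placeholder-password"


def derive_key(password: bytes) -> bytes:
    """32-character key as described: the hex MD5 digest of the hard-coded password."""
    return hashlib.md5(password).hexdigest().encode("ascii")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_target_list(blob: str, password: bytes) -> List[Tuple[str, str]]:
    """Undo base64, then the XOR layer, then parse 'URL=IP' lines into (target, spoofed_source) pairs."""
    raw = xor_with_key(base64.b64decode(blob), derive_key(password))
    entries = []
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank or malformed line: skip it instead of aborting the whole file
        # rpartition splits on the LAST '=', because the URL part may itself contain '=' in a query string
        url, _, spoofed_ip = line.rpartition("=")
        entries.append((url, spoofed_ip))
    return entries


def encode_target_list(entries: List[Tuple[str, str]], password: bytes) -> str:
    """Inverse of decode_target_list; used here only to construct the sample input."""
    plain = "\n".join(f"{url}={ip}" for url, ip in entries).encode("utf-8")
    return base64.b64encode(xor_with_key(plain, derive_key(password))).decode("ascii")


# Constructed sample: the two entries quoted on the page, wrapped in the described encoding.
SAMPLE_ENTRIES = [
    ("bbs1.tanglongs.com/2DClient_main.swf", "210.245.122.119"),
    ("tanglongs.com/static/script/jquery-1.7.1.min.js", "118.69.169.103"),
]
SAMPLE_BLOB = encode_target_list(SAMPLE_ENTRIES, PLACEHOLDER_PASSWORD)

if __name__ == "__main__":
    for target, spoofed in decode_target_list(SAMPLE_BLOB, PLACEHOLDER_PASSWORD):
        print(f"target={target}  spoofed_source={spoofed}")
```

With a real sample, the password would be recovered from the DLL and passed in place of the placeholder; if the XOR layer turns out to sit outside the base64 layer instead, swapping the two calls in decode_target_list is the only change needed.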

We found two types of attack. If WinPcap is present on the compromised system, specially crafted TCP SYN packets are sent to the remote system on port 80 with a spoofed source IP address; this type of attack is known as a SYN flood. It should be stressed that WinPcap is a legitimate tool for crafting packets and working with the network and has nothing to do with the attackers. If WinPcap is absent, ordinary TCP packets are sent to establish an HTTP connection on port 80. For UDP, port 53 is used on the remote system.

Such attacks are quite effective given the bandwidth of modern network links. On a test system with a Gigabit Ethernet port in our laboratory, about 140 thousand packets per second were sent. We also noted that the spoofed source IP addresses belong to Vietnam; these IP address blocks were hard-coded into the DLL downloaded as ido.ipl.
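The two observations above (a high-rate burst of bare SYNs toward port 80, and source addresses that do not belong to the network the packets leave from) are exactly what a network sensor at the egress point can key on. The following detection sketch is an added example, not code from the article or from ESET: it runs over constructed packet records, flags any destination that receives more than a threshold of bare SYNs in one second, and counts how many of the sources used fail a local-prefix check (the BCP 38 egress-filtering test). The local prefix, the threshold and the sample capture are assumptions; the addresses are documentation ranges, not real infrastructure.

```python
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Packet(NamedTuple):
    ts: float      # capture time in seconds
    src: str       # source IPv4 address as seen on the wire
    dst: str       # destination IPv4 address
    dport: int     # destination port
    flags: str     # TCP flags: "S" = bare SYN, "SA" = SYN/ACK, "PA" = data segment


# Assumed site configuration: the prefixes an egress sensor should see as sources.
# Anything else leaving the network is a spoofed source (the BCP 38 check).
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Assumed tuning value: bare SYNs per second toward one destination that warrant an alert.
SYN_RATE_THRESHOLD = 500


def is_spoofed_source(src: str, local_prefixes=LOCAL_PREFIXES) -> bool:
    """True when an outbound packet claims a source address that does not belong to this site."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in local_prefixes)


def detect_syn_flood(packets: Iterable[Packet], threshold: int = SYN_RATE_THRESHOLD) -> Dict[str, dict]:
    """Flag destinations receiving more than `threshold` bare SYNs in any one-second bucket.

    For each flagged destination report the peak per-second SYN rate, the number of
    distinct source addresses used and how many of those fail the local-prefix check.
    """
    per_second: Counter = Counter()              # (second, dst) -> bare SYN count
    sources: Dict[str, set] = defaultdict(set)   # dst -> source addresses seen in SYNs
    for p in packets:
        if p.flags != "S":
            continue                             # only bare SYNs count toward a flood
        per_second[(int(p.ts), p.dst)] += 1
        sources[p.dst].add(p.src)

    findings: Dict[str, dict] = {}
    for (_second, dst), count in per_second.items():
        if count <= threshold:
            continue
        f = findings.setdefault(dst, {"peak_syn_per_sec": 0, "distinct_sources": 0, "spoofed_sources": 0})
        f["peak_syn_per_sec"] = max(f["peak_syn_per_sec"], count)
    for dst, f in findings.items():
        srcs = sources[dst]
        f["distinct_sources"] = len(srcs)
        f["spoofed_sources"] = sum(1 for s in srcs if is_spoofed_source(s))
    return findings


def build_sample_capture() -> List[Packet]:
    """Constructed traffic: one legitimate HTTPS handshake plus a spoofed-source SYN flood on port 80."""
    pkts = [
        Packet(100.00, "192.0.2.15", "203.0.113.5", 443, "S"),
        Packet(100.05, "203.0.113.5", "192.0.2.15", 52000, "SA"),
        Packet(100.06, "192.0.2.15", "203.0.113.5", 443, "PA"),
    ]
    # 1200 bare SYNs inside a single second toward one web server, each claiming a source
    # address from 198.51.100.0/24 (a documentation range that is NOT one of LOCAL_PREFIXES).
    for i in range(1200):
        pkts.append(Packet(100.0 + i / 1200, f"198.51.100.{i % 250 + 1}", "203.0.113.10", 80, "S"))
    return pkts


if __name__ == "__main__":
    for dst, info in detect_syn_flood(build_sample_capture()).items():
        print(f"{dst}: peak {info['peak_syn_per_sec']} SYN/s from {info['distinct_sources']} sources, "
              f"{info['spoofed_sources']} of them spoofed")
```

On a real sensor the packet records would come from a capture or flow export rather than being constructed; the useful part of the output is the spoofed-source count, because a flood whose sources all fail the prefix check originates inside the monitored network regardless of what the packets claim, which is what points back at infected hosts.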

Source: https://habr.com/ru/post/191354/
