A sample il.php config file for the DDOS in Orbit Downloader
Researchers at security software company ESET have found remotely updated DDoS functionality built into a popular Windows download manager, Orbit Downloader.
The DDoS function appears to have been in the program for some time. When orbitdm.exe runs, it starts a series of communications with the servers at orbitdownloader.com, the end result of which is that the client system silently downloads, over plain HTTP, a Win32 PE DLL and a configuration file containing a list of target URLs and a randomly generated IP address for each. The DLL and the list are then used to conduct either a SYN flood or a wave of HTTP connection requests against TCP port 80 (HTTP), along with UDP datagrams against port 53 (DNS). The IP address that accompanies each URL in the config file is used as the forged source address for that attack, so the traffic does not carry the address of the Orbit Downloader user's own machine.
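The forged source address is the detail a network defender can act on: a packet leaving a LAN with a source address that does not belong to any of the LAN's own prefixes should never occur, which is exactly what BCP 38 style egress filtering drops. The following is an added example, not ESET's code and nothing taken from Orbit Downloader. It runs over constructed flow records shaped like (src_ip, dst_ip, proto, dst_port, tcp_flags), assumes a single LAN prefix of 192.168.1.0/24, and flags destinations that receive many spoofed bare SYNs to TCP/80 or spoofed UDP datagrams to port 53, the two traffic patterns described above. The record format, prefix, addresses and threshold are all assumptions for the example.

```python
"""Spot spoofed-source flood traffic leaving a LAN.

Added example for the Orbit Downloader DDoS write-up; the flow records below are
constructed, not captured data, and the LAN prefix is an assumption.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed local prefix for the example; substitute the real LAN prefixes.
LOCAL_PREFIXES = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed flow records: (src_ip, dst_ip, proto, dst_port, tcp_flags).
# tcp_flags is "S" for a bare SYN and "" for UDP. All addresses are documentation
# ranges (RFC 5737) chosen for the example.
SAMPLE_FLOWS = [
    # normal traffic from a real LAN host
    ("192.168.1.20", "93.184.216.34", "tcp", 443, "S"),
    ("192.168.1.20", "192.168.1.1", "udp", 53, ""),
    # spoofed SYN flood against one target's web port
    ("198.51.100.7", "203.0.113.10", "tcp", 80, "S"),
    ("198.51.100.88", "203.0.113.10", "tcp", 80, "S"),
    ("203.0.113.201", "203.0.113.10", "tcp", 80, "S"),
    ("198.51.100.3", "203.0.113.10", "tcp", 80, "S"),
    ("198.51.100.250", "203.0.113.10", "tcp", 80, "S"),
    ("198.51.100.19", "203.0.113.10", "tcp", 80, "S"),
    # spoofed UDP datagrams to the same target's DNS port
    ("198.51.100.41", "203.0.113.10", "udp", 53, ""),
    ("198.51.100.42", "203.0.113.10", "udp", 53, ""),
    ("198.51.100.43", "203.0.113.10", "udp", 53, ""),
    ("198.51.100.44", "203.0.113.10", "udp", 53, ""),
    # one spoofed SYN elsewhere: spoofed, but below the flood threshold
    ("198.51.100.99", "203.0.113.20", "tcp", 80, "S"),
]


def is_spoofed(src_ip, local_prefixes=LOCAL_PREFIXES):
    """True if an outbound packet carries a source address that is not ours.

    This is the BCP 38 egress check: anything leaving the LAN should have a
    source inside one of the LAN's own prefixes.
    """
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in local_prefixes)


def spoofed_flows(flows, local_prefixes=LOCAL_PREFIXES):
    """Return only the flows whose source address fails the egress check."""
    return [f for f in flows if is_spoofed(f[0], local_prefixes)]


def flood_targets(flows, local_prefixes=LOCAL_PREFIXES, threshold=4):
    """Group spoofed flows by victim and count the two patterns the payload used.

    Returns {victim_ip: {"syn_80": n, "udp_53": m}} for victims where either
    count reaches the (arbitrary, example-only) threshold.
    """
    per_target = defaultdict(Counter)
    for src, dst, proto, dport, flags in spoofed_flows(flows, local_prefixes):
        if proto == "tcp" and dport == 80 and flags == "S":
            per_target[dst]["syn_80"] += 1
        elif proto == "udp" and dport == 53:
            per_target[dst]["udp_53"] += 1
    return {
        dst: dict(counts)
        for dst, counts in per_target.items()
        if counts["syn_80"] >= threshold or counts["udp_53"] >= threshold
    }


if __name__ == "__main__":
    for victim, counts in flood_targets(SAMPLE_FLOWS).items():
        print(f"spoofed flood toward {victim}: {counts}")
```

Run directly to print the flagged victim; in practice the constructed list would be replaced by NetFlow/sFlow records or a pcap exported from the border device. The threshold is a plain count here for clarity, whereas a real detector would rate-limit over a time window; and counting is only the detection side, since the actual fix is to drop packets with off-net source addresses at the egress router so an infected Orbit Downloader host cannot spoof at all.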
In ESET's tests they have seen about a dozen versions of the DLL, and the contents of the config file change frequently. This indicates that the DDoS network of Orbit Downloader users is being actively managed. A sample of one of the config files (il.php) is shown in the figure above.
ESET expresses surprise that such an attack capability would be included in so popular a program. It is a distinct possibility that the company's web site has been compromised by an outside attacker who is using it, and the software, unbeknownst to the proprietors of Orbit Downloader.
At the time of this writing, an affected version (4.1.1.18) was still available for download on the company's site, and the URLs used for downloading the attack code and config file were still live.