Orbit Downloader Compromised with DDOS Trojan on Board
The ESET security folks discovered an extra component in the Orbit Downloader code (specifically, “orbitdm.exe”) that sends an HTTP GET request to an Orbit server, and the server spits back two URLs. One points to a version of a Win32 PE DLL file that the software downloads without the user knowing, and the other “seems to generate a response via HTTP POST based on the language parameter sent to the server in Step 1”. This was added at some point between December 25th, 2012 and January 10, 2013.
The Win32 PE DLL file is the nasty bit, because it both downloads a configuration file with a list of targets and then executes the attacks against the listed targets. ESET listed two types of attacks:
If WinPcap is present, specially crafted TCP SYN packets are sent to the targeted machines on port 80, with random source IP addresses. This kind of denial of service attack is known as a SYN flood. It should be noted that WinPcap is a legitimate third-party tool bundled with many programs and is otherwise unrelated to this attack.
If WinPcap is not present, TCP packets are sent containing an HTTP connection request on port 80 and UDP datagrams on port 53 to the targeted machines.
Example of the configuration file
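A target-side detector for the SYN-flood pattern described above (bare TCP SYNs to port 80 whose source addresses are random, so almost no source repeats and no handshake completes), written here as an added example that is not part of ESET's analysis or of the Orbit Downloader code; the flow records, thresholds and field layout are constructed for illustration.

```python
"""Detect spoofed-source SYN floods in constructed flow records."""
import random
from collections import defaultdict

# Constructed record layout: (timestamp, src_ip, dst_ip, proto, dst_port, tcp_flags)
# tcp_flags is "S" for a bare SYN and "A" for a packet carrying ACK.


def detect_syn_flood(records, window=1.0, min_syns=100, min_src_ratio=0.9):
    """Return {dst_ip: (syn_count, distinct_sources)} for each destination that,
    in some `window`-second bucket, received at least `min_syns` bare SYNs to
    port 80 with distinct_sources / syn_count >= min_src_ratio.

    A legitimate burst of clients re-uses source addresses; a flood with random
    spoofed sources is almost all distinct, which is the signal used here.
    """
    buckets = defaultdict(lambda: [0, set()])   # (dst, bucket) -> [syns, sources]
    for ts, src, dst, proto, dport, flags in records:
        if proto == "tcp" and dport == 80 and flags == "S":
            b = buckets[(dst, int(ts // window))]
            b[0] += 1
            b[1].add(src)
    hits = {}
    for (dst, _), (n, srcs) in buckets.items():
        if n >= min_syns and len(srcs) / n >= min_src_ratio:
            if n > hits.get(dst, (0, 0))[0]:    # keep the busiest bucket per target
                hits[dst] = (n, len(srcs))
    return hits


def constructed_sample(seed=1):
    """Constructed traffic: one benign browsing client plus one flooded target."""
    rng = random.Random(seed)
    recs = []
    # Benign: 20 connections from a single client, each SYN followed by an ACK.
    for i in range(20):
        recs.append((i * 0.05, "10.0.0.5", "203.0.113.10", "tcp", 80, "S"))
        recs.append((i * 0.05 + 0.01, "10.0.0.5", "203.0.113.10", "tcp", 80, "A"))
    # Flood: 500 bare SYNs in half a second toward one target, random sources.
    for i in range(500):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        recs.append((i * 0.001, src, "198.51.100.7", "tcp", 80, "S"))
    return recs


if __name__ == "__main__":
    for dst, (syns, sources) in detect_syn_flood(constructed_sample()).items():
        print(f"possible SYN flood against {dst}: {syns} SYNs from {sources} sources")
```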
ESET says that while investigating the attacks, it observed about 140,000 packets per second being sent as HTTP connection requests. ESET has also taken steps to protect its own users from Orbit Downloader, and states that the software’s maker, Innoshock, has yet to comment on or explain this dangerous oddity.