If WinPcap is installed, Orbit's DDoS component uses the tool to send TCP SYN packets on port 80 (HTTP) to the IP addresses specified in its configuration file. "This kind of attack is known as a SYN flood," the ESET researchers said.
If WinPcap is not present, the rogue component directly sends HTTP connection requests on port 80 to the targeted machines, as well as UDP packets on port 53 (DNS).
The attacks also use IP spoofing: the source IP addresses of the requests fall within IP address ranges that are hardcoded in the DLL file.
"On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam," the ESET researchers said.
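The traffic pattern described above (SYN-only packets to TCP port 80 at a high rate, no completed handshakes, many distinct source addresses clustered in fixed ranges, plus UDP to port 53 against the same target) is what a defender would look for in a capture or flow export from an affected network. The following is an added example, not code from ESET, from the article, or from Orbit Downloader: a small Python detector run over constructed per-packet records. The CIDR ranges, thresholds and the record format are assumptions made for the illustration; the real ranges hardcoded in the DLL are not reproduced here.

```python
"""Flag a SYN flood with spoofed sources in per-packet records.

Added example. Record format (assumed): "ts src dst proto dport flags",
with flags '-' for UDP. SUSPECT_RANGES are hypothetical documentation
prefixes standing in for whatever ranges a DDoS tool hardcodes.
"""
import ipaddress
from collections import Counter, defaultdict

SUSPECT_RANGES = [ipaddress.ip_network("203.0.113.0/24"),   # hypothetical
                  ipaddress.ip_network("198.51.100.0/24")]  # hypothetical
WINDOW_SECONDS = 1.0
SYN_RATE_THRESHOLD = 50     # SYN-only packets per window to one host
ACK_RATIO_THRESHOLD = 0.1   # completed handshakes / SYNs below this = flood


def parse_record(line):
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "flags": set() if flags == "-" else set(flags)}


def in_suspect_range(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SUSPECT_RANGES)


def analyse(records):
    """Return per-destination findings; 'verdict' is True for a SYN flood."""
    by_dst = defaultdict(list)
    for r in records:
        by_dst[r["dst"]].append(r)
    findings = {}
    for dst, pkts in by_dst.items():
        http = [p for p in pkts if p["proto"] == "tcp" and p["dport"] == 80]
        syns = [p for p in http if "S" in p["flags"] and "A" not in p["flags"]]
        acks = [p for p in http if "A" in p["flags"]]
        dns = [p for p in pkts if p["proto"] == "udp" and p["dport"] == 53]
        if not syns and not dns:
            continue
        # Peak SYN-only rate over any single window: a flood is bursty.
        buckets = Counter(int(p["ts"] // WINDOW_SECONDS) for p in syns)
        peak = max(buckets.values(), default=0)
        # Spoofed floods show many sources that never complete a handshake.
        srcs = {p["src"] for p in syns}
        spoofed = sum(1 for s in srcs if in_suspect_range(s))
        ack_ratio = len(acks) / len(syns) if syns else 0.0
        findings[dst] = {
            "peak_syn_rate": peak,
            "distinct_syn_sources": len(srcs),
            "spoofed_source_fraction": spoofed / len(srcs) if srcs else 0.0,
            "ack_ratio": ack_ratio,
            "dns_udp_packets": len(dns),
            "verdict": peak >= SYN_RATE_THRESHOLD and ack_ratio <= ACK_RATIO_THRESHOLD,
        }
    return findings


def constructed_capture():
    """Constructed sample: one flooded host, one host with normal traffic."""
    lines = []
    # 200 SYN-only packets within one second, each from a different address
    # inside the hypothetical ranges, and no handshake ever completes.
    for i in range(200):
        src = str(SUSPECT_RANGES[i % 2][1 + i // 2])
        lines.append(f"{1000 + i / 200:.3f} {src} 192.0.2.10 tcp 80 S")
    # The same victim also receives UDP packets on port 53.
    for i in range(20):
        lines.append(f"{1000 + i / 20:.3f} 203.0.113.250 192.0.2.10 udp 53 -")
    # Benign: five completed handshakes to another host, one per second.
    for i in range(5):
        lines.append(f"{1000 + i:.3f} 10.0.0.5 192.0.2.20 tcp 80 S")
        lines.append(f"{1000 + i + 0.01:.3f} 10.0.0.5 192.0.2.20 tcp 80 A")
    return lines


if __name__ == "__main__":
    for host, f in analyse([parse_record(l) for l in constructed_capture()]).items():
        print(host, f)
```

The three signals are deliberately combined: a high SYN rate alone also appears during a legitimate traffic spike, and an unusual source distribution alone appears behind large NATs, but a burst of SYNs from hundreds of addresses in a narrow range with almost no handshake completions is the shape of a spoofed flood. On real captures, feed `analyse()` the same fields exported from the capture tool instead of the constructed lines.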
After adding a detection signature for the DLL component, the ESET researchers also identified an older file called orbitnet.exe that had almost the same functionality as the DLL file, but downloaded its configuration from a different website, not orbitdownloader.com.
This suggests that Orbit Downloader might have had DDoS functionality since before version 126.96.36.199. The orbitnet.exe file is not bundled with any older Orbit Downloader installers, but it might have been downloaded post-installation, like the DLL component.
This is a possibility, but it can't be demonstrated with certainty, Peter Kosinar, a technical fellow at ESET who was involved in the investigation, said Thursday. It might also be distributed through other means, he said.
Adding to the confusion is that an older version of orbitnet.exe than the one found by ESET is distributed with Orbit Downloader 188.8.131.52. The reason for this is unclear since Orbit Downloader 184.108.40.206 also downloads and uses the DLL DDoS component. However, it indicates a clear relationship between orbitnet.exe and Orbit Downloader.
The fact that a popular program like Orbit Downloader is used as a DDoS tool creates problems not only for the websites that it's used to attack, but also for the users whose computers are being abused.
According to Kosinar, there is no rate limit implemented for the packets sent by the DDoS component. This means that launching these attacks can easily consume the user's Internet connection bandwidth, affecting his ability to access the Internet through other programs.
Users who install Orbit Downloader expect the program to streamline their downloads and increase their speed, but it turns out that the application has the opposite effect.
Orbit Downloader is developed by a group called Innoshock, but it's not clear if this is a company or just a team of developers. Attempts to contact Innoshock for comment Thursday via two Gmail addresses listed on its website and the Orbit Downloader site, as well as via Twitter, remained unanswered.