Hidden DDoS Code Discovered In Orbit Downloader

Most free apps that are available for download on the Google Play Store generate revenue with adware, which are the irritating ads that you agree to suffer through in lieu for free use of the app. Most games on the Play Store work this way, and the value judgement that goes into deciding whether all the adware is worth the functionality of the app is for the user to decide.

However, there may be cases when this tradeoff is taken too far, the most recent example being spider io’s recent expose on Sambreel last month, and most often this judgement is made after looking at the code for the application that could reveal what could be potentially undesired and figure out exactly what they do. The very popular Orbit Downloader, a popular Windows program for downloading embedded media content and other types of files from the internet, has now become caught up in the most recent such inquisition as ESET is reporting that in evaluating Orbit’s code, it has found something unexpected.

The Orbit downloader app has been around since 2006 and it has been free on the Play Store. The developer of the Orbit app, Innoshock, say that the revenue from the app is generated from bundled offers like OpenCandy which are in turn used to install third party software and show users ads. While this is standard accepted practice (the user can decide for herself if the tradeoff is worth the app), what ESET discovered was less acceptable – additional code for performing Denial of Service (DoS) attacks in the app code.

DDos code attack, ddos code discovered in orbit downloader

DDoS can be defined as an attack which functions by denying the distribution of service. It usually is led by saturation of bandwidths/resources for multiple systems of their target system, which are mostly web servers. The fluke traffic is most often caused by multiple compromised systems(like a botnet) flooding the attacked system with traffic. The extra bit of predatory code was added to the main file orbitdm.exe somewhere between December 25, 2012 when the version was released, and January 10, 2013 when was released. What the code does is communicate with the servers at orbitdownloader.com and be instructed on what URLs to attack.


While ESET has not specified whether the attack was used or how often, it has emphatically stressed the effectiveness with which it can be done. Orbit Downloader is one of the most popular downloader softwares in the Android universe, being consistently listed as one of the top downloads in its category on most of the popular software websites, and the program may very well be generating gigabits or more of net network traffic.

This makes it a very effective tool for Distributed Denial of Service(DDOS) attacks. ESET performed its own tests and HTTP connection requests were made at rates of about 140,000 packets in a second, with unauthenticated source addresses mostly seemingly coming from IP ranges set in the country of Vietnam. The blocks of IP addresses were then hardcored into the DLL file that was downloaded from ido.pl. ESET also said that it was quite possible that different ranges may have been utilised in the past and this could also change in the future versions of the DLL file.

ESET has elected to block Orbit Downloader that are functioning on DOS code and has recommended that all users uninstall the program on their devices until the developers Innoshock explain their behavior, as well as release updates that remove this unwanted feature, however Innoshock has not yet come out with a public statement defending itself.


Let us know in comments below what you think about this whole DDoS fiasco and how you ensure your cyber security as well as how you stay updated on the recent threats.

Add Comment