The attacks also use IP spoofing techniques, the source IP addresses for the requests falling into IP address ranges that are hardcoded in the DLL file.
"On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam," the ESET researchers said.
After adding a detection signature for the DLL component, the ESET researchers also identified an older file called orbitnet.exe that had almost the same functionality as the DLL file, but downloaded its configuration from a different website, not orbitdownloader.com.
This suggests that Orbit Downloader might have had DDoS functionality since before version 22.214.171.124. The orbitnet.exe file is not bundled with any older Orbit Downloader installers, but it might have been downloaded post-installation, like the DLL component.
This is a possibility, but it can't be demonstrated with certainty, Peter Kosinar, a technical fellow at ESET who was involved in the investigation, said Thursday. It might also be distributed though other means, he said.
Adding to the confusion is that an older version of orbitnet.exe than the one found by ESET is distributed with Orbit Downloader 126.96.36.199. The reason for this is unclear since Orbit Downloader 188.8.131.52 also downloads and uses the DLL DDoS component. However, it indicates a clear relationship between orbitnet.exe and Orbit Downloader.
The fact that a popular program like Orbit Downloader is used as a DDoS tool creates problems not only for the websites that it's used to attack, but also for the users whose computers are being abused.
According to Kosinar, there is no rate limit implemented for the packets sent by the DDoS component. This means that launching these attacks can easily consume the user's Internet connection bandwidth, affecting his ability to access the Internet through other programs.
Users who install Orbit Downloader expect the program to streamline their downloads and increase their speed, but it turns out that the application has the opposite effect.
Orbit Downloader is developed by a group called Innoshock, but it's not clear if this is a company or just a team of developers. Attempts to contact Innoshock for comment Thursday via two Gmail addresses listed on its website and the Orbit Downloader site, as well as via Twitter, remained unanswered.
The program's users also seem to have noticed its DDoS behavior judging by comments left on Download.com and the Orbit Downloader support forum.
Orbit Downloder version 184.108.40.206 is generating a very high amount of DDoS traffic, a user named raj_21er said on the support forum on June 12. "The DDoS flooding is so huge that it just hangs the gateway devices/network switches completely and breaks down the entire network operation."
Sign up for CIO Asia eNewsletters.