20 October 2011

Cyanogenmod.com malware spread

Recently, the website Cyanogenmod.com was compromised and was spreading a piece of malware loaded from warlikedisobey.org/coehegzxw8xgahtrb, hosted by Indo Network Solutions, Scranton, Pennsylvania (USA) (66.197.158.102).

Whois info for 66.197.158.102
IP Information - 66.197.158.102

IP address:                     66.197.158.102
Reverse DNS:                    static-ip-102-158-197-66.host.cybernet.co.id.
ASN:                            21788
ASN Name:                       NOC
IP range connectivity:          7
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               66.197.0.0 to 66.197.255.255
Country fraud profile:          Normal
City (per outside source):      Reno, Nevada
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No

If we query urlquery.net for the URL, we can see that this server has been used since 2011-09-27 to spread malware from multiple domains hosted on it:

2011-10-20 02:41:46 0 warlikedisobey.org/coehegzxw8xgahtrb 66.197.158.102
2011-10-11 01:20:45 0 warlikedisobey.org/osnp91icm/?5 66.197.158.102
2011-10-11 01:16:42 0 nestjolt.org/5gbd3jzxwfqjnp1eh/ 66.197.158.102
2011-10-11 01:14:31 0 nestjolt.org/5gbd3jzxwfqjnp1eh/ 66.197.158.102
2011-10-11 00:59:42 0 http://turbidworship.org/osnp91icm/?1 66.197.158.102
2011-10-06 20:24:52 0 nationearn.org 66.197.158.102
2011-09-27 12:45:01 0 http://starryplank.org/bp1tezzxwtauh 66.197.158.102
2011-09-27 12:35:14 0 http://starryplank.org/bp1tezzxwtauh 66.197.158.102
2011-09-27 12:02:07 0 http://starryplank.org/but3os0wp/ 66.197.158.102
2011-09-27 12:00:59 0 http://starryplank.org/but3os0wp/?3a75067eb1353ae040165 66.197.158.102
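
As an added example (not code from the original post), the following Python script parses urlquery-style records like the ones above, pivots them by the resolving IP to list the domains sharing that server, and then checks a page's HTML for script or iframe includes that point at any of those hosts or at the IP itself. The record lines and the sample HTML are constructed from the post's own data, and the line and tag formats the regexes expect are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: urlquery.net records reproduced from the post above
# (timestamp, alert count, URL, resolved IP), one per line.
URLQUERY_RECORDS = """\
2011-10-20 02:41:46 0 warlikedisobey.org/coehegzxw8xgahtrb 66.197.158.102
2011-10-11 01:20:45 0 warlikedisobey.org/osnp91icm/?5 66.197.158.102
2011-10-11 01:16:42 0 nestjolt.org/5gbd3jzxwfqjnp1eh/ 66.197.158.102
2011-10-11 00:59:42 0 http://turbidworship.org/osnp91icm/?1 66.197.158.102
2011-10-06 20:24:52 0 nationearn.org 66.197.158.102
2011-09-27 12:45:01 0 http://starryplank.org/bp1tezzxwtauh 66.197.158.102
"""

# Assumed record layout: "<date> <time> <alerts> <url> <ipv4>"
RECORD_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\d{1,3}(?:\.\d{1,3}){3})$")


def parse_urlquery(text):
    """Parse urlquery-style lines into dicts with timestamp, url, host and ip."""
    rows = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines that do not fit the layout
        ts, alerts, url, ip = m.groups()
        if "://" not in url:
            url = "http://" + url  # urlquery prints some URLs without a scheme
        host = (urlparse(url).hostname or "").lower()
        rows.append({"timestamp": ts, "alerts": int(alerts),
                     "url": url, "host": host, "ip": ip})
    return rows


def hosts_by_ip(rows):
    """Group distinct hostnames by the IP they resolved to (a passive-DNS style pivot)."""
    groups = defaultdict(set)
    for r in rows:
        groups[r["ip"]].add(r["host"])
    return {ip: sorted(hosts) for ip, hosts in groups.items()}


# Matches the src attribute of <script> and <iframe> tags (assumed simple HTML).
SRC_RE = re.compile(
    r"""<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def find_suspicious_includes(html, bad_hosts, bad_ips):
    """Return src values of script/iframe tags pointing at a known-bad host or IP."""
    hits = []
    for src in SRC_RE.findall(html):
        if src.startswith("//"):
            target = "http:" + src          # protocol-relative include
        elif "://" in src:
            target = src                    # absolute include
        else:
            continue                        # same-origin relative path, not external
        host = (urlparse(target).hostname or "").lower()
        if host in bad_hosts or host in bad_ips:
            hits.append(src)
    return hits


# Constructed sample page: one benign local script plus one injected external include.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script type="text/javascript" src="http://warlikedisobey.org/coehegzxw8xgahtrb"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    rows = parse_urlquery(URLQUERY_RECORDS)
    pivot = hosts_by_ip(rows)
    for ip, hosts in pivot.items():
        print(ip, "->", ", ".join(hosts))
    bad_hosts = set(pivot.get("66.197.158.102", []))
    for hit in find_suspicious_includes(SAMPLE_HTML, bad_hosts, {"66.197.158.102"}):
        print("suspicious include:", hit)
```

Pivoting on the IP is what turns one observed URL into a watch list: every domain the sandbox saw resolving to the same server becomes a string worth grepping for in the HTML of a site you suspect has been modified, and the same list feeds a proxy or DNS blocklist while the server stays active.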

It seems that Indo Network servers have been used to spread malware and for spamming several times. If we search the Project Honey Pot website for the offending IP, we can see that a number of servers within the Indo Network range have been used for spamming.

The CyanogenMod site has been the target of attacks before, and may have been spreading malware quietly for some time. This was already discussed on the CyanogenMod forum (25 September 2011).

The original post is on pastebin here.

You should take a look at the last line of the following code: