Sponsored by..

Tuesday 11 October 2011

Cyanogenmod.com compromised with warlikedisobey.org injection

Cyanogenmod.com is a site offering legitmate custom firmware for Android devices. It's a popular site, pulling in about 100,000 unique US users per day according to compete.com and it has an Alexa rank of 6728.

Unfortunately, the site has been compromised in an injection attack with a hard-to-diagnose piece of malware attempting to load code from warlikedisobey.org/coehegzxw8xgahtrb on 66.197.158.102. The code seems resistant to several common analysis tools. The injection attack is hidden on the very first line of HTML on the home page.. you have to scroll a long way right to see it.

Update 12/10: it looks like the site is currently clean, but it might get re-infected if the core problem hasn't been fixed.

Update 20/10:  it turns out that it isn't clean at all, but the exploit code is not present all the time. It could be that something is going on at Cloudflare who provide load balancing for the site, but I've never seen that sort of issue with Cloudflare before.

I haven't been able to analyse the payload yet. There is a possibility that it might target Android devices.

The domain is registered through Bizcn.com in China to the following registrant:

Registrant ID:orgff14354361081
Registrant Name:Henry Nguyen Gong
Registrant Organization:Privacy-Protect.cn
Registrant Street1:Rue la produit 34
Registrant Street2:
Registrant Street3:
Registrant City:Nimes
Registrant State/Province:Languedoc-Roussillon
Registrant Postal Code:30189
Registrant Country:FR
Registrant Phone:+33.466583875
Registrant Phone Ext.:
Registrant FAX:+33.466583875
Registrant FAX Ext.:
Registrant Email:contact@privacy-protect.cn


privacy-protect.cn is very commonly used by criminals to cover their tracks.A Google search for 66.197.158.102 indicates that the IP address is in use by several malicious domains (listed below).

A look at the Cyanogenmod.com forums indicates that similar attacks have been happening since September 25th:


Does anyone know what this is? I got a warning from Norton with High severity saying I was attacked by sloughsputter.org and warlikedisobey.org from 66.197.158.102:80 when I entered into the touchpad forum for this website. The IPS alert name is: web attack malicious exploit kit website at High risk 

Blocking traffic to 66.197.158.102 is probably a good idea. It looks like there may be other problems in 66.197.158.0/24 so you could block the whole range as a precaution.

The following domains are hosted on 66.197.158.102:


acclaimpump.org
acreafloat.org
aeroadore.org
affairmedley.org
afraiddown.org
againindorse.org
alertworsted.org
analyseshort.org
ardorloathe.org
arraigngarment.org
assortsetto.org
bakedemure.org
balloontroops.org
baskettubular.org
beandown.org
bedridpollute.org
benttopple.org
bequestramble.org
blazefiddle.org
blisswilds.org
boardbutts.org
bringgreed.org
bunkscamp.org
burntbrought.org
butchermeetm.org
bywordtoll.org
cackleshaggy.org
capsuletrapeze.org
carptheirs.org
cellarprank.org
cellchin.org
cementshout.org
choreuphold.org
clamourunion.org
classiclily.org
clerkinure.org
comechirp.org
crafttexture.org
damaskslab.org
declaimtaunt.org
decreecattle.org
delayabrige.org
desisthateful.org
deskoccur.org
devoidshed.org
dimsadden.org
dirttouchy.org
discernpitcher.org
divingpeddle.org
dotingbouquet.org
eclipsedensity.org
economyjersey.org
elateexample.org
elkrecline.org
embraceniece.org
enigmaflutter.org
enjoyocean.org
enrolcaw.org
estril.org
eventliving.org
evermist.org
eyescanty.org
facingsinvade.org
factionchurch.org
fallacypour.org
fangwrath.org
fiancesardine.org
fishingbeet.org
flaxnap.org
foggystudent.org
foresttruck.org
fuzzoffal.org
gailyflounce.org
gazettesay.org
ghatlend.org
ghatreds.org
gibbetshook.org
gladespilt.org
godliketourist.org
goodantics.org
grandetidings.org
grenadeabove.org
gruver.org
gulpillegal.org
halcyonet.com
hamcadet.org
heronuntrue.org
hideousmindful.org
hillocksaunter.org
horntreason.org
hotspurequal.org
hourmesh.org
hulknutmeg.org
hungermouth.org
hymnrough.org
idearevel.org
ignservice.com
inclosegem.org
incurhealth.org
inducttrunk.org
innentry.org
innersoloist.org
inroadperish.org
installherb.org
intentbell.org
ironingonset.org
itemizefir.org
jarabroad.org
javarequest.com
javatooltip.com
jewishdin.org
jocularputrefy.org
jstooltip.com
juicecaulk.org
justlysubtle.org
kalmup.org
kinoutlaw.org
lambkinclad.org
laundrysudden.org
leanspeck.org
letconsul.org
libelconvoy.org
lieweld.org
likesfetter.org
linseedpaste.org
lodgersow.org
loitercash.org
longingashamed.org
lowlymeaty.org
lowsnooze.org
maniashow.org
mashscamp.org
maximumnone.org
memoirsmatrix.org
milletavoid.org
miserytenure.org
modernbin.org
morphiaseaside.org
movingsnip.org
mummeryscales.org
musterydecoy.org
muzzleastute.org
nationearn.org
naughtgrubby.org
nestjolt.org
netllookup.com
nightlyseeds.org
nodeconvert.org
noisomechicane.org
nominalunwary.org
nullcandy.org
numbuse.org
oatmealfrisk.org
oatmealshatter.org
opticmoving.org
orationyou.org
orderdid.org
orhanhundred.org
otspark.org
overrunwooden.org
pactcelery.org
pastrydug.org
pedalslacken.org
pentfinite.org
pentmull.org
phantombecame.org
phantomsell.org
pigskinturn.org
pilgrimstrut.org
plentyvicious.org
plumtreacle.org
pompousdenial.org
ponderbelong.org
popestrict.org
portionchagrin.org
posyhatch.org
potseclude.org
prancecontour.org
praysad.org
precededynamic.org
primacyresin.org
prosaiccube.org
provereject.org
puristar.org
purposestupid.org
quartpliancy.org
racialfreshe.org
rashcrowd.org
readerocular.org
rebirthfalcon.org
rectoryfeign.org
refereeshe.org
reflexpan.org
refundwine.org
remissdeceive.org
repentavow.org
repulsemaximum.org
riddensoot.org
rsstooltip.com
runletlanky.org
saintlunatic.org
sapammonia.org
savourotter.org
scumwoollen.org
seniormilage.org
shouldfasten.org
sinnerreflex.org
sirsize.org
skimlyrical.org
slopestipend.org
sorrelramble.org
sprutnetwork.com
squealflirt.org
staideconomy.org
starryplank.org
stowgranary.org
stripescud.org
studentfairly.org
stuffwrestle.org
stuntedvote.org
subdueshone.org
suctionbanking.org
suitebillion.org
sunnyscythe.org
superbhotbed.org
taintfurl.org
talkerrun.org
tasteleg.org
tensionwarble.org
testradiant.org
timelymaze.org
titledrutty.org
toiletarchway.org
torturetactful.org
totaltwelfth.org
trafficgarland.org
trashnote.org
trickleivy.org
trivialappears.org
tunebask.org
turbidworship.org
undoingperfect.org
unduedome.org
unitepulpit.org
unshipreckon.org
usheronce.org
vacancyagainst.org
veinassert.org
vileisolate.org
visapeer.org
votegroggy.org
voyagebud.org
vultureoffer.org
waivertouch.org
warlikedisobey.org
waspad.org
wastefuzz.org
wedanthem.org
wettrend.org
whimperchart.org
widowerfeeble.org
wivestemple.org
woecake.org
woverecruit.org
wretchninny.org
zippuny.org

4 comments:

Rogunix said...

Here the malicious script over the original code: http://pastebin.com/7mihn8ak

Conrad Longmore said...

It's weird that it's still there.. sometimes.

pal4life said...

Hi,
Our site has been attacked with the similar code, how was the website ale to resolve this.

Conrad Longmore said...

@pal4life: apparently it was a Wordpress plugin. What made the malware hard to diagnose was that it only seemed to get served once per IP address. Unforunately I don't know what the plug was.

There are several threads on the Cyanogenmod site, this might be the most useful (click at your own risk!)
hxxp://forum.cyanogenmod.com/topic/36611-why-is-cyanogenmod-distributing-malware/