I used several different DNS servers in this test, among them Google DNS.
If you look at the situation right now, every DNS server points to the same IP as the website's.
Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com. IN A
;; ANSWER SECTION:
liveupdate.flashfxp.com. 296 IN A 96.30.5.209
;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE rcvd: 68
That said, I started disassembling the malware which was pushed via this hack, and it looks very amateurish to me. I hardly believe that this was a targeted DNS poisoning.
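The cross-resolver check the post describes, as an added example (not the poster's code): parse the `;; ANSWER SECTION:` and `;; SERVER:` lines of several dig transcripts and flag any resolver whose A records differ from the majority or from an expected address such as the web server's own. The transcripts below are constructed; 96.30.5.209 is the answer shown in the post, 8.8.4.4 is Google's second resolver, and 192.0.2.53 and 203.0.113.7 are RFC 5737 documentation addresses standing in for a divergent resolver and answer.

```python
import re

# Constructed, trimmed dig transcripts for the same name against three resolvers.
# The third one returns a different address to exercise the divergence check.
DIG_OUTPUTS = [
    """;; ANSWER SECTION:
liveupdate.flashfxp.com. 296 IN A 96.30.5.209
;; SERVER: 8.8.8.8#53(8.8.8.8)""",
    """;; ANSWER SECTION:
liveupdate.flashfxp.com. 300 IN A 96.30.5.209
;; SERVER: 8.8.4.4#53(8.8.4.4)""",
    """;; ANSWER SECTION:
liveupdate.flashfxp.com. 60 IN A 203.0.113.7
;; SERVER: 192.0.2.53#53(192.0.2.53)""",
]

# An answer line looks like: "<name> <ttl> IN A <ipv4>"; question-section lines
# start with ";" and therefore never match because the TTL field is not numeric.
A_RECORD = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
SERVER_LINE = re.compile(r"^;; SERVER: (?P<resolver>[^#\s]+)#\d+")


def parse_dig(transcript):
    """Return (resolver, frozenset of A-record IPs) from one dig transcript."""
    resolver, ips = "unknown", set()
    for line in transcript.splitlines():
        line = line.strip()
        if (m := A_RECORD.match(line)):
            ips.add(m.group("ip"))
        elif (m := SERVER_LINE.match(line)):
            resolver = m.group("resolver")
    return resolver, frozenset(ips)


def compare_resolvers(transcripts, expected=None):
    """Map each resolver to its answer set and list the resolvers whose answers
    differ from the reference: the majority answer set, or `expected` if given
    (for instance the address the website itself is known to be served from)."""
    answers = dict(parse_dig(t) for t in transcripts)
    if expected is None:
        counts = {}
        for ipset in answers.values():
            counts[ipset] = counts.get(ipset, 0) + 1
        reference = max(counts, key=counts.get)
    else:
        reference = frozenset(expected)
    divergent = sorted(r for r, ipset in answers.items() if ipset != reference)
    return answers, reference, divergent
```

A single divergent resolver is a lead to investigate (stale cache, split-horizon, or a poisoned cache), while all resolvers agreeing with the web server's own address, as in the post, argues against resolver-side poisoning.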