update server dns records were spoofed on google public DNS servers


owahfxp
03-24-2015, 12:04 PM
Hello,

for the majority of the day, I wasn't able to resolve www.flashfxp.com

; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com. IN A

Later the domain was reachable again:

; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com. IN A

;; ANSWER SECTION:
www.flashfxp.com. 3600 IN A 96.30.5.209

But upon running the autoupdater I receive an update that is not listed on the website:

FlashFXP5_3822_Setup.exe

Upon further inspection of the update process, I saw that the liveupdate server has a different ip than the website, that in itself is not weird (update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:

; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com. IN A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 30 IN A 104.207.143.175

hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0

m-stone.co.jp does NOT look like a legit update source.

https://www.virustotal.com/en-gb/file/60cdfeef65843e55e2c25dbb38c6f72f9f61249de4df5991e4254cc7a28dbc3b/analysis/1427215454/

[Edited by bigstar, removed some images]

MxxCon
03-25-2015, 12:12 AM
What DNS servers are you using?

owahfxp
03-25-2015, 03:59 AM
I used several different DNS servers in this test, amongst them Google DNS.

If you look at the situation right now, every DNS server points to the same IP as the website's:

; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com. IN A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 296 IN A 96.30.5.209

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE rcvd: 68

That said, I started disassembling the malware which was pushed via this hack and it looks very amateurish to me; I hardly believe that this was a targeted DNS poisoning.

bigstar
03-25-2015, 06:55 AM
Thank you very much for bringing this to our attention. This is a very serious problem and I am working to get it resolved ASAP.

flashfxp.com was not compromised and this does appear to be some type of DNS poisoning/spoofing attack.

104.207.143.175 is NOT one of our servers.

liveupdate.flashfxp.com should resolve to the same IP as www.flashfxp.com (96.30.5.209).

When you download an update from within FlashFXP, the first thing we do after the download has completed is verify the digital signature on the exe; if the file has been tampered with, the download will be deleted and we report the download as incomplete.

I am currently investigating this situation and I will provide more information as I know more.

bigstar
03-25-2015, 07:30 AM
At the moment it appears that just liveupdate.flashfxp.com is affected by this issue; I am still verifying addresses and domains via multiple sources.

MxxCon
03-25-2015, 08:32 AM
owahfxp, I see that you connected to this forum through Tor. Were you connected to Tor when this problem happened as well? Could there be a malicious exit node designed to target FlashFXP? (and possibly many other software packages)

owahfxp
03-25-2015, 09:01 AM
This is a valid concern; I only use Tor for HTTP browsing though. FlashFXP autoupdate connects directly via my network.

I probed liveupdate.flashfxp.com from various (non-Tor) nodes within Europe (via curl and dig).

ecksteinn
03-26-2015, 08:31 AM
I noticed the same; my ESET killed an announced update yesterday.
I wonder how many users without a proper antivirus caught a trojan yesterday.

2015-03-25 15:05:20 HTTP filter file http://m-stone.co.jp/install/FlashFXP5_3823_Setup.exe a variant of Generik.MUZSLXR trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\program\FlashFXP\FlashFXP.exe.

bigstar
03-26-2015, 02:03 PM
I have released an update, 5.1.0 build 3824, to better protect our users from any future DNS hijacking attempts.

Below are some of the specific changes I've implemented:

When performing an update check, the update check reply messages now include a digital signature; if the digital signature is missing or invalid, the server reply is discarded.

FlashFXP will only process the server reply if the digital signature can be verified.

After downloading the program updates, additional checking is performed to ensure that the digital signature is owned by us; if the digital signature fails validation or doesn't match, the downloaded content is deleted.
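The two-step check described in this thread (a signed update-check reply that is discarded unless the signature verifies, then a check that the downloaded bytes match what was signed, both against a publisher key pinned in the client) as an added Go example. This is not FlashFXP's code: the manifest format, the Ed25519 key pair derived from a fixed seed, the sample installer bytes and the function names are all assumptions made so the example runs offline. The point it shows is that a reply from a server the resolver was spoofed into returning is rejected at step 1 even when that server's reply is internally consistent, because its signing key is not the pinned one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest stands in for the update-check reply (hypothetical format,
// not FlashFXP's): the file to fetch, its version, and the SHA-256 the
// download must have. The signature covers all three fields.
type UpdateManifest struct {
	FileName string
	Version  string
	SHA256   string // hex-encoded digest of the installer bytes
	Sig      []byte // Ed25519 signature over signedBytes()
}

// signedBytes is the canonical byte string the signature covers. The NUL
// separator keeps "a"+"bc" and "ab"+"c" from producing the same message.
func (m UpdateManifest) signedBytes() []byte {
	return []byte(m.FileName + "\x00" + m.Version + "\x00" + m.SHA256)
}

var (
	ErrBadManifestSig = errors.New("update reply discarded: signature missing or not from the pinned publisher key")
	ErrHashMismatch   = errors.New("download deleted: content does not match the signed manifest")
)

// KeyFromSeed derives a deterministic Ed25519 key pair from a seed string so
// the example runs offline (constructed keys). A real publisher key is
// generated once, at random, and its private half stays on the release host.
func KeyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	s := sha256.Sum256([]byte(seed)) // Ed25519 seeds are exactly 32 bytes
	priv := ed25519.NewKeyFromSeed(s[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// NewSignedManifest is the publisher side, run once per release: hash the
// installer, describe it, and sign the description.
func NewSignedManifest(priv ed25519.PrivateKey, name, version string, installer []byte) UpdateManifest {
	sum := sha256.Sum256(installer)
	m := UpdateManifest{FileName: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// VerifyUpdate is the client side. The publisher's public key is pinned in
// the client binary, so a reply signed by any other key fails step 1 no
// matter which host DNS sent the request to, and a download that does not
// match the signed digest fails step 2.
func VerifyUpdate(pinned ed25519.PublicKey, m UpdateManifest, download []byte) error {
	// Step 1: process the reply only if its signature verifies under our key.
	if len(m.Sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, m.signedBytes(), m.Sig) {
		return ErrBadManifestSig
	}
	// Step 2: the downloaded bytes must match the digest named in the signed reply.
	want, err := hex.DecodeString(m.SHA256)
	got := sha256.Sum256(download)
	if err != nil || !bytes.Equal(got[:], want) {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	pub, priv := KeyFromSeed("publisher-release-key") // constructed seed
	_, rogue := KeyFromSeed("somebody-elses-key")     // constructed seed

	installer := []byte("constructed installer bytes, not a real executable")
	genuine := NewSignedManifest(priv, "Setup.exe", "5.1.0", installer)
	fmt.Println("genuine reply, genuine file:", VerifyUpdate(pub, genuine, installer))

	// Same reply, but the bytes actually served differ from what was signed.
	fmt.Println("genuine reply, swapped file:", VerifyUpdate(pub, genuine, []byte("something else")))

	// A reply that is internally consistent but signed with a key that is not ours.
	rogueFile := []byte("constructed rogue payload")
	rogueReply := NewSignedManifest(rogue, "Setup.exe", "5.1.0", rogueFile)
	fmt.Println("rogue reply, matching file:", VerifyUpdate(pub, rogueReply, rogueFile))

	// A genuine reply with one field edited in transit.
	edited := genuine
	edited.Version = "9.9.9"
	fmt.Println("edited reply:", VerifyUpdate(pub, edited, installer))
}
```

The order of the checks matters: the manifest signature is verified before any digest comparison, so the client never acts on a file name or version that did not come from the pinned key, and the digest check then ties the served bytes to that signed statement rather than to whatever host the name resolved to.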