update server dns records were spoofed on google public DNS servers

owahfxp · 03-24-2015, 12:04 PM

Hello,

for the majority of the day, I wasn't able to resolve www.flashfxp.com

Code:

; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

Later the domain was reachable again:

Code:

; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

;; ANSWER SECTION:
www.flashfxp.com.       3600    IN      A       96.30.5.209

But upon running the autoupdater I receive an update that is not listed on the website:

FlashFXP5_3822_Setup.exe

Upon further inspection of the update process, I saw that the liveupdate server has a different ip than the website, that in itself is not weird (update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:

Code:

; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 30     IN      A       104.207.143.175

Code:

hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0

m-stone.co.jp does NOT look like a legit update source.

https://www.virustotal.com/en-gb/fil...is/1427215454/

[Edited by bigstar, removed some images]

MxxCon · 03-25-2015, 12:12 AM

What DNS servers are you using?

owahfxp · 03-25-2015, 03:59 AM

i used several different dns in this test, amongst them google dns.

if you look at the situation right now, every dns server points to the same IP as the website's

Code:

; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 296    IN      A       96.30.5.209

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE  rcvd: 68

that said, i started disassembling the malware which was pushed via this hack and it looks very amateurish to me, i hardly believe that this was a targeted dns poison.

bigstar · 03-25-2015, 06:55 AM

Thank you very much for bringing this to our attention. This is a very serious problem and I am working to get it resolved ASAP.

flashfxp.com was not compromised and this does appear to be some type of DNS poisoning/spoofing attack.

104.207.143.175 is NOT one of our servers.

liveupdate.flashfxp.com should resolve to the same IP as FlashFXP - Secure FTP Client Software for Windows. Upload, Download, and Synchronize your files. (96.30.5.209)

When you download an update from within FlashFXP after the download has completed the first thing we do is verify the digital signature on the exe, if the file has been tampered with the download will be deleted and we report the download as incomplete.

I am currently investigating this situation and I will provide more information as I know more.

bigstar · 03-25-2015, 07:30 AM

At the moment it appears that just liveupdate.flashfxp.com is affected by this issue, I am still verifying addresses and domains via multiple sources.

MxxCon · 03-25-2015, 08:32 AM

owahfxp, I see that you connected to this forum through tor. Were you connect to tor when this problem happened as well? Could there be a malicious exit node designed to target FlashFXP?(and possibly many other software packages)

owahfxp · 03-25-2015, 09:01 AM

this is a valid concern, I only use TOR for HTTP browsing though. FlashFXP autoupdate directly connects via my network.

I probed liveupdate.flashfxp.com from various (non-TOR) nodes within Europe (via curl and dig)

ecksteinn · 03-26-2015, 08:31 AM

I noticed the same, my ESET killed an announced update yesterday.
Wonder how many users without a proper antivirus caught up a trojan yesterday

2015-03-25 15:05:20 HTTP filter file http://m-stone.co.jp/install/FlashFXP5_3823_Setup.exe a variant of Generik.MUZSLXR trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\program\FlashFXP\FlashFXP.exe.

bigstar · 03-26-2015, 02:03 PM

I have released an update 5.1.0 build 3824 to better protect our users from any future dns hi-jacking attempts.

Below are some of the specific changes I've implemented

When preforming an update check the update check reply messages now include a digital signature, if the digital signature is missing or invalid then the server reply is discarded.

FlashFXP will only process the server reply if the digital signature can be verified.

After downloading the program updates additional checking is performed to ensure that the digital signature is owned by us, if the digital signature fails validation or doesn't match then the downloaded content is deleted.