Website Comments, Suggestions, Questions, Concerns, Fan mail, Hate mail, Whatever goes. |
03-24-2015, 12:04 PM
|
#1
|
Junior Member
FlashFXP Registered User
Join Date: Sep 2014
Posts: 3
|
update server dns records were spoofed on google public DNS servers
Hello,
for the majority of the day, I wasn't able to resolve www.flashfxp.com
Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com. IN A
Later the domain was reachable again:
Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com. IN A
;; ANSWER SECTION:
www.flashfxp.com. 3600 IN A 96.30.5.209
But upon running the autoupdater I receive an update that is not listed on the website:
FlashFXP5_3822_Setup.exe
Upon further inspection of the update process, I saw that the liveupdate server has a different ip than the website, that in itself is not weird (update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:
Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com. IN A
;; ANSWER SECTION:
liveupdate.flashfxp.com. 30 IN A 104.207.143.175
Code:
hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0
m-stone.co.jp does NOT look like a legit update source.
https://www.virustotal.com/en-gb/fil...is/1427215454/
[Edited by bigstar, removed some images]
Last edited by bigstar; 03-26-2015 at 02:10 PM.
|
|
|
03-25-2015, 12:12 AM
|
#2
|
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
|
What DNS servers are you using?
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
|
|
|
03-25-2015, 03:59 AM
|
#3
|
Junior Member
FlashFXP Registered User
Join Date: Sep 2014
Posts: 3
|
i used several different dns in this test, amongst them google dns.
if you look at the situation right now, every dns server points to the same IP as the website's
Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com. IN A
;; ANSWER SECTION:
liveupdate.flashfxp.com. 296 IN A 96.30.5.209
;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE rcvd: 68
that said, i started disassembling the malware which was pushed via this hack and it looks very amateurish to me, i hardly believe that this was a targeted dns poison.
|
|
|
03-25-2015, 06:55 AM
|
#4
|
FlashFXP Developer
FlashFXP Administrator ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012
|
Thank you very much for bringing this to our attention. This is a very serious problem and I am working to get it resolved ASAP.
flashfxp.com was not compromised and this does appear to be some type of DNS poisoning/spoofing attack.
104.207.143.175 is NOT one of our servers.
liveupdate.flashfxp.com should resolve to the same IP as FlashFXP - Secure FTP Client Software for Windows. Upload, Download, and Synchronize your files. (96.30.5.209)
When you download an update from within FlashFXP after the download has completed the first thing we do is verify the digital signature on the exe, if the file has been tampered with the download will be deleted and we report the download as incomplete.
I am currently investigating this situation and I will provide more information as I know more.
Last edited by bigstar; 03-25-2015 at 07:35 AM.
|
|
|
03-25-2015, 07:30 AM
|
#5
|
FlashFXP Developer
FlashFXP Administrator ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012
|
At the moment it appears that just liveupdate.flashfxp.com is affected by this issue, I am still verifying addresses and domains via multiple sources.
Last edited by bigstar; 03-25-2015 at 07:35 AM.
|
|
|
03-25-2015, 08:32 AM
|
#6
|
Super Duper
FlashFXP Beta Tester
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,881
|
owahfxp, I see that you connected to this forum through tor. Were you connect to tor when this problem happened as well? Could there be a malicious exit node designed to target FlashFXP?(and possibly many other software packages)
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
|
|
|
03-25-2015, 09:01 AM
|
#7
|
Junior Member
FlashFXP Registered User
Join Date: Sep 2014
Posts: 3
|
this is a valid concern, I only use TOR for HTTP browsing though. FlashFXP autoupdate directly connects via my network.
I probed liveupdate.flashfxp.com from various (non-TOR) nodes within Europe (via curl and dig)
Last edited by owahfxp; 03-25-2015 at 09:07 AM.
|
|
|
03-26-2015, 08:31 AM
|
#8
|
Member
FlashFXP Beta Tester
Join Date: Jul 2005
Posts: 32
|
I noticed the same, my ESET killed an announced update yesterday.
Wonder how many users without a proper antivirus caught up a trojan yesterday
2015-03-25 15:05:20 HTTP filter file http://m-stone.co.jp/install/FlashFXP5_3823_Setup.exe a variant of Generik.MUZSLXR trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\program\FlashFXP\FlashFXP.exe.
|
|
|
03-26-2015, 02:03 PM
|
#9
|
FlashFXP Developer
FlashFXP Administrator ioFTPD Beta Tester
Join Date: Oct 2001
Posts: 8,012
|
I have released an update 5.1.0 build 3824 to better protect our users from any future dns hi-jacking attempts.
Below are some of the specific changes I've implemented
When preforming an update check the update check reply messages now include a digital signature, if the digital signature is missing or invalid then the server reply is discarded.
FlashFXP will only process the server reply if the digital signature can be verified.
After downloading the program updates additional checking is performed to ensure that the digital signature is owned by us, if the digital signature fails validation or doesn't match then the downloaded content is deleted.
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 04:49 AM.
|