Old 03-24-2015, 12:04 PM  
owahfxp
Junior Member
 
Join Date: Sep 2014
Posts: 3
Update server DNS records were spoofed on Google public DNS servers

Hello,

For the majority of the day, I wasn't able to resolve www.flashfxp.com.

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

Later the domain was reachable again:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

;; ANSWER SECTION:
www.flashfxp.com.       3600    IN      A       96.30.5.209

But upon running the autoupdater I receive an update that is not listed on the website:

FlashFXP5_3822_Setup.exe

Upon further inspection of the update process, I saw that the liveupdate server has a different IP than the website. That in itself is not weird (the update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 30     IN      A       104.207.143.175

Code:
hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0

m-stone.co.jp does NOT look like a legit update source.

https://www.virustotal.com/en-gb/fil...is/1427215454/

[Edited by bigstar, removed some images]

Last edited by bigstar; 03-26-2015 at 02:10 PM.
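The investigation in the post boils down to two defender-side checks: does the update host resolve consistently (and sanely) across resolvers, and does the download URL in the update manifest actually point at the vendor's domain? The script below is an added example written for this page; it is not code from the poster or from FlashFXP. It parses dig's text output, flags SERVFAIL, very low TTLs and resolvers that disagree on an A record, and checks the manifest's download host against the vendor domain plus an optional CDN allowlist. The dig samples are the ones quoted above, trimmed to the relevant lines; the second-resolver answer (203.0.113.10, a documentation-range placeholder), the 300-second "low TTL" threshold and the manifest field layout (URL, file name, version, date, build, flag) are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed samples: the dig answers quoted in the post, trimmed to the
# lines the checks need, plus one constructed second-resolver answer for the
# update host (203.0.113.10 is a documentation-range placeholder, not a real
# observation).
DIG_WEBSITE_FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A
"""
DIG_WEBSITE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; ANSWER SECTION:
www.flashfxp.com.       3600    IN      A       96.30.5.209
"""
DIG_UPDATE_GOOGLE = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; ANSWER SECTION:
liveupdate.flashfxp.com. 30     IN      A       104.207.143.175
"""
DIG_UPDATE_OTHER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; ANSWER SECTION:
liveupdate.flashfxp.com. 3600   IN      A       203.0.113.10
"""
# Constructed manifest line in the layout quoted in the post (assumed fields):
# <download URL> <file name> <version> <date> <build> <flag>
MANIFEST = ("hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe "
            "FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0")

STATUS_RE = re.compile(r"status:\s*(\w+)")
# One resource record line: owner name, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$", re.M)


def parse_dig(text):
    """Return (status, [(name, ttl, rtype, rdata), ...]) from dig's text output."""
    m = STATUS_RE.search(text)
    status = m.group(1) if m else "UNKNOWN"
    records = [(name.rstrip("."), int(ttl), rtype, data)
               for name, ttl, rtype, data in RR_RE.findall(text)]
    return status, records


def check_resolution(outputs, low_ttl=300):
    """outputs maps a resolver label to its dig output.
    Flags non-NOERROR status, unusually low TTLs (threshold is an assumption)
    and resolvers that disagree on the A record for the same name."""
    findings, seen = [], {}
    for label, text in outputs.items():
        status, records = parse_dig(text)
        if status != "NOERROR":
            findings.append(f"{label}: resolver returned {status}")
            continue
        for name, ttl, rtype, data in records:
            if ttl < low_ttl:
                findings.append(f"{label}: {name} {rtype} TTL {ttl}s is unusually low")
            if rtype == "A":
                seen.setdefault(name, {}).setdefault(data, []).append(label)
    for name, by_ip in seen.items():
        if len(by_ip) > 1:
            detail = "; ".join(f"{ip} via {','.join(labels)}" for ip, labels in by_ip.items())
            findings.append(f"{name}: resolvers disagree: {detail}")
    return findings


def check_manifest(line, vendor_domain, allowed_hosts=()):
    """Flag a download URL whose host is neither under the vendor's domain nor an
    explicitly allowlisted CDN host. Accepts the defanged hxxp:// scheme as pasted."""
    url = re.sub(r"^hxxp(s?)://", r"http\1://", line.split()[0])
    host = (urlparse(url).hostname or "").lower()
    in_vendor = host == vendor_domain or host.endswith("." + vendor_domain)
    if in_vendor or host in allowed_hosts:
        return []
    return [f"download host {host!r} is outside {vendor_domain} and not allowlisted"]


def audit_update_chain(dig_outputs, manifest_line, vendor_domain, allowed_hosts=()):
    """Run both checks and return every finding as a list of strings."""
    return (check_resolution(dig_outputs)
            + check_manifest(manifest_line, vendor_domain, allowed_hosts))


if __name__ == "__main__":
    outputs = {"google-dns": DIG_UPDATE_GOOGLE, "other-resolver": DIG_UPDATE_OTHER}
    for finding in audit_update_chain(outputs, MANIFEST, "flashfxp.com"):
        print("FINDING:", finding)
```

Run as-is it reports three findings for the update host: the 30-second TTL, the two resolvers returning different addresses, and the manifest pointing at a host outside flashfxp.com. The resolver comparison is the useful part in practice: an update client that only ever asks one resolver has no way to notice a poisoned answer, whereas feeding the same name through two or three independent resolvers (and a DNSSEC-validating one where the zone is signed) turns a silent redirect into a visible disagreement.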