03-24-2015, 12:04 PM   #1
owahfxp
Junior Member
FlashFXP Registered User
Join Date: Sep 2014
Posts: 3

update server dns records were spoofed on google public DNS servers

Hello,

For the majority of the day, I wasn't able to resolve www.flashfxp.com:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

Later the domain was reachable again:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

;; ANSWER SECTION:
www.flashfxp.com.       3600    IN      A       96.30.5.209

But upon running the autoupdater I receive an update that is not listed on the website:

FlashFXP5_3822_Setup.exe

Upon further inspection of the update process, I saw that the liveupdate server has a different IP than the website. That in itself is not weird (the update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 30     IN      A       104.207.143.175
Code:
hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0

m-stone.co.jp does NOT look like a legit update source.

https://www.virustotal.com/en-gb/fil...is/1427215454/

[Edited by bigstar, removed some images]

Last edited by bigstar; 03-26-2015 at 02:10 PM.
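An added defensive check, not code from the post or from FlashFXP: it parses the one-line manifest format quoted above and flags a download URL whose host is not a vendor-controlled update host or that is not served over HTTPS. The trusted-host list and the field layout of the manifest line are assumptions drawn from the single line shown in the post.

```python
import re
from urllib.parse import urlparse

# Assumption: an update client should only accept downloads from the vendor's
# own hosts. FlashFXP's real allowlist is not on the page; this is illustrative.
TRUSTED_UPDATE_HOSTS = {"flashfxp.com", "www.flashfxp.com", "liveupdate.flashfxp.com"}

# Manifest line as quoted in the forum post (URL defanged with hxxp://).
SAMPLE_MANIFEST = (
    "hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe "
    "FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0"
)

# Assumed field layout: URL, file name, version, "(build N)", date, build, flag.
MANIFEST_RE = re.compile(
    r"^(?P<url>\S+)\s+(?P<file>\S+)\s+(?P<version>\S+)\s+\(build (?P<build>\d+)\)\s+"
    r"(?P<date>.+?)\s+(?P<build2>\d+)\s+(?P<flag>\d+)$"
)


def parse_manifest_line(line):
    """Split one manifest line into named fields, refanging hxxp:// for parsing."""
    m = MANIFEST_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised manifest line")
    rec = m.groupdict()
    rec["url"] = re.sub(r"^hxxp", "http", rec["url"], flags=re.IGNORECASE)
    return rec


def host_is_trusted(host, trusted=TRUSTED_UPDATE_HOSTS):
    """Exact match or subdomain of a trusted host; avoids prefix-match spoofs."""
    host = host.lower().rstrip(".")
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def check_manifest(line, trusted=TRUSTED_UPDATE_HOSTS):
    """Return (parsed record, list of findings); an empty list means it passed."""
    rec = parse_manifest_line(line)
    u = urlparse(rec["url"])
    findings = []
    if u.scheme != "https":
        findings.append("download URL is not https")
    if not host_is_trusted(u.hostname or "", trusted):
        findings.append(f"download host {u.hostname!r} is not a trusted update host")
    if rec["file"] != u.path.rsplit("/", 1)[-1]:
        findings.append("file name does not match URL path")
    if rec["build"] != rec["build2"]:
        findings.append("build numbers disagree")
    return rec, findings
```

Run against the quoted line it reports both a non-HTTPS URL and an untrusted host, which is exactly what an update client should refuse before fetching the installer.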