Go Back   FlashFXP Forums > >

Website Comments, Suggestions, Questions, Concerns, Fan mail, Hate mail, Whatever goes.

Closed Thread
 
Thread Tools Rate Thread Display Modes
Old 03-24-2015, 12:04 PM   #1
owahfxp
Junior Member
FlashFXP Registered User
 
Join Date: Sep 2014
Posts: 3
Exclamation update server dns records were spoofed on google public DNS servers

Hello,

for the majority of the day, I wasn't able to resolve www.flashfxp.com

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A
Later the domain was reachable again:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> www.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44427
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flashfxp.com.              IN      A

;; ANSWER SECTION:
www.flashfxp.com.       3600    IN      A       96.30.5.209
But upon running the autoupdater I receive an update that is not listed on the website:

FlashFXP5_3822_Setup.exe

Upon further inspection of the update process, I saw that the liveupdate server has a different ip than the website, that in itself is not weird (update server could belong to some CDN), but I also analyzed the HTTP request for the update and found the following:

Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43156
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 30     IN      A       104.207.143.175
Code:
hxxp://m-stone.co.jp/install/FlashFXP5_3822_Setup.exe FlashFXP5_3822_Setup.exe 5.1.0 (build 3822) March 22, 2015 3822 0
m-stone.co.jp does NOT look like a legit update source.

https://www.virustotal.com/en-gb/fil...is/1427215454/

[Edited by bigstar, removed some images]

Last edited by bigstar; 03-26-2015 at 02:10 PM.
owahfxp is offline  
Old 03-25-2015, 12:12 AM   #2
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,830
Default

What DNS servers are you using?
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 03-25-2015, 03:59 AM   #3
owahfxp
Junior Member
FlashFXP Registered User
 
Join Date: Sep 2014
Posts: 3
Default

i used several different dns in this test, amongst them google dns.

if you look at the situation right now, every dns server points to the same IP as the website's

Code:
; <<>> DiG 9.9.5-9-Debian <<>> liveupdate.flashfxp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;liveupdate.flashfxp.com.       IN      A

;; ANSWER SECTION:
liveupdate.flashfxp.com. 296    IN      A       96.30.5.209

;; Query time: 17 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 25 09:57:27 CET 2015
;; MSG SIZE  rcvd: 68
that said, i started disassembling the malware which was pushed via this hack and it looks very amateurish to me, i hardly believe that this was a targeted dns poison.
owahfxp is offline  
Old 03-25-2015, 06:55 AM   #4
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

Thank you very much for bringing this to our attention. This is a very serious problem and I am working to get it resolved ASAP.

flashfxp.com was not compromised and this does appear to be some type of DNS poisoning/spoofing attack.

104.207.143.175 is NOT one of our servers.

liveupdate.flashfxp.com should resolve to the same IP as FlashFXP - Secure FTP Client Software for Windows. Upload, Download, and Synchronize your files. (96.30.5.209)

When you download an update from within FlashFXP after the download has completed the first thing we do is verify the digital signature on the exe, if the file has been tampered with the download will be deleted and we report the download as incomplete.

I am currently investigating this situation and I will provide more information as I know more.

Last edited by bigstar; 03-25-2015 at 07:35 AM.
bigstar is offline  
Old 03-25-2015, 07:30 AM   #5
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

At the moment it appears that just liveupdate.flashfxp.com is affected by this issue, I am still verifying addresses and domains via multiple sources.

Last edited by bigstar; 03-25-2015 at 07:35 AM.
bigstar is offline  
Old 03-25-2015, 08:32 AM   #6
MxxCon
Super Duper
FlashFXP Beta Tester
 
Join Date: Oct 2001
Location: Brooklyn, NY
Posts: 3,830
Default

owahfxp, I see that you connected to this forum through tor. Were you connect to tor when this problem happened as well? Could there be a malicious exit node designed to target FlashFXP?(and possibly many other software packages)
__________________
[Sig removed by Administrator: Signature can not exceed 20GB]
MxxCon is offline  
Old 03-25-2015, 09:01 AM   #7
owahfxp
Junior Member
FlashFXP Registered User
 
Join Date: Sep 2014
Posts: 3
Default

this is a valid concern, I only use TOR for HTTP browsing though. FlashFXP autoupdate directly connects via my network.

I probed liveupdate.flashfxp.com from various (non-TOR) nodes within Europe (via curl and dig)

Last edited by owahfxp; 03-25-2015 at 09:07 AM.
owahfxp is offline  
Old 03-26-2015, 08:31 AM   #8
ecksteinn
Member
FlashFXP Beta Tester
 
Join Date: Jul 2005
Posts: 32
Default

I noticed the same, my ESET killed an announced update yesterday.
Wonder how many users without a proper antivirus caught up a trojan yesterday

2015-03-25 15:05:20 HTTP filter file http://m-stone.co.jp/install/FlashFXP5_3823_Setup.exe a variant of Generik.MUZSLXR trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\program\FlashFXP\FlashFXP.exe.
ecksteinn is offline  
Old 03-26-2015, 02:03 PM   #9
bigstar
FlashFXP Developer
FlashFXP Administrator
ioFTPD Beta Tester
 
bigstar's Avatar
 
Join Date: Oct 2001
Posts: 8,012
Default

I have released an update 5.1.0 build 3824 to better protect our users from any future dns hi-jacking attempts.

Below are some of the specific changes I've implemented

When preforming an update check the update check reply messages now include a digital signature, if the digital signature is missing or invalid then the server reply is discarded.

FlashFXP will only process the server reply if the digital signature can be verified.

After downloading the program updates additional checking is performed to ensure that the digital signature is owned by us, if the digital signature fails validation or doesn't match then the downloaded content is deleted.
bigstar is offline  
Closed Thread

Tags
9.9.5-9-debian, dig, flashfxp, global, www.flashfxp.com, flashfxp, hacked, domain

Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 11:36 AM.

Parts of this site powered by vBulletin Mods & Addons from DragonByte Technologies Ltd. (Details)