
Is D-Link.com.au serving up malware drivers?
Hi guys,
D-Link have firmware drivers on their website, specifically the DSL-502T and DSL-504T that are showing as malware when I upload them to Virus Total to confirm.
Here is the 502T:
http://www.dlink.com.au/tech/Download/download.aspx?product=DSL-502T&revision=REV_A&filetype=Firmware
Here is the 504T:
http://www.dlink.com.au/tech/Download/download.aspx?product=DSL-504T&revision=REV_A&filetype=Firmware
(Be sure to download the EXE and extract it).
I freely admit I have not tested these drivers out in a test environment (e.g. VM running procmon, or tried reversing them). But the reports from Virus Total are not thrilling:
502T driver report from Virus Total (17/43 vendors):
http://www.virustotal.com/
504T driver also reported infected with 20/43 known A/V products this time:
http://www.virustotal.com/
The 504T sample was also reported on Virus Total back in August 2010 (I have no idea if it made its way back to D-Link though):
http://www.virustotal.com/
Not just tiny vendors either: McAfee, Fortinet, Avast, AVG, VIPRE. Email from the technical support team has referred to them as “no name brands” as well. Very professional guys.
Why am I posting this here? Because I’d like independent testing (ok, I’ll be honest – I lack a Windows VM to test).
I’ve also tried emailing and phoning D-Link technical support since Australia Day. I’ve been told on three occasions that the Anti Virus software attempting to stop me from installing is “normal” and I should “disable my A/V”. I gave them all the steps needed to replicate the fault, asked what processes/checks they made to ensure that the drivers on the site have not been compromised. D-Link told me that this has been raised with their “Technical Support Manager”. Despite a full business day… no response.
Funny, I would have thought someone reporting that your website might well be owned would be serious and warrant a more thorough investigation.
Oh well, I’ll just put this out in the public eye and see what other people find.
Please note, I am not saying that the drivers on the site have been compromised as I cannot say that for certain.
What I am saying however is that two files are reporting as malware with a SIGNIFICANT number of anti virus vendors and this bears further investigation. When it has been raised with D-Link they seem highly disinterested in pursuing it further.
If anyone wants to take a further look, please post your findings here as I’d be very interested.
Thanks,
– J.
EDIT:
* Double thanks to Julio Canto & @Uglypackets for actually doing the real digging that I should have done. Julio has confirmed with several AV vendors that this isn’t malware. I guess it’s safe to call this a day. All the same the whole situation has certainly raised a lot more questions in my mind about how D-Link manage their security:
- Why would you not escalate potential security questions?
- Why would you not answer questions about checking that the hash values on the fileserver repository haven’t changed?
- Why would you tell your clients to disable A/V?
- Why would they not want to work with well known A/V vendors to eliminate false positives on their products?
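The check behind the second question above (have the files on the download server changed since they were published?) is easy to automate. The following is an added example written for this post, not code from the original post or from D-Link: it records a SHA-256 manifest for every file under a directory and later verifies the directory against that manifest, reporting files whose contents changed, files that vanished and files that appeared. The directory layout, file names and file contents in the demo are constructed placeholders, not real firmware images.

```python
"""Integrity manifest for a firmware download repository (added example).

Publish the manifest once, when the firmware is uploaded; re-run the verify
step on a schedule (or before answering a "your download is flagged" ticket)
so that a silently replaced file is noticed immediately.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large firmware images are not read into RAM at once


def file_digest(path, algorithm="sha256"):
    """Return the hex digest of a file's contents (sha256 by default; md5 works too,
    which is handy when a scanner report is keyed by MD5)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify_manifest(root, manifest):
    """Compare the directory against a previously recorded manifest.

    Returns a dict with sorted lists of changed, missing and added paths and an
    'ok' flag that is True only when the repository matches the manifest exactly.
    """
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    return {
        "changed": changed,
        "missing": missing,
        "added": added,
        "ok": not (changed or missing or added),
    }


def demo():
    """Constructed scenario: record a manifest, then tamper with one file and add another."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Placeholder "firmware" files, NOT real D-Link images.
        (root / "DSL-502T").mkdir()
        (root / "DSL-502T" / "firmware.bin").write_bytes(b"placeholder image 502T")
        (root / "DSL-504T").mkdir()
        (root / "DSL-504T" / "firmware.bin").write_bytes(b"placeholder image 504T")

        manifest = build_manifest(root)
        before = verify_manifest(root, manifest)  # expected: ok

        # Simulate a compromised upload replacing one image and dropping a new file.
        (root / "DSL-504T" / "firmware.bin").write_bytes(b"replaced contents")
        (root / "README.txt").write_text("unexpected new file")
        after = verify_manifest(root, manifest)  # expected: changed + added reported
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Keep the manifest somewhere the web server cannot write to (or sign it), otherwise an attacker who can replace a firmware image can replace the manifest as well.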
Anyway, thanks guys. I freely admit reversing is not my forte and as much as I want to get into it (got Eldad Eilam’s book in my bedroom right now sadly enough) there is no time for me these days.
* Props to GPLama for his suggestion that I run this through Threatexpert.com. Their analysis can be found here and they confirm both samples as malware as well:
DSL-502T:
http://www.threatexpert.com/report.aspx?md5=36f54bb39f8dc1464f743045eeadd0b6
DSL-504T:
http://www.threatexpert.com/report.aspx?md5=2cb3247fae790f79960bc1780cc39e97
*** This is a Security Bloggers Network syndicated blog from /dev/null - ramblings of an infosec professional authored by Jarrod. Read the original post at: http://jarrodloidl.blogspot.com/2011/01/is-d-linkcomau-serving-up-malware.html