Is D-Link serving up malware drivers?

Hi guys,

D-Link have firmware drivers on their website, specifically the DSL-502T and DSL-504T that are showing as malware when I upload them to Virus Total to confirm.

Here is the 502T:

Here is the 504T:

(Be sure to download the EXE and extract it).

I freely admit I have not tested these drivers out in a test environment (e.g. VM running procmon, or tried reversing them). But the reports from Virus Total are not thrilling:

502T driver report from Virus Total (17/43 vendors):

504T driver also reported infected with 20/43 known A/V products this time:

The 504T sample was also reported on Virus Total back in August 2010 (I have no idea if it made its way back to D-Link though):

Not just tiny vendors either: McAfee, Fortinet, Avast, AVG, VIPRE. Email from the technical support team has referred to them as “no name brands” as well. Very professional guys.

Why am I posting this here? Because I’d like independent testing (ok, I’ll be honest – I lack a Windows VM to test).

I’ve also tried emailing and phoning D-Link technical support since Australia Day. I’ve been told on three occasions that the anti-virus software attempting to stop me from installing is “normal” and I should “disable my A/V”. I gave them all the steps needed to replicate the fault, and asked what processes/checks they made to ensure that the drivers on the site have not been compromised. D-Link told me that this has been raised with their “Technical Support Manager”. Despite a full business day… no response.

Funny, I would have thought someone reporting that your website might well be owned would be serious and warrant a more thorough investigation.

Oh well, I’ll just put this out in the public eye and see what other people find.

Please note, I am not saying that the drivers on the site have been compromised as I cannot say that for certain.

What I am saying however is that two files are reporting as malware with a SIGNIFICANT number of anti-virus vendors, and this bears further investigation. When it has been raised with D-Link they seem highly uninterested in pursuing it further.

If anyone wants to take a further look, please post your findings here as I’d be very interested.


– J.

* Double thanks to Julio Canto & @Uglypackets for actually doing the real digging that I should have done. Julio has confirmed with several AV vendors that this isn’t malware. I guess it’s safe to call this a day. All the same, the whole situation has certainly raised a lot more questions in my mind about how D-Link manage their security:

  • Why would you not escalate potential security questions?
  • Why would you not answer questions about checking that the hash values on the fileserver repository haven’t changed?
  • Why would you tell your clients to disable A/V?
  • Why would they not want to work with well known A/V vendors to eliminate false positives on their products?
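On the second question (hash values on the file server), the kind of check involved, as an added example that is not D-Link’s or the author’s code: a stored SHA-256 manifest of the download tree is re-hashed and diffed so that a modified, added or removed file shows up. The directory layout and file contents below are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example: SHA-256 manifest of a firmware download tree, re-checked for drift.

def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large firmware images don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Compare a stored manifest with a fresh one; any non-empty list is a finding."""
    both = baseline.keys() & current.keys()
    return {"changed": sorted(k for k in both if baseline[k] != current[k]),
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}

def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed sample tree: take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as d:
        repo = Path(d) / "downloads"
        (repo / "DSL-502T").mkdir(parents=True)
        (repo / "DSL-502T" / "fw.bin").write_bytes(b"constructed firmware image")
        (repo / "readme.txt").write_bytes(b"constructed release notes")
        manifest_path = Path(d) / "manifest.json"  # kept outside the served tree
        save_manifest(build_manifest(repo), manifest_path)
        # Simulate a modified image, a newly uploaded image and a deleted file.
        (repo / "DSL-502T" / "fw.bin").write_bytes(b"constructed image, altered")
        (repo / "DSL-504T").mkdir()
        (repo / "DSL-504T" / "fw.bin").write_bytes(b"constructed new image")
        (repo / "readme.txt").unlink()
        return diff_manifest(load_manifest(manifest_path), build_manifest(repo))
```

In practice the manifest would be produced at release time and stored (or signed) somewhere the web server cannot write, so that a compromised file server cannot also rewrite its own baseline.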

Anyway, thanks guys. I freely admit reversing is not my forte and, as much as I want to get into it (got Eldad Eilam’s book in my bedroom right now, sadly enough), there is no time for me these days.

* Props to GPLama for his suggestion that I run this through Their analysis can be found here and they confirm both samples as malware as well:

*** This is a Security Bloggers Network syndicated blog from /dev/null - ramblings of an infosec professional authored by Jarrod. Read the original post at: