Friday, January 28, 2011

Is serving up malware drivers?

Hi guys,

D-Link have firmware drivers on their website, specifically the DSL-502T and DSL-504T that are showing as malware when I upload them to Virus Total to confirm.

Here is the 502T:

Here is the 504T:

(Be sure to download the EXE and extract it).

I freely admit I have not tested these drivers out in a test environment (e.g. VM running procmon, or tried reversing them). But the reports from Virus Total are not thrilling:

502T driver report from Virus Total (17/43 vendors):

504T driver also reported infected with 20/43 known A/V products this time:

The 504T sample was also reported on Virus Total back in August 2010 (I have no idea if it made its way back to D-Link though):

Not just tiny vendors either: McAfee, Fortinet, Avast, AVG, VIPRE. Email from the technical support team has referred to them as "no name brands" as well. Very professional guys.

Why am I posting this here? Because I'd like independent testing (ok, I'll be honest - I lack a Windows VM to test).

I've also tried emailing and phoning D-Link technical support since Australia Day. I've been told on three occasions that the Anti Virus software attempting to stop me from installing is "normal" and I should "disable my A/V". I gave them all the steps needed to replicate the fault, asked what processes/checks they made to ensure that the drivers on the site have not been compromised. D-Link told me that this has been raised with their "Technical Support Manager". Despite a full business day... no response.

Funny, I would have thought someone reporting that your website might well be owned would be serious and warrant a more thorough investigation.

Oh well, I'll just put this out in the public eye and see what other people find.

Please note, I am not saying that the drivers on the site have been compromised as I cannot say that for certain.

What I am saying however is that two files are reporting as malware with a SIGNIFICANT number of anti-virus vendors and this bears further investigation. When it has been raised with D-Link they seem highly disinterested in pursuing it further.

If anyone wants to take a further look, please post your findings here as I'd be very interested.


- J.

* Double thanks to Julio Canto & @Uglypackets for actually doing the real digging that I should have done. Julio has confirmed with several AV vendors that this isn't malware. I guess it's safe to call this a day. All the same the whole situation has certainly raised a lot more questions in my mind about how D-Link manage their security:

  • Why would you not escalate potential security questions?
  • Why would you not answer questions about checking that the hash values on the fileserver repository haven't changed?
  • Why would you tell your clients to disable A/V?
  • Why would they not want to work with well known A/V vendors to eliminate false positives on their products?
Anyway, thanks guys. I freely admit reversing is not my forte and as much as I want to get into it (got Eldad Eilam's book in my bedroom right now sadly enough) there is no time for me these days.

* Props to GPLama for his suggestion that I run this through Their analysis can be found here and they confirm both samples as malware as well:

GPLama said...

Can you submit it to ? I've used that in the past and it's given a nice breakdown of what the nasty attempted to do, when I didn't have the time to manually throw it at a VM.

IIRC they run it in an automated VM and diff the before/after.

the_knuckle said...

If D-link could supply the hash values of the original drivers, it'd be one way of quickly establishing whether the drivers on their site are kosher (assuming of course, they hashed the original files prior to posting them up!)

the_knuckle said...

...and assuming the original drivers weren't infected prior to them being uploaded to their site.
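The check the_knuckle describes, written out as an added example (not code from the post, its commenters, or D-Link): hash each downloaded file with SHA-256 and compare it against a sha256sum-style manifest the vendor would publish next to the downloads. The file contents, the manifest, and every name except the DSL-504T installer name quoted later in the thread are constructed for the demo; the tampered file, the missing file and the unlisted file show the three ways a check like this fails rather than only the happy path.

```python
"""Verify downloaded driver/firmware files against a vendor-published SHA-256 manifest.

Added example, not part of the original post or its comments. File names and contents
below are constructed for the demo; only the DSL-504T file name comes from the thread.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash in 1 MiB chunks so a large installer need not fit in memory


def sha256_file(path):
    """Return the lowercase hex SHA-256 digest of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.lstrip(" *")  # sha256sum marks binary-mode entries with a leading '*'
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest) or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest
    return expected


def verify_downloads(directory, manifest_text):
    """Compare every file the manifest lists against what is actually in `directory`.

    Returns {name: status} with status one of:
      OK        digest matches the manifest
      MISMATCH  file present but its digest differs (corrupted or replaced)
      MISSING   manifest lists it but the file is absent
      UNLISTED  file present in the directory but not covered by the manifest
    """
    directory = Path(directory)
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    for path in directory.iterdir():
        if path.is_file() and path.name not in expected:
            results[path.name] = "UNLISTED"
    return results


def demo():
    """Build a constructed download directory and manifest, tamper with one file, verify."""
    pristine = {
        # name from the thread, bytes constructed (not the real installer)
        "DSL-504T_V2.00B13.AU_20070425.exe": b"MZ\x90\x00constructed-installer-A",
        "driver_b.exe": b"MZ\x90\x00constructed-installer-B",  # constructed name and bytes
        "readme.txt": b"constructed release notes",
    }
    # What the vendor would publish alongside the downloads: digests of the original files.
    manifest = "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in pristine.items()
    )
    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        first = "DSL-504T_V2.00B13.AU_20070425.exe"
        (downloads / first).write_bytes(pristine[first])
        # Simulate a file altered after the manifest was produced (tampering or corruption).
        (downloads / "driver_b.exe").write_bytes(pristine["driver_b.exe"] + b"\x00extra")
        # readme.txt is deliberately not written, so it should come back MISSING.
        (downloads / "unlisted.exe").write_bytes(b"not in any manifest")
        return verify_downloads(downloads, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

The digest only answers "is this the file the vendor meant to publish", which is the question in the thread; it says nothing about whether that original file was clean, as the_knuckle's second comment points out. Public scanners also report the SHA-256 of an uploaded sample, so the same digest lets other people confirm they are looking at the identical file before comparing verdicts.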

Paul said...

The results you have gotten from virustotal appear at first glance to be the standard result for exe files packed using the same compiler that may have been used by verified malware. This sort of thing happened a few years back to NSIS (used by many open source projects to create scripted installers).

I did note that this may have been the case immediately when seeing the exe icon and then examining the exe in 7zip.

Saying that however I too agree that it is irresponsible that a vendor is not taking reports such as yours seriously - remember Apple who shipped infected ipods thanks to an infected QA machine at a 3rd party factory.

I've run the DSL-504T_V2.00B13.AU_20070425.exe app in a VM, noting strange immediately seen in procmon (eg, exe's appearing inside %localappdata%\

I've got the full log from app start to when the first UI window appears - but it's 40megs unfiltered!!!!

Jarrod said...

Hi @The_Knuckle,

I asked about the hash values to see if they had changed (. The dismissive response was:

"We checked the file with our own AV software and found no issues, our R & D team also ran their own tests."

I wonder if they are even using hash digests on their system, which would explain the reply. :(

GPLama - submitting now. I will post results when they become available.

- J.

Jarrod said...

Hi all

ThreatExpert has reported that both files contain malware:

Thanks for the link GPLama.

- J.

Jarrod said...

@Paul -

This did occur to me (and I must admit this is outside my field of expertise) but I would have thought this issue with packers was relatively long in the tooth by now and MOST A/V vendors would be onto this by now and picked up their game. That issue alone would generate a significant number of false positives.

Anonymous said...

these files are all false positives

Vikram Chauhan said...

Thanks for blog posting.

d-link support