D-Link have firmware drivers on their website, specifically for the DSL-502T and DSL-504T, that show as malware when I upload them to Virus Total to confirm.
Here is the 502T:
Here is the 504T:
(Be sure to download the EXE and extract it).
I freely admit I have not tested these drivers in a test environment (e.g. a VM running procmon) or tried reversing them. But the reports from Virus Total are not thrilling:
502T driver report from Virus Total (17/43 vendors):
504T driver also reported as infected, this time by 20/43 known A/V products:
The 504T sample was also reported on Virus Total back in August 2010 (I have no idea if it made its way back to D-Link though):
Not just tiny vendors either: McAfee, Fortinet, Avast, AVG, VIPRE. Email from the technical support team has referred to them as "no name brands" as well. Very professional, guys.
Why am I posting this here? Because I'd like independent testing (OK, I'll be honest: I lack a Windows VM to test).
I've also tried emailing and phoning D-Link technical support since Australia Day. I've been told on three occasions that the anti-virus software attempting to stop me from installing is "normal" and I should "disable my A/V". I gave them all the steps needed to replicate the fault and asked what processes/checks they make to ensure that the drivers on the site have not been compromised. D-Link told me that this has been raised with their "Technical Support Manager". Despite a full business day... no response.
Funny, I would have thought a report that your website might well be owned would be taken seriously and warrant a more thorough investigation.
Oh well, I'll just put this out in the public eye and see what other people find.
Please note, I am not saying that the drivers on the site have been compromised as I cannot say that for certain.
What I am saying, however, is that two files are reported as malware by a SIGNIFICANT number of anti-virus vendors, and that bears further investigation. When it has been raised with D-Link they seem highly uninterested in pursuing it further.
If anyone wants to take a further look, please post your findings here as I'd be very interested.
* Double thanks to Julio Canto & @Uglypackets for actually doing the real digging that I should have done. Julio has confirmed with several AV vendors that this isn't malware. I guess it's safe to call this a day. All the same, the whole situation has certainly raised a lot more questions in my mind about how D-Link manage their security:
- Why would you not escalate potential security questions?
- Why would you not answer questions about checking that the hash values on the fileserver repository haven't changed?
- Why would you tell your clients to disable A/V?
- Why would they not want to work with well known A/V vendors to eliminate false positives on their products?
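The hash-value question above is the one a practitioner can act on without waiting for a vendor. As an added example (my own illustration, not code from the original post or anything D-Link publishes), the Python below hashes a download with MD5, SHA-1 and SHA-256, checks it against a pinned manifest of expected values, and builds the hash-keyed Virus Total lookup so a report can be checked without uploading the file at all. The sample files, the manifest values and the "tampered"/"absent" cases are constructed for the demo; the Virus Total URL form is assumed to be the current `gui/file/<sha256>` one.

```python
"""Pin-and-verify a download's hashes before trusting (or uploading) it.

Added example, not the original post's code. Sample data is constructed.
"""
import hashlib
import os
import tempfile

SHA256_OF_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, reading it in chunks."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {name: d.hexdigest() for name, d in digests.items()}


def verify_manifest(manifest, directory):
    """Compare each file in the manifest (name -> expected sha256) with what is on disk.

    Returns {name: "ok" | "MISMATCH" | "missing"}. A MISMATCH means the file no
    longer matches the value recorded when the repository was last trusted.
    """
    results = {}
    for name, expected in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = hash_file(path)["sha256"]
        results[name] = "ok" if actual == expected.lower() else "MISMATCH"
    return results


def vt_lookup_url(sha256):
    """Hash-keyed Virus Total report URL (assumed current form); nothing is uploaded."""
    return "https://www.virustotal.com/gui/file/" + sha256.lower()


def build_sample_dir():
    """Construct a throwaway download directory plus a pinned manifest for the demo.

    good.bin matches its pinned hash, tampered.bin has changed since it was pinned,
    absent.bin was pinned but is no longer served. All values are constructed.
    """
    directory = tempfile.mkdtemp(prefix="dl_check_")
    with open(os.path.join(directory, "good.bin"), "wb") as fh:
        fh.write(b"abc")          # sha256 == SHA256_OF_ABC
    with open(os.path.join(directory, "tampered.bin"), "wb") as fh:
        fh.write(b"abd")          # pinned as b"abc" below, so this is a MISMATCH
    manifest = {
        "good.bin": SHA256_OF_ABC,
        "tampered.bin": SHA256_OF_ABC,
        "absent.bin": "00" * 32,  # constructed placeholder pin for a file that is gone
    }
    return directory, manifest


if __name__ == "__main__":
    sample_dir, pinned = build_sample_dir()
    for fname, status in verify_manifest(pinned, sample_dir).items():
        print(f"{fname:14} {status}")
        if status != "missing":
            digest = hash_file(os.path.join(sample_dir, fname))
            print(f"{'':14} md5={digest['md5']} sha1={digest['sha1']}")
            print(f"{'':14} {vt_lookup_url(digest['sha256'])}")
```

Pin the hashes the first time you obtain a file you have reason to trust (or that the vendor publishes out of band), re-run the check before each install, and hand the SHA-256 to the vendor when asking whether their repository has changed; that is a concrete question support can answer instead of "disable your A/V".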
* Props to GPLama for his suggestion that I run this through Threatexpert.com. Their analysis can be found here and they confirm both samples as malware as well: