Numerous D-Link Routers have Backdoor in Firmware

Security researchers have found that some D-Link Routers have a completely open backdoor that will allow an attacker full administrator access to the router without ever logging in.

On Saturday Craig from the /dev/ttyS0 website posted an in-depth overview of the backdoor that was found when specific router firmware was reverse engineered and analyzed.

The firmware analyzed was v1.13 for the DIR-100 revA. The firmware seems to be used in several different routers. A Shodan search shows that several thousand routers could be affected. But only those that have remote administration enabled seem to be critical.

The following routers could have the vulnerable firmware:

  • DIR-100
  • DIR-120
  • DIR-615
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

And some Planex routers could also be vulnerable:

  • BRL-04UR
  • BRL-04CW

Not all of the firmware versions are susceptible.  But on those that are, all the attacker needs to do is set one setting in his browser and it will take them right to the router admin page without logging in!

Setting the browser user agent to “xmlset_roodkcableoj28840ybtide” and then browsing to a vulnerable D-Link router will give you full admin rights to the device.

dlink backdoor

The best way to stop this attack until D-Link releases a patch (later this month) seems to be to turn off remote management.

According to The Register, D-Link has promised to fix the problem by Halloween. Advice from D-Link and any updates can be found on D-Link’s support page.

remote.jpg
But for now, turning OFF remote management is probably the safest (and smartest) option. Just go to your router setup and uncheck the box shown in the picture above. Check you user manual for directions.

One would have to wonder, why would a company put a backdoor into their product? Especially a product that is designed to keep intruders out.

Mac Virus “Backdoor.Flashback” Patch and Removal

Last week, Russian Anti-Virus company Doctor Web, found that the Flashback Mac Trojan has infected almost 600,000 systems. With many of those infected located in the US (see above chart from Dr. Web). The large infection rate has raised some eyebrows, especially since many believe that Macs can not get viruses.

The trojan uses a Java exploit to gain remote access, and possible keylogging capabilities. The malware programmers are targeting three seperate Java vulnerabilities in the attack.

Apple has since patched the vulnerability and according to an Apple security bulletin, the OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7 can be downloaded and installed via Software Update preferences, or from Apple Downloads.

Doctor Web has created an online tool to check to see if your machine is infected, and security software company F-Secure has released instructions on how to remove the virus if you are indeed infected.