On January 24, 2019, D-Link became aware that security experts had discovered that GhostDNS, a sophisticated DNS hijacking system for data theft, is affecting more than 100,000 routers, with a majority of them in Brazil. According to Netlab, a company specializing in information security, the malware has been found in a wide variety of consumer and carrier IP router models, including D-Link and others.
The malware reported by Netlab at 360 performs an attack known as DNSchange. Generally, this scam attempts to guess the router password on the web configuration page using default credentials defined by manufacturers, such as admin / admin, root / root, etc. Another way is to skip authentication by scanning dnscfg.cgi. With access to the router's settings, the malware changes the default DNS address, so that name lookups for desirable sites, such as banks, resolve to the IPs of malicious sites.
GhostDNS is a much improved version of this tactic. It has three versions of DNSChanger, named DNSChanger Shell, DNSChanger Js, and PyPhp DNSChanger. The PyPhp DNSChanger is the main module among the three, having been deployed on more than 100 servers, mostly on Google Cloud. Together, they include more than 100 attack scripts, intended for routers on the Internet and on intranet networks.
The D-Link products affected by the three DNSChanger exploits included with GhostDNS are:
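The dnscfg.cgi access and DNS change described above can be looked for in HTTP logs. The following is an added example (not code from D-Link or Netlab) that flags requests to dnscfg.cgi and any resolver addresses in them that are not on an allowlist; the log format (common log format from a proxy or sensor in front of the router's web interface), the query parameter names, the allowlist and all addresses are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the resolvers this network is supposed to use (constructed values).
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Pulls source, request target and status out of a common-log-format line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def _ip_values(query):
    """Yield every query parameter value that parses as an IP address."""
    for _name, value in parse_qsl(query, keep_blank_values=True):
        try:
            yield str(ipaddress.ip_address(value))
        except ValueError:
            continue  # not an address, ignore

def find_dns_change_requests(lines, trusted=TRUSTED_RESOLVERS):
    """Return one finding per logged request to dnscfg.cgi."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        untrusted = sorted({ip for ip in _ip_values(url.query) if ip not in trusted})
        # A 2xx reply carrying resolvers outside the allowlist suggests the change was accepted.
        accepted = m["status"].startswith("2")
        findings.append({
            "source": m["src"],
            "status": int(m["status"]),
            "untrusted_resolvers": untrusted,
            "severity": "high" if untrusted and accepted else "review",
        })
    return findings

# Constructed sample lines; parameter names dns1/dns2 are made up for illustration.
SAMPLE_LOG = [
    '10.0.0.23 - - [24/Jan/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.23 - - [24/Jan/2019:10:01:05 +0000] "GET /dnscfg.cgi?dns1=203.0.113.7&dns2=203.0.113.8 HTTP/1.1" 200 0',
    '10.0.0.40 - - [24/Jan/2019:10:02:00 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53 HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in find_dns_change_requests(SAMPLE_LOG):
        print(finding)
```

Any "high" finding is a reason to check the DNS servers currently configured on that router against the expected ones.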
DNSChanger Shell:
- D-Link DSL-2640T (Non-US :: End of Service Life)
- D-Link DSL-2740R (Non-US :: End of Service Life)
- D-Link DSL-500 (Non-US :: End of Service Life)
- D-Link DSL-500G / DSL-502G (Non-US & US :: End of Service Life)
DNSChanger Js:
- D-Link DIR-905L (Non-US :: End of Service Life)
PyPhp DNSChanger:
- D-Link DIR-600 (US :: End of Service Life :: LINK)
- D-Link DIR-600 (Non-US :: Rev. B :: End of Service Life :: Patch Below)
- D-Link DIR-608 (Non-US :: Patch Below)
- D-Link DIR-610 (Non-US :: Patch Below)
- D-Link DIR-611 (Non-US :: Patch Below)
- D-Link DIR-615 (Non-US :: Rev. Tx :: Patches Below)
- D-Link DIR-905L (Non-US :: End of Service Life)
- D-Link ShareCenter (US :: End of Service Life :: LINK)
Firmware Patches
| Affected Product | Region | HW Rev. | Affected Version | Corrected Version | Last Updated |
|---|---|---|---|---|---|
| DIR-600 | US | Bx | Legacy Website | End of Service Life | 07/22/2019 |
| DIR-600 | Non-US | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-608 | Worldwide | Ax | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-610 | Brazil | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-610 | Latin America | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-611 | Worldwide | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Taiwan | T3 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Non-US | T3 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Brazil | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | India | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Latin America | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DNS-320/325/345 | Worldwide | All | Legacy Website | End of Service Life | 07/22/2019 |
| DIR-905 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-2640T | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-2740 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-500 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-500G | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-502G | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
Security Patches
These updates address the security vulnerabilities in the affected D-Link software packages. D-Link will continue to update this page, and we strongly recommend that all users install the relevant updates.
To update, we recommend saving your configuration, uninstalling the old package, and then installing the new update. Further assistance can be found via chat or email at http://support.dlink.com