Support Announcement
GhostDNS :: DNS Changer :: DNS Hijacking Vulnerability

On January 24, 2019, D-Link became aware that security experts had discovered that GhostDNS, a sophisticated DNS hijacking system for data theft, is affecting more than 100,000 routers, the majority of them in Brazil. According to Netlab, a company specializing in information security, the malware has been found in a wide variety of consumer and carrier IP router models, including D-Link and others.

 

The malware reported by Netlab at 360 performs an attack known as DNSchange. Generally, this scam attempts to guess the router password on the web configuration page using IDs defined by manufacturers, such as admin / admin, root / root, etc. Another way is to bypass authentication by scanning dnscfg.cgi. With access to the router's settings, the malware changes the default DNS address, which translates the URLs of desirable sites, such as banks, to malicious site IPs.
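As an added detection example (not part of D-Link's advisory or Netlab's report): the two entry paths described above, password guessing and unauthenticated access to dnscfg.cgi, can be flagged in HTTP access logs recorded in front of a router's web configuration page. The Common Log Format layout, the threshold, and the finding names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not taken from a real device).
SAMPLE_LOG = """\
192.168.1.50 - - [24/Jan/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 401 0
192.168.1.50 - - [24/Jan/2019:10:00:02 +0000] "GET /index.html HTTP/1.1" 401 0
192.168.1.50 - - [24/Jan/2019:10:00:03 +0000] "GET /index.html HTTP/1.1" 401 0
192.168.1.50 - admin [24/Jan/2019:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.50 - admin [24/Jan/2019:10:00:05 +0000] "GET /dnscfg.cgi HTTP/1.1" 200 128
192.168.1.77 - - [24/Jan/2019:10:05:00 +0000] "GET /dnscfg.cgi HTTP/1.1" 200 128
192.168.1.20 - admin [24/Jan/2019:11:00:00 +0000] "GET /status.html HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def detect(log_text, threshold=3):
    """Return (source_ip, finding) tuples in log order."""
    failures = defaultdict(int)  # failed logins per source since last success
    suspect = set()              # sources that logged in after a failure burst
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        src, user, status = m["src"], m["user"], int(m["status"])
        path = m["path"].split("?", 1)[0].lower()  # drop any query string
        if status in (401, 403):
            failures[src] += 1
            continue
        if status == 200 and user != "-":
            # A success right after many failures suggests a guessed password.
            if failures[src] >= threshold:
                suspect.add(src)
                findings.append((src, "login-after-failure-burst"))
            failures[src] = 0
        if path.endswith("/dnscfg.cgi") and status == 200:
            if user == "-":
                # DNS configuration page served with no authenticated user.
                findings.append((src, "dnscfg-without-authentication"))
            elif src in suspect:
                findings.append((src, "dnscfg-after-guessed-login"))
    return findings
```

Any finding is a reason to compare the router's configured DNS servers against the ones the ISP or administrator assigned.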


GhostDNS is a much improved version of this tactic. It has three versions of DNSChanger, called DNSChanger Shell, DNSChanger Js, and PyPhp DNSChanger. PyPhp DNSChanger is the main module among the three, having been deployed on more than 100 servers, mostly on Google Cloud. Together, they include more than 100 attack scripts, intended for routers on the Internet and on intranet networks.

 

The D-Link products affected by the three DNSChanger exploits included with GhostDNS are:

 

DNSChanger Shell:

 

     • D-LINK DSL-2640T (Non-US:: End of Service Life)
     • D-LINK DSL-2740R (Non-US:: End of Service Life)
     • D-LINK DSL-500 (Non-US:: End of Service Life)
     • D-LINK DSL-500G / DSL-502G  (Non-US & US:: End of Service Life) 

DNSChanger Js:

 

      • D-Link DIR-905L :: (Non-US :: End of Service Life)

PyPhp DNSChanger:

  • D-Link DIR-600 (US :: End of Service Life :: LINK)
  • D-Link DIR-600 (Non-US :: Rev. B :: End of Service Life :: Patch Below)
  • D-Link DIR-608  (Non-US :: Patch Below)
  • D-Link DIR-610  (Non-US :: Patch Below)
  • D-Link DIR-611  (Non-US :: Patch Below)
  • D-Link DIR-615  (Non-US :: Rev Tx ::Patches Below)
  • D-Link DIR-905L :: (Non-US :: End of Service Life)
  • D-Link ShareCenter (US :: End of Service Life :: LINK)

Firmware Patches

| Affected Product | Region | HW Rev. | Affected Version | Corrected Version | Last Updated |
|---|---|---|---|---|---|
| DIR-600 | US | Bx | Legacy Website | End of Service Life | 07/22/2019 |
| DIR-600 | Non-US | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-608 | Worldwide | Ax | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-610 | Brazil | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-610 | Latin America | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-611 | Worldwide | Bx | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Taiwan | T3 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Non-US | T3 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Brazil | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | India | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DIR-615 | Latin America | T1 | | LINK :: See Non-US Regional Site | 07/22/2019 |
| DNS-320/325/345 | Worldwide | All | Legacy Website | End of Service Life | 07/22/2019 |
| DIR-905 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-2640T | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-2740 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-500 | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-500G | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |
| DSL-502G | Non-US | All | | Non-US :: End of Service Life | 07/22/2019 |

 

Security Patches

 

These updates address the security vulnerabilities in the affected D-Link software package. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.

 

To update, we recommend saving your configuration, uninstalling the old package, then installing the new update. Further assistance can be found via chat or email at http://support.dlink.com