Howdy y'all,

(These notes will probably be obsolete by the time you read them, but so it goes. The TL;DR is that /bin/xmlsetc is the client for the D-Link backdoor.)

Craig exposed a new D-Link backdoor today, so I took a look at all images in my local copy of their FTP site. His article at the following URL describes the backdoor, how he found it, and how to call it. I have just a little to add.

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

The backdoor seems specific to eight firmware images, which I extracted from .bix files using binwalk. None of the .bin or .img files seem to contain the backdoor.

    % grep roodkcab `find . -name webs`
    Binary file ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs matches
    Binary file ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs matches
    %

The string "xmlset_roodkcableoj28840ybtide" appears not only in /bin/webs but also in /bin/xmlsetc. Of my eight images, there are only two unique versions of xmlsetc, while every one of the eight copies of webs is distinct.

    % md5sum `find . -name xmlsetc` | sort
    5c79f358a60280248098db10d6446528 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/xmlsetc
    5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/xmlsetc
    5c79f358a60280248098db10d6446528 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/xmlsetc
    a443b1455ae3db9a572a685da51fabec ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/xmlsetc
    a443b1455ae3db9a572a685da51fabec ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/xmlsetc
    a443b1455ae3db9a572a685da51fabec ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/xmlsetc
    a443b1455ae3db9a572a685da51fabec ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/xmlsetc
    a443b1455ae3db9a572a685da51fabec ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/xmlsetc
    % md5sum `find . -name webs` | sort
    07abc2afebb8fb90fd650a30f1f0b789 ./_TM-G5240-alpha-v4-0-0b20.bix.extracted/squashfs-root/bin/webs
    46637832adbd4056e97ab38aaaf31da4 ./_DIR100_v5.0.0EUb3_patch02.bix.extracted/squashfs-root/bin/webs
    78da0913e50b2deb93bc9fe3a8a8d1cd ./_TM-G5240-b26_320k.bix.extracted/squashfs-root/bin/webs
    8fe0c80d230bf207bfaeb16b70ef8a45 ./_TM-G5240-v4-0-0b29.bix.extracted/squashfs-root/bin/webs
    9318210953eb2dcd6895f091cdc847a1 ./_TM-G5240-alpha-v4.0.0b23.bix.extracted/squashfs-root/bin/webs
    9e57fe42a4c1dad21460a13c22356096 ./_tm-g5240-alpha-v4-0-0b17.bix.extracted/squashfs-root/bin/webs
    e183a94c5f17bb186d663ac915fe71ff ./_di604UP_firmware_103_BETA.bix.extracted/squashfs-root/bin/webs
    ecc427017d2fa3d88faf65fc26d0ab5f ./_TM-G5240-4.0.0b28.bix.extracted/squashfs-root/bin/webs
    %

A quick glance at xmlsetc in IDA shows that it sends the backdoor User-Agent with printf(), rather than receiving it. Perhaps the backdoor serves some legitimate purpose, and Mystery Joel is only guilty of incompetence and not of malice?

I'm too busy to look further, but I hope you neighbors have fun.

Cheers from Philly,
--TG
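The triage above (grep the extracted trees for the marker string, then md5sum the hits to see which binaries are shared between images) as a Python script; this is an added example, not part of the original note, and it runs over a constructed stand-in for a binwalk-extracted tree whose image names, paths and file contents are made up.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Marker from the post: "editby04882joelbackdoor_teslmx" reversed.
MARKER = b"xmlset_roodkcableoj28840ybtide"

def scan_tree(root):
    """Map each regular file under an extracted firmware tree that contains
    MARKER to its md5; files are read as bytes so stripped binaries count."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if MARKER in data:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = hashlib.md5(data).hexdigest()
    return hits

def group_by_hash(hits):
    """Invert {path: md5} into {md5: [paths]}, like `md5sum ... | sort`,
    so copies shared across images stand out."""
    groups = defaultdict(list)
    for path, digest in hits.items():
        groups[digest].append(path)
    return {d: sorted(p) for d, p in groups.items()}

def build_sample_tree():
    """Constructed stand-in for binwalk output: two fake images that share
    one xmlsetc build but carry different webs builds; busybox is clean."""
    root = tempfile.mkdtemp()
    files = {
        "imgA/bin/webs": b"\x7fELF" + b"A" * 8 + MARKER,
        "imgB/bin/webs": b"\x7fELF" + b"B" * 8 + MARKER,
        "imgA/bin/xmlsetc": b"\x7fELF" + MARKER + b"\x00",
        "imgB/bin/xmlsetc": b"\x7fELF" + MARKER + b"\x00",
        "imgA/bin/busybox": b"\x7fELF clean",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

On a real extraction, point scan_tree at the directory holding the *.extracted folders and print group_by_hash of the result.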