Source of the NAStiness?
Any idea how the Malware got onto the boxes in the first place?
Network attached storage maker QNAP's customers have reported being hit by a mystery malware that disables software updates by hijacking entries in host machines' hosts file. The full effects are, as yet, unknown – but users have reported that the most visible symptom is that some 700 entries are added to the /etc/hosts file …
"Or the reason that they're being so reticent on the subject is that one of said updates contained the malware in question."
Looking at the script that was given to users to fix the issue (Derek Be Gone v1.2) makes me believe that you are correct in thinking there was a malicious update at some point.
It would appear that there was a malicious module added to MalwareRemover written in Python.
Looking at this thread, I would suggest that the devices have been hacked and are using a flaw in the MalwareRemover package to allow them to remain active across a reboot.
i.e. look at the scripts copied to pastebin from infected devices, where they try to access apparently random host names:
"liveupdate.sh contained part of malicious code which downloads updates. https://pastebin.com/ksGWwbKy
The newly downloaded file gets executed and executes the following script: https://pastebin.com/pnWcRNyR It seems to disable antivirus updates, pretends the newest malware remover is installed and clears logs about the malware remover and antivirus. It also downloads a chattr binary to change file attributes to immutable to prevent deletion."
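A defender-side triage check for the hosts-file hijack described in this thread, added here as an example and not code from the article, QNAP, or any commenter: it parses hosts-file text, flags any non-local hostname pinned to a loopback or unspecified address (the trick that silently blocks update and signature downloads), and counts entries. The sample hosts content and its .invalid hostnames are constructed placeholders, and the 100-entry threshold is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Names that legitimately map to loopback on most Linux/Unix systems.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                         "ip6-loopback", "broadcasthost"}

@dataclass
class HostsReport:
    total_entries: int = 0
    sinkholed: list = field(default_factory=list)  # (hostname, address) pairs

    @property
    def suspicious(self) -> bool:
        # The incident above added ~700 entries; 100 is an assumed threshold.
        return bool(self.sinkholed) or self.total_entries > 100

def is_sinkhole_address(addr: str) -> bool:
    """True for addresses that swallow traffic locally (127/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def analyze_hosts(text: str, local_hostnames=()) -> HostsReport:
    """Flag non-local names pinned to a sinkhole address; count all name entries."""
    report = HostsReport()
    allowed = BENIGN_LOOPBACK_NAMES | {h.lower() for h in local_hostnames}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # strip comments, tokenize
        if len(parts) < 2:
            continue                          # blank or malformed line
        addr, names = parts[0], parts[1:]
        report.total_entries += len(names)
        if is_sinkhole_address(addr):
            report.sinkholed += [(n, addr) for n in names if n.lower() not in allowed]
    return report

# Constructed sample; the .invalid hostnames are placeholders, not real vendor domains.
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.10 nas01
127.0.0.1   update.vendor.invalid          # pinned to loopback: updates never leave the box
0.0.0.0     av-signatures.vendor.invalid   # pinned to the unspecified address
"""

if __name__ == "__main__":
    rep = analyze_hosts(SAMPLE_HOSTS, local_hostnames=["nas01"])
    print(f"{rep.total_entries} entries, {len(rep.sinkholed)} sinkholed, suspicious={rep.suspicious}")
```

On a live box, feed it the contents of /etc/hosts and pass the device's own hostname in local_hostnames so that entry is not flagged.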
I'll give them credit, my 7 year-old QNAP still gets regular updates. Or at least it did until recently - I rarely check for them. Such is the downfall of bits of kit that Just Work. I still don't have any compelling reason to replace it, though I'm tempted to upgrade to an x86 model just to run more things on it. But at that point it's no longer a simple enough device to just continue working flawlessly, so I hold back.
From personal experience, updating QNAP firmware on a regular basis can be equally as problematic. I've had a couple remove my ability to run VM Station and Container Station. They fixed my UPS signalling it was on battery causing an instant power down but now that has resurfaced after a couple of updates. I like the functionality they have but I'd prefer they properly tested it before release.
Fortunately my older device was outside support so I installed Debian Stretch on it with OpenMediaVault and Webmin. Doesn't have all the functionality of the later box but updates aren't a coin toss either.
I'm guessing they had some sort of port forwarding on the perimeter pointing to the NAS and they weren't fully patched and/or it was a zero-day.
Just checked my QNAPs and they are fine, but none of them have any services set up to work over the Internet, everything is local network only.
The hosts file is a standard part of using IP. Have a look at the Wikipedia page on it for a light-reading overview.
It has a non-exhaustive list of operating systems that use it, with the file's location. Basically, any system that uses IP generally also supports the hosts file.
Unix (AIX, Solaris, BSDs, etc.), Unix-like (Linux), POSIX, Windows (all from 3.11 onwards), MacOS, iOS, Android, Symbian - the list goes on.
So there is nothing scandalous about Windows 7 having it. It would be scandalous to not support it.
My 9-10 year old Iomega IX2 Storcenter to something quicker and newer. I worry about a hardware fail. Not disks.
I replaced 1 drive in that time.. I guess I is lucky.
The thing has never really been switched off since I bought it. I have powered it down to move it a few times. It is isolated from the Internet.
The new thing I get would also be isolated from the Internet.
I can understand the average home user leaving default settings in place on a NAS and not configuring their router to block all WAN ingress to anything but a specified IP address or DMZ (I have a web/mail server under my desk) and actually needing an anti-virus solution because of the silly things they do though.
I kind of like the gear (it's not flashy, but has proven to be reliable, if slightly underpowered) - but their approach to security is awful. For reasons I don't understand, they always seem to wait for weeks before advising users (long after engaged users see the alerts online). Can't wait until there are some decent punitive fines for not taking security seriously.
Biting the hand that feeds IT © 1998–2019