back to article QNAP NAS user? You'd better check your hosts file for mystery anti-antivirus entries

Network attached storage maker QNAP's customers have reported being hit by a mystery malware that disables software updates by hijacking entries in host machines' hosts file. The full effects are, as yet, unknown – but users have reported that the most visible symptom is that some 700 entries are added to the /etc/hosts file …

  1. Korev Silver badge
    Alien

    Source of the NAStiness?

    Any idea how the Malware got onto the boxes in the first place?

    1. Steve K Silver badge

      Re: Source of the NAStiness?

      There were some QNAP firmware updates last year that plugged a couple of vulnerabilities to do with remote access.

      It's possible that this is how the malware got on to the box in the first place if they had not been applied.

      1. TeeCee Gold badge
        Black Helicopters

        Re: Source of the NAStiness?

        Or the reason that they're being so reticent on the subject is that one of said updates contained the malware in question.

        1. big_D Silver badge

          Re: Source of the NAStiness?

          All of my QNAPs are up to date and have not been infected, at least the hosts file hasn't been tampered with.

        2. Korev Silver badge
          Black Helicopters

          Re: Source of the NAStiness?

          I was wondering the same thing...

        3. Steve K Silver badge

          Re: Source of the NAStiness?

          From memory I think that might have actually happened with one version of the Malware Remover at some point last year....

          They rushed out an update very quickly which removed it and also fixed it if the update had been applied.

        4. Anonymous Coward
          Anonymous Coward

          Re: Source of the NAStiness?

          "Or the reason that they're being so reticent on the subject is that one of said updates contained the malware in question."

          Looking at the script that was given to users to fix the issue: (Derek Be Gone v1.2) makes me believe that you are correct in thinking there was a malicious update at some point.

          It would appear that there was a malicious module added to MalwareRemover written in Python.

          1. Anonymous Coward
            Anonymous Coward

            Re: Source of the NAStiness?

            Looking at this thread, I would suggest that the devices have been hacked and are using a flaw in the MalwareRemover package to allow them to remain active across a reboot.

            i.e. look at the scripts coped to pastebin from infected devices where they try to access apparently random host names:

            https://forum.qnap.com/viewtopic.php?f=25&p=704117&sid=4926e2d231670382cc96c16f50643b38

            "liveupdate.sh contained part of malicious code which downloads updates. https://pastebin.com/ksGWwbKy

            Newly downloaded file got executed and executes following script: https://pastebin.com/pnWcRNyR It seems to be disabling antivirus updates, pretends newest malware remover installed and clears logs about malware remover and antivirus. Also downloads chattr binary to change file attributes to be immutable to prevent deletion."

    2. chivo243 Silver badge
      Meh

      Re: Source of the NAStiness?

      Good question, our QNAP has firmware updates on a regular basis. I would also like to know how it gets on the system.

      1. Chz

        Re: Source of the NAStiness?

        I'll give them credit, my 7 year-old QNAP still gets regular updates. Or at least it did until recently - I rarely check for them. Such is the downfall of bits of kit that Just Work. I still don't have any compelling reason to replace it, though I'm tempted to upgrade to an x86 model just to run more things on it. But at that point it's no longer a simple enough device to just continue working flawlessly, so I hold back.

        1. phuzz Silver badge

          Re: Source of the NAStiness?

          The problem we find is having to reboot the Qnap to install newer firmware. It's fine in a home unit, but when you're using it as iSCSI storage for some VM hosts it tends to mess things up.

      2. Mark 65 Silver badge

        Re: Source of the NAStiness?

        From personal experience, updating QNAP firmware on a regular basis can be equally as problematic. I've had a couple remove my ability to run VM Station and Container Station. They fixed my UPS signalling it was on battery causing an instant power down but now that has resurfaced after a couple of updates. I like the functionality they have but I'd prefer they properly tested it before release.

        Fortunately my older device was outside support so I installed Debian Stretch on it with OpenMediaVault and Webmin. Doesn't have all the functionality of the later box but updates aren't a coin toss either.

    3. big_D Silver badge

      Re: Source of the NAStiness?

      I'm guessing they had some sort of portforwarding on the perimeter pointing to the NAS and they weren't fully patched and/or it was a zeroday.

      Just checked my QNAPs and they are fine, but none of them have any services set up to work over the Internet, everything is local network only.

      1. Korev Silver badge
        Terminator

        Re: Source of the NAStiness?

        This is why my Synology has none of the remote access stuff enabled...

  2. Wellyboot Silver badge
    Facepalm

    Script?

    >>>"If you remove these entries, the update runs fine but they return on after rebooting,"<<<

    To keep with '90s methods, I hope it's just a simple script putting the entries back.

  3. Doctor Syntax Silver badge

    "The normal non-malicious use is to enforce blocking of unwanted sites."

    The normal non-malicious use as far as I'm concerned is to resolve the addresses of stuff on my local network. Blocking is a comparatively recent twist.

  4. elvisimprsntr

    Problems like this occur when a user enables WAN facing services (port forwarding, UPnP, MyQNAPcloud, etc.) Hackers can profile the device based on responses, then gain access using known vulnerabilities.

    1. Fred Flintstone Gold badge

      The joy of a mass nmap -O run, I guess?

  5. jason 7

    I run a lot of QNAP boxes.

    First thing I do is switch off/uninstall every service and feature but the file sharing, encryption and antivirus . I feel that's how they should come out of the box really.

  6. Anonymous Coward
    Anonymous Coward

    "redirecting google to bing"

    what about redirecting it to duckduckgo?

    1. Fred Flintstone Gold badge
      Joke

      Re: "redirecting google to bing"

      "redirecting google to bing"

      what about redirecting it to duckduckgo?

      That would be useful, not funny :)

    2. as2003

      Re: "redirecting google to bing"

      Redirecting google to bing (or duckduckgo) may have worked a long long time ago, but it won't work now, for a variety of reasons. HSTS, invalid SSL certificates, unrecognised Host headers for example.

  7. a_mu

    windows 7

    And just think,

    the host file is still on windows 7,

    1. Sandtitz Silver badge
      WTF?

      Re: windows 7 @ a_mu

      "And just think, the host file is still on windows 7,"

      Hosts is probably in every OS that supports IP protocol. Was there since MSDOS gained networking and still lurks in Win10 and Win Server.

      Did you actually have a point?

    2. eldakka Silver badge
      FAIL

      Re: windows 7

      The hosts file is a standard part of using IP. Have a look at the wikipedia page on it for a light-reading overview.

      It has a non-exhaustive list of operating systems that use it with the files location. Basically, any system that uses IP generally also supports the hosts file.

      e.g.:

      Unix (AIX, Solaris, BSDs, etc.), Unix-like (Linux), POSIX, Windows (all from 3.11 onwards), MacOS, iOS, Android, Symbian - the list goes on.

      So there is nothing scandalous about Windows 7 having it. It would be scandalous to not support it.

  8. adnim Silver badge

    Need to upgrade

    My 9-10 year old Iomega IX2 Storcenter to something quicker and newer. I worry about a hardware fail. Not disks.

    I replaced 1 drive in that time.. I guess I is lucky.

    The thing has never really been switched off since I bought it. I have powered it down to move it a few times. It is isolated from the Internet.

    The new thing I get would also be isolated from the Internet.

    I can understand the average home user leaving default settings in place on a NAS and not configuring their router to block all WAN ingress to anything but a specified IP address or DMZ (I have a web/mail server under my desk) and actually needing an anti-virus solution because of the silly things they do though.

  9. Anonymous Coward
    Anonymous Coward

    Not the first time QNAP have forgotten to tell users..

    I kind of like the gear (it's not flashy, but has proven to be reliable, if slightly underpowered) - but their approach to security is awful. For reasons I don't understand, they always seem to wait for weeks before advising users (long after engaged users see the alerts on line). Can't wait until there are some decent punitive fines for not taking security seriously.

  10. XenonXZ

    Debian

    Some Qnap NAS's support installing Debian, highly recommended if your model supports it.

    1. sitta_europea

      Re: Debian

      "Some Qnap NAS's support installing Debian, highly recommended if your model supports it."

      As long as you don't let it install systemd of course...

    2. Mark 65 Silver badge

      Re: Debian

      I can vouch for that. Running Stretch on a TS-439 Pro with a systemd run script thingy to control the LCD panel. Absolutely rock-solid and acts as an on-site backup.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019