QSnatch Malware - What to do?

[convergent]

I recently received a notice from AT&T (my ISP) that my account is exhibiting traffic consistent with a malware infection and identified qsnatch as the malware. Looks like this is a malware designed to attack QNAP products. I am shocked that there is no mention of it in the forum yet.

Anyone seen this? Not sure what I should do. I have two QNAP NAS boxes, one backing up the other. I don't even know which one is supposedly infected. Nothing is open on my network, in fact I have double routers... the AT&T box and then a Netgear Orbi and I never setup the AT&T as passthrough. I'm only using the QNAP boxes as file sharing so nothing on there that anyone should have been able to get into.

Help appreciated...

https://www.kyberturvallisuuskeskus.fi/ ... as-devices

UPDATES:
This thread seems to be heating up, so I'll try to pull some info to the top to save people from having to read the whole thread.

Both of my QNAP boxes showed that they were infected, but exhibited very different symptoms and took slightly different steps to eradicate the malware. I also note, (since its been asked numerous times in this thread) both are behind two routers (double NAT), which my understanding is that its near impossible to get a port opened with this setup. I have never opened ports or used the QNAP cloud VPN access. I use them only on my internal network as a file share, so also don't use any of the apps other than the backup apps to backup one to the other, and one of them backs up to Amazon. So its highly unlikely someone hacked into it from outside.

QNAP's warning post about Qsnatch - https://www.qnap.com/en/security-adviso ... 8umkRQYkC4
QNAP's updated service advisory about Qsnatch - https://www.qnap.com/th-th/security-adv ... -201911-01
(I've followed these steps on one of my QNAP boxes TS-659, and it is clean and then several hours later it is reinfected. On my other QNAP TS-231, the cleanme.sh steps below are what seems to have cleaned it.)

This post by Schlabschi worked for me. On my TS-231, I went through this and was good to go (so far) after updating everything. On my TS-659 (older), which also had a failing drive that slowed things down, it was a slower process to get there. I ran this and it didn't look like it fixed anything, but I was then able to run an update to the firmware. I then took several tries to get the Malware Remover installed, and finally that found a lot of things. I have rebooted a couple of times and so far it hasn't come back. No more emails from AT&T yet either.

I spent the whole day today to get rid of the malware and this is what finally helped:

1. Navigate to "Control Panel -> Hardware" and uncheck the checkbox at "run user defined processes during startup"
2. Connect to your QNAP via ssh: https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh
3. Execute the following command at the command line:

   Code: Select all

   curl https://download.qnap.com/Storage/tsd/utility/cleanme.sh | sh

   This downloads and executes a removal script from QNAP support that can be used for various infections. It successfully cleaned my infection. It especially helped to get rid of the corrupted autorun.sh file that kept the malware coming back after reboots.
4. Reboot your QNAP and (re-)install the latest firmware: qnap.com/en/how-to/tutorial/article/how ... s-firmware
5. Navigate to the App Center and make sure you update everything to the newest version (remove all apps that you didn't install and that seem suspicious)
6. Reboot again and run the latest version of the app "Malware Remover"
7. If it didn't find anything, go ahead and change all passwords of your local users (the malware is sending user names and passwords to a remote server)

Hope this helps.

Crontab & If you are getting reinjected
On my older QNAP box, after successfully getting rid of the malware, it kept reinjecting several times a day. I discovered that the following line in the Crontab which looks legit, is what is causing it to reinject, and others have confirmed this.

Code: Select all

#59 23,7,15 * * * /mnt/HDA_ROOT/.qpkg/.log/qpkg_util -z rotate

Also, if you have other lines in your Crontab that have jibberish looking names, then they are almost certainly related and also should be deleted. They would look similar to this one, but with different jibberish...

Code: Select all

10 * * * * /share/MD0_DATA/.FpuHGn/xnZwxwIjwvhqty.sh >/dev/null 2>&1

You can not simply edit the Crontab file, you must follow the procedure listed in this link to edit Crontab and restart cron. https://wiki.qnap.com/wiki/Add_items_to_crontab


Malware Remover Versions
Current versions that were updated for Qsnatch are here is now a 3.5.4.1 and 4.5.4.1, depending on your firmware version. https://www.qnap.com/en/app_releasenote ... areRemover
On one of my boxes I was able to update from App Center. On the other I had to remove it and then install manually, downloading from https://www.qnap.com/en-us/app_center/

[AlastairStevenson]

I'm only using the QNAP boxes as file sharing so nothing on there that anyone should have been able to get into.

First of all - check for any inbound access using something like ShieldsUp! https://www.grc.com/x/ne.dll?bh0bkyd2
The full port scan, then the UPnP check.

Check if your router has UPnP enabled.
If it does, disable it and reboot it.
Then check for UPnP enabled on either of the NAS boxes - or any other device on your LAN, in particular CCTV cameras.

[Toxic17]

report it to QNAP since we know nothing about your unknown NAS models, setup, or applications used.

https://www.qnap.com/en-uk/security-advisory/report

maybe QNAP might take note of it.

[AlastairStevenson]

You might find this article useful :
https://www.kyberturvallisuuskeskus.fi/ ... as-devices
Oops - sorry, it's the same one that you already quoted.

[convergent]

I'm only using the QNAP boxes as file sharing so nothing on there that anyone should have been able to get into.

First of all - check for any inbound access using something like ShieldsUp! https://www.grc.com/x/ne.dll?bh0bkyd2
The full port scan, then the UPnP check.

Check if your router has UPnP enabled.
If it does, disable it and reboot it.
Then check for UPnP enabled on either of the NAS boxes - or any other device on your LAN, in particular CCTV cameras.

Thanks... I ran both tests and they passed. I don't have an CCTV cameras. I have yanked the network cables on both QNAP boxes so when I get a moment to test further I'll check for UPnP.

Is there a way to scan the QNAP boxes for malware? All the tools provided by the ISP are for a Windows computer which is zero help.

[dolbyman]

you can download malware remover, most infection compromise the system in a way that you cannot run it anymore after the infection

a complete wipe (including DOM, if you unspecified NAS model has one) and then a restore from backups is th e safest method

[convergent]

you can download malware remover, most infection compromise the system in a way that you cannot run it anymore after the infection

a complete wipe (including DOM, if you unspecified NAS model has one) and then a restore from backups is th e safest method

Thanks, My NAS boxes are TS-659 and TS-232.

I have opened an incident with QNAP support.

The report from AT&T was indicating that it was "receiving traffic" that indicated a malware infection, so if that were the case then I'd boxes are still running, but need to verify. I logged into one of them when I posted this and it seemed to be working. I am rebooting them now so will check again when they are back online.

I am not positive that this malware is on the QNAP boxes... I'm just making an assumption because AT&T mentioned "qsnatch" which the one page on Google about it says its QNAP. I'm not sure how to scan to verify if anything is even on them. I'm a bit inexperienced on this stuff because they've basically run since I took them out of the boxes years ago.

[convergent]

I am able to log in to both systems and they seem to be functioning correctly. I am going to enable the Antivirus system on both... it was disabled. Not sure if this can detect malware. And do system updates on both. UPnP is not enabled on either one.

[dolbyman]

malware remover is what you want (as said before) .. antivirus is for your file shares .. not so much for the NAS OS

[jo4114]

If infected Malware Remover is not available in the App Center, making it impossible to run. If it is listed (meaning you have installed in previously) it will not run due to the malware.

I also received the same message from ATT and confirmed infection via outbound DNS calls from the QNAP to various control boxes. I have disabled outbound & inbound internet access from my QNAP and have opened a ticket with support for assistance with removal (if possible).

Model TS-659 Pro II

[AlastairStevenson]

confirmed infection via outbound DNS calls from the QNAP to various control boxes.

If you could give some details of how you did this and what you found, it would help others who may have the same problem to confirm and deal with.

[convergent]

If infected Malware Remover is not available in the App Center, making it impossible to run. If it is listed (meaning you have installed in previously) it will not run due to the malware.

I also received the same message from ATT and confirmed infection via outbound DNS calls from the QNAP to various control boxes. I have disabled outbound & inbound internet access from my QNAP and have opened a ticket with support for assistance with removal (if possible).

Model TS-659 Pro II

Did you disable inbound/outbound traffic in the Router?

I am pretty confident that the malware I'm dealing with is on the QNAP box because I pulled the network cables from them for a couple of days and didn't get any message from AT&T. As soon as I plugged them back in, I got another message from them. So they are pulled for now. I'll have to figure out how to disable them getting to the internet at all.

[convergent]

If infected Malware Remover is not available in the App Center, making it impossible to run. If it is listed (meaning you have installed in previously) it will not run due to the malware.

I also received the same message from ATT and confirmed infection via outbound DNS calls from the QNAP to various control boxes. I have disabled outbound & inbound internet access from my QNAP and have opened a ticket with support for assistance with removal (if possible).

Model TS-659 Pro II

One more question... everything in the control panel seems to be working fine so then why would malware remover not load and run? The malware here seems to be a way for them to use the box as part of attacks... it doesn't seem to be disabling QNAP functions from working.

[dolbyman]

The malware here seems to be a way for them to use the box as part of attacks... it doesn't seem to be disabling QNAP functions from working.

If they want to use your NAS as a botnet node or crypto slave, their goal is to keep it hidden from you as long as possible, disabling the NAS functionality would be counterproductive for that task

[jo4114]

If infected Malware Remover is not available in the App Center, making it impossible to run. If it is listed (meaning you have installed in previously) it will not run due to the malware.

I also received the same message from ATT and confirmed infection via outbound DNS calls from the QNAP to various control boxes. I have disabled outbound & inbound internet access from my QNAP and have opened a ticket with support for assistance with removal (if possible).

Model TS-659 Pro II

Did you disable inbound/outbound traffic in the Router?

I am pretty confident that the malware I'm dealing with is on the QNAP box because I pulled the network cables from them for a couple of days and didn't get any message from AT&T. As soon as I plugged them back in, I got another message from them. So they are pulled for now. I'll have to figure out how to disable them getting to the internet at all.

The quickest way to disable access to the internet from the QNAP would be to change the default gateway config on the QNAP to something else other than the actual default gateways as well as change the DNS Servers on the QNAP to 0.0.0.0. This way the QNAP will only be able to communicate on the local network via IP.