QSnatch Malware - What to do?

OneCD
Guru
Posts: 12147
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD »

crypticc wrote: Sun Jul 19, 2020 9:01 pm I found the app in the "MultiMedia Add-ons" page of the app store.
A quick google suggests this is a QNAP app. Why is QNAP's own software not recognised?
Because QNAP haven't digitally signed it yet. Someone at QNAP missed it. :roll:

crypticc
Starting out
Posts: 30
Joined: Sat May 20, 2017 7:31 am

Re: QSnatch Malware - What to do?

Post by crypticc »

Thank you OneCD

Now if only Malware Remover kept a log of what it removed. But I can see that is an oft-repeated complaint.
:cry:
maffle
Starting out
Posts: 24
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle »

I just booted my QNAP, which I always let auto-update its firmware, and I got this today:

https://i.imgur.com/ezscuqj.png

I also have this error log entry from the same day: https://i.imgur.com/dRLdSt9.png. What to do about that?

I NEVER installed Music Station (it was removed the first day I got the device, before it was even on the internet) and I NEVER had the QNAP EVER opened to the internet since I bought it!!! I have TWO routers in my home, so it is 100% impossible that the station was EVER opened to the Internet! I would have had to manually open ports on TWO routers, including adding manual firewall rules for this, because I am using a VPN connection on my OpenWRT router and have to manually add firewall rules to allow new devices.

Before 8/21 there was no detection, even though I was always on the latest Malware Remover and the latest QNAP firmware. So what is claimed is totally not true.

Is this a false report and alarm? I have had this QNAP for 2 years or so, always had it auto-update, never had ANY ports opened to the internet, never had Music Station installed!

Is there any log to be found of what was found, where, and what was removed?
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman »

No logs... only QNAP could investigate... please open a ticket with them.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QSnatch Malware - What to do?

Post by AlastairStevenson »

I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet!
There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using the 'all service ports' scan from Shields Up! here:
https://www.grc.com/x/ne.dll?rh1dkyd2
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona »

AlastairStevenson wrote: Wed Aug 26, 2020 5:04 pm There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using the 'all service ports' scan from Shields Up! here:
https://www.grc.com/x/ne.dll?rh1dkyd2
You have never used OpenWRT, have you? ;)
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman »

I am not sure UPnP could open ports past the first NAT... as requests are not handed over to the WAN (the WAN in this case being another NATted private LAN).
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona »

dolbyman wrote: Wed Aug 26, 2020 10:34 pm I am not sure UPnP could open ports past the first NAT... as requests are not handed over to the WAN (the WAN in this case being another NATted private LAN).
This too!

OpenWRT does not have UPnP installed by default. The user needs to specifically download, install and enable UPnP, and the OpenWRT documentation mentions the risks of UPnP and recommends using firewall redirect rules instead of UPnP.

Given that maffle is using OpenVPN, double-NAT and explicit permit rules, has the knowledge to implement those and is clearly security conscious, enabling UPnP would be quite the surprise in this case.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona »

maffle wrote: Wed Aug 26, 2020 2:07 am I just booted my QNAP, which I always let auto-update its firmware, and I got this today:

https://i.imgur.com/ezscuqj.png

I also have this error log entry from the same day: https://i.imgur.com/dRLdSt9.png. What to do about that?

I NEVER installed Music Station (it was removed the first day I got the device, before it was even on the internet) and I NEVER had the QNAP EVER opened to the internet since I bought it!!! I have TWO routers in my home, so it is 100% impossible that the station was EVER opened to the Internet! I would have had to manually open ports on TWO routers, including adding manual firewall rules for this, because I am using a VPN connection on my OpenWRT router and have to manually add firewall rules to allow new devices.

Before 8/21 there was no detection, even though I was always on the latest Malware Remover and the latest QNAP firmware. So what is claimed is totally not true.

Is this a false report and alarm? I have had this QNAP for 2 years or so, always had it auto-update, never had ANY ports opened to the internet, never had Music Station installed!

Is there any log to be found of what was found, where, and what was removed?
I had a similar occurrence a couple of months ago, and have not had the time to dig into the issue and try to replicate it. I am not sure if the report is a false positive or not.

However, given QNAP's horrendous lack of transparency in the workings, logging and reporting of the Malware Scanner, and QNAP's history of poor PHP coding, I would not discount that there actually is an issue.

From what you mention, it appears as though your NAS is able to perform auto-updates, which means it is able to establish an outbound session. There are several QTS apps that are enabled by default and make various calls home, and I am not convinced that there is some obscure compromised QTS app making a call out.

In my case, I purchased a used TS-853 Pro, reflashed the DOM, did the typical first-time install procedures, disabled/removed most of the QTS apps (MusicStation, PhotoStation, VideoStation, etc.), had no port forwarding to that particular NAS, and two days later, on a still empty NAS, the Malware Scanner reported that it removed some malware. :'

I hope to have some time in the coming weeks to perform some more methodical config testing and network traffic analysis to see if there is something else that is being exploited.
maffle
Starting out
Posts: 24
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle »

AlastairStevenson wrote: Wed Aug 26, 2020 5:04 pm
I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet!
There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using the 'all service ports' scan from Shields Up! here:
https://www.grc.com/x/ne.dll?rh1dkyd2
Total nonsense. Obviously I also never did use UPnP... UPnP... with OpenWRT... LOL

Let me be clear again: I have 2 routers, so I have DOUBLE NAT, PLUS I am using OpenVPN with IPVanish, so it is kind of triple NAT. My internet line is:

cable modem router NAT <-> OpenWRT router NAT (2 x OpenVPN NAT) <-> LAN <-> NAS (routed through OpenVPN).

Everything in the LAN, including the NAS, can't reach router 1 directly because of the different subnet, and has to go through the manual firewall and routing rules of the OpenWRT router, which also routes most LAN devices through one of two OpenVPN tunnels to IPVanish.

Both routers have totally different subnets, and OpenVPN too, obviously. Port forwarding is also not possible through the OpenVPN tunnel using IPVanish.

This makes it a 100% case. ZERO ports have EVER been opened. ZERO. There is no chance in hell my NAS was ever opened to the Internet, ZERO CHANCE.

That means either I got a false report of this MR1905 (I can't find much about the MR190 version 5 actually), OR there is another way the NAS can get infected, which wasn't told to us by QNAP.

Found this post too some weeks ago via google search: viewtopic.php?f=50&t=156412&p=762048&si ... ac#p761892

When I bought this NAS 2.5 years ago, I removed ALL the nasty QNAP apps, photo, music, bla blub, disabled literally everything, all services, UPnP, cloud bla, disabled the nasty multimedia app from day 1. Etc. No FTP, no telnet (lel). No services whatsoever but the Samba share locally, also changed to Samba v3 obviously from day 1, all with passwords, no public shares. The NAS was never opened to the internet, and yet here I am, being infected, while it was always pulling the latest firmware.

All I ever used this NAS for was to put documents, videos and pictures on it over the LAN, on an encrypted RAID1 (system SSD + 2 encrypted RAID1 HDDs). No encryption keys saved.

I am 99% sure, if this alarm is true, there is some other way that QNAP never told the media about, maybe an inside job by one of their apps itself. I honestly started to hate this NAS from day 1 because of all the annoying services and apps running on it, all the crap I had to disable. And after just 2 weeks of using it, I was actually clear with myself to never buy a QNAP product ever again.
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona »

maffle wrote: Fri Aug 28, 2020 8:56 am
Total nonsense. Obviously I also never did use UPnP... UPnP... with OpenWRT... LOL
...
Ya, I more than smirked when the dude mentioned UPnP in response to your post that mentioned OpenWRT. :P
....

I am 99% sure, if this alarm is true, there is some other way that QNAP never told the media about, maybe an inside job by one of their apps itself. I honestly started to hate this NAS from day 1 because of all the annoying services and apps running on it, all the ** I had to disable. And after just 2 weeks of using it, I was actually clear with myself to never buy a QNAP product ever again.
This is my main beef with the newer QTS versions (and partially why I still run 3.x on a couple of units): there are QTS elements that initiate outbound sessions that are not really necessary in my opinion. As for telling the media about vulnerabilities, there is no requirement to do so, and QNAP is notoriously silent and opaque about the security of their software.

Personally, I believe the reason QNAP "has the power to assign a CVE ID" is so they can control the narrative of the vulnerability discovered. QNAP even had (I have no idea how) some security guy redact the vectors of some of the PHP code vulnerabilities once QNAP assigned a CVE number for the vulnerabilities he published.

You mention that you let the NAS perform the auto-update, so this highlights two areas that I have a concern with:
1. The NAS can initiate some outbound connections. Have you looked at blocking outbound sessions initiated by the NAS?
2. Each time a QTS update is performed, QNAP - in their infinitely retarded wisdom - re-installs some of the apps that have been manually uninstalled (this really p.i.s.s.e.s me off), and perhaps it is one of those apps that is initiating an outbound session whereby some nasty poop hitches a ride back to the NAS. (I'm looking at you, pos HelpDesk.) :evil:

So, who knows if the Malware log entry you are seeing is a false positive or not, but given QNAP's lack of transparency and poor PHP coding skillz, I would not be surprised if the alert was true, and I also would not be surprised if QNAP tells you to go and pound sand when you ask for details about the Malware log report. :roll:
Last edited by jaysona on Fri Aug 28, 2020 11:11 am, edited 2 times in total.
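Jaysona's first point, looking at (or blocking) the outbound sessions the NAS initiates, is something a router firewall log can answer directly. The script below is an added example, not code from this thread or from QNAP/OpenWRT: it parses netfilter LOG lines for new outbound flows from the NAS and flags destinations missing from an allow-list; the `NAS-OUT:` log prefix, the addresses and the allow-list are constructed assumptions.

```python
"""Summarise the outbound connections a NAS initiates, from router firewall logs.

Added example, not code from the forum thread or from QNAP/OpenWRT. It assumes the
router's firewall logs new outbound flows from the NAS with a LOG rule using the
prefix "NAS-OUT:" (an assumed name); the sample lines, addresses and the allow-list
below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample syslog excerpt (simplified netfilter fields). The NAS is
# 192.168.1.20; 192.168.1.21 is another LAN host that must not be counted.
SAMPLE_LOG = """\
Aug 26 02:01:11 router kernel: NAS-OUT: IN=br-lan OUT=tun0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51234 DPT=443 SYN
Aug 26 02:01:15 router kernel: NAS-OUT: IN=br-lan OUT=tun0 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=51236 DPT=443 SYN
Aug 26 02:03:40 router kernel: NAS-OUT: IN=br-lan OUT=tun0 SRC=192.168.1.20 DST=198.51.100.77 LEN=60 TTL=63 PROTO=TCP SPT=51300 DPT=80 SYN
Aug 26 02:05:02 router kernel: NAS-OUT: IN=br-lan OUT=tun0 SRC=192.168.1.20 DST=192.0.2.55 LEN=60 TTL=63 PROTO=TCP SPT=51310 DPT=8080 SYN
Aug 26 02:05:03 router kernel: NAS-OUT: IN=br-lan OUT=tun0 SRC=192.168.1.21 DST=192.0.2.55 LEN=48 TTL=63 PROTO=UDP SPT=5353 DPT=5353
"""

NAS_IP = "192.168.1.20"

# Placeholder allow-list: destinations the NAS legitimately needs, e.g. the vendor's
# firmware update endpoint. Replace with the addresses observed during a known-clean update.
ALLOWED = {("203.0.113.10", "TCP", 443)}

LOG_RE = re.compile(
    r"NAS-OUT: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_flows(log_text, nas_ip=NAS_IP):
    """Return (dst, proto, dport) for every logged flow whose source is the NAS."""
    flows = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") == nas_ip:
            flows.append((m.group("dst"), m.group("proto"), int(m.group("dpt"))))
    return flows


def unexpected_destinations(flows, allowed=ALLOWED):
    """Count flows to destinations that are not on the allow-list."""
    return Counter(flow for flow in flows if flow not in allowed)


def report(log_text=SAMPLE_LOG):
    """One line per distinct destination, with unexpected ones marked."""
    flows = parse_flows(log_text)
    bad = unexpected_destinations(flows)
    lines = []
    for flow, n in sorted(Counter(flows).items()):
        mark = "UNEXPECTED" if flow in bad else "allowed"
        lines.append(f"{flow[0]}:{flow[2]}/{flow[1]}  x{n}  {mark}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it against a real log from a quiet NAS that has just auto-updated gives the baseline allow-list; anything that shows up as UNEXPECTED afterwards is what to investigate or block.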
OneCD
Guru
Posts: 12147
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD »

maffle wrote: Fri Aug 28, 2020 8:56 am Total nonsense. Obviously I also never did use UPnP... UPnP... with OpenWRT... LOL
Alastair's suggestions are good general advice for those who may not know the inside of their router as well as they could.

It may not apply to you, but will apply to many others. :geek:

jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona »

OneCD wrote: Fri Aug 28, 2020 10:58 am Alastair's suggestions are good general advice for those who may not know the inside of their router as well as they could.

It may not apply to you, but will apply to many others. :geek:
While that is true, Alastair was responding specifically to someone, someone who included specifics about their network environment. The mention of UPnP in Alastair's response was completely useless and not applicable in that context; it also demonstrated a lack of knowledge about the environment to which he was responding.

It is far more helpful for people to not respond to things they are unsure of than to just spew out the typical check-list stuff of things to look at, even when a particular check-list item is not applicable.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R »

maffle wrote: Fri Aug 28, 2020 8:56 am I am 99% sure, if this alarm is true, there is some other way QNAP never told in the media about, maybe an inside job of one of their apps itself.
It's unlikely but definitely a possibility.

Did you buy the NAS new or used?
I honestly started to hate this NAS from day 1...
You didn't have to tell us, it shows in your posts.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: QSnatch Malware - What to do?

Post by AlastairStevenson »

While that is true, Alastair was responding specifically to someone, someone who included specifics about their network environment. The mention of UPnP in Alastair's response was completely useless and not applicable in that context; it also demonstrated a lack of knowledge about the environment to which he was responding.

It is far more helpful for people to not respond to things they are unsure of than to just spew out the typical check-list stuff of things to look at, even when a particular check-list item is not applicable.
Who rattled your cage?
Sure, I hadn't linked the lack of UPnP in OpenWRT, but that's no reason to slag off a response which has applied to so many people who are unaware of the risks of UPnP being enabled by default.

Just chill, OK.