QSnatch Malware - What to do?

jo4114
Starting out
Posts: 14
Joined: Thu Sep 22, 2011 9:29 am

Re: QSnatch Malware - What to do?

Post by jo4114 »

wowo wrote: Fri Nov 08, 2019 8:30 pm I got a malware remover signal today, Nov 8, at 12:56; see attachment.
After that I looked in share/HDA_DATA/.qpkg/photostation2/cache.
There I saw strange files (modify date yesterday, Nov 7); see attachment.
Could the photostation qpkg be the vector?
Anything is possible at this point.

I was exposed to the internet and had a few services running:

Admin Login
QFILE
Photo Station
Music Station
Surveillance Station
Download Station
MyQNAPCloud
L2TP / IPSEC VPN

So I am assuming the attack vector is one of these services and have therefore blocked everything at this point in the "hope" that QNAP will disclose the attack vector. It would be GREAT if you could specify the port EACH service operates on (MusicStation:8091, PhotoStation:9645, etc.); this would make it easier to hide the Admin Login page by forwarding just the EXACT services I wanted. I suppose with an Enterprise-class FW I could do this based on destination URL, but this is just my house....

It COULD be something in the qpkg, as after I was hit and cleaned and then updated all apps, MR hit again on the Media Streaming Add-on App. Thing is, before this I had not updated an App in some time, so the initial infection had to come in thru one of the services listed. Also, my crontab was a mess and I had not cleaned it up prior to these logs, so I heavily suspect that whatever was running as part of the Malware just infected the Media Streaming Add-on app on net new installation.

Anyway, See here:
Last edited by jo4114 on Fri Nov 08, 2019 10:07 pm, edited 1 time in total.
jo4114
Starting out
Posts: 14
Joined: Thu Sep 22, 2011 9:29 am

Re: QSnatch Malware - What to do?

Post by jo4114 »

ncnmra wrote: Fri Nov 08, 2019 9:17 pm After multiple MR scans, cleanme.sh and reboots last night, I was hopeful that I had squashed it; however, a manual MR scan this morning came up with infections.

The fact that MR does not indicate what/where it found is pathetic. My NAS is currently blocked from getting out to the internet, but I'm stumped what to do. I will put in a ticket with QNAP, but this is seriously troubling.
Have you checked and verified everything in crontab?
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra »

jo4114 wrote: Fri Nov 08, 2019 9:55 pm Have you checked and verified everything in crontab?
Yes, see 3rd post on page 16
addwal
Starting out
Posts: 20
Joined: Wed Jan 27, 2016 4:47 am

Re: QSnatch Malware - What to do?

Post by addwal »

ncnmra wrote: Fri Nov 08, 2019 10:22 pm
jo4114 wrote: Fri Nov 08, 2019 9:55 pm Have you checked and verified everything in crontab?
Yes, see 3rd post on page 16
For the lazy: viewtopic.php?f=50&t=151402&start=225#p733489
QNAP TS-1277 (TS-1277-1700-64G) w. 2x Samsung 860 EVO 1TB M.2 & 4x Samsung 860 PRO SSD 2TB & 8x WD White Label [WD120EDAZ] 12TB HDD
convergent
Know my way around
Posts: 144
Joined: Fri Mar 05, 2010 5:13 am

Re: QSnatch Malware - What to do?

Post by convergent »

ncnmra wrote: Fri Nov 08, 2019 9:17 pm After multiple MR scans, cleanme.sh and reboots last night, I was hopeful that I had squashed it; however, a manual MR scan this morning came up with infections.

The fact that MR does not indicate what/where it found is pathetic. My NAS is currently blocked from getting out to the internet, but I'm stumped what to do. I will put in a ticket with QNAP, but this is seriously troubling.
If it's coming back, then it will probably keep coming back. I opened a ticket with QNAP when I started this thread, and I've yet to hear back from them, so I wouldn't expect any help there. I have two QNAP boxes. Both showed malware infection when I got the ISP email, but looked different. One cleaned with the processes here and hasn't come back. The other one cleaned with the processes here and comes back twice a day. Neither has ever been exposed to the open internet (sitting behind double-NAT routers with no ports open, and now with an invalid default gateway). So the suggestions about passwords and such don't apply unless the hacker has moved into my attic.

My conclusion is this thing is either somehow masquerading as a valid cron entry, or it must have infected firmware or something. After I get a chance to do another backup so I have two, I am thinking about disabling every entry in crontab and seeing what happens.

One thing no one has mentioned yet: how do I see what processes are running, like with Task Manager in Windows? I have two boxes here... one repeatedly infecting, the other not. I would like to compare the running processes to see if something looks bad there.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh »

P3R wrote: Fri Nov 08, 2019 4:33 pm
csmithwestmill wrote: Fri Nov 08, 2019 4:20 pm So far no-one has mentioned:
If they had IP Access Protection on?
If they were using a strong password policy?
In my opinion the internet exposed systems are less interesting. They're sitting ducks no matter what. Brute force is only one of several possible attack vectors and with QSnatch I very much doubt that's the primary one used.

The unique and very dangerous thing with QSnatch is that we have indications of at least some non-exposed systems being infected.
Looking at this further, the scenarios are interesting:

1. NAS exposed to the web with no firewall or proxy in between: nothing more to say here other than exposing ANYTHING to the internet without taking the necessary precautions is a recipe for disaster.

2. NAS not exposed and still getting infected. The vector could be a compromised app that was able to communicate before to the internet, got replaced with malware, and now it is just infecting the NAS hoping that it will be exposed again to the internet so that it can connect to C2. We have only been looking at the cron jobs, but nobody has been looking at services as far as I know (/etc/daemon_mgr.conf). That would explain how certain devices which have not exposed their services to the web have been infected.

3. Possible Myqnapcloud compromise. This might be related to #1 in the sense that if people are using this service again without proper security measures (long password, 2FA, etc.)

I agree that qnap should be more forthcoming with information (for the sake of transparency), but we as users need to do our due diligence.

QNAP TVS-951xQTS 5.0.0.1986 build 20220324 OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM WD Easystore 10TB External USB 3.0 Services: SMB, Appletalk, QPKG: Container Station, HBS 3
QNAP TS-453AQTS 5.0.0.1986 build 20220324 Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP
dolbyman
Guru
Posts: 35252
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman »

Processes can be seen via QTS (top-right speed indicator dashboard, and then click above the CPU speed to see the system processes)

or "top" via SSH
jo4114
Starting out
Posts: 14
Joined: Thu Sep 22, 2011 9:29 am

Re: QSnatch Malware - What to do?

Post by jo4114 »

convergent wrote: Fri Nov 08, 2019 11:18 pm
After I get a chance to do another backup so I have two, I am thinking about disabling every entry in crontab and see what happens.
This is a good idea.
One thing no one has mentioned yet: how do I see what processes are running, like with Task Manager in Windows? I have two boxes here... one repeatedly infecting, the other not. I would like to compare the running processes to see if something looks bad there.
Control Panel / System Status / Resource Monitor / Process
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh »

convergent wrote: Fri Nov 08, 2019 11:18 pm
ncnmra wrote: Fri Nov 08, 2019 9:17 pm After multiple MR scans, cleanme.sh and reboots last night, I was hopeful that I had squashed it; however, a manual MR scan this morning came up with infections.

The fact that MR does not indicate what/where it found is pathetic. My NAS is currently blocked from getting out to the internet, but I'm stumped what to do. I will put in a ticket with QNAP, but this is seriously troubling.
If it's coming back, then it will probably keep coming back. I opened a ticket with QNAP when I started this thread, and I've yet to hear back from them, so I wouldn't expect any help there. I have two QNAP boxes. Both showed malware infection when I got the ISP email, but looked different. One cleaned with the processes here and hasn't come back. The other one cleaned with the processes here and comes back twice a day. Neither has ever been exposed to the open internet (sitting behind double-NAT routers with no ports open, and now with an invalid default gateway). So the suggestions about passwords and such don't apply unless the hacker has moved into my attic.

My conclusion is this thing is either somehow masquerading as a valid cron entry, or it must have infected firmware or something. After I get a chance to do another backup so I have two, I am thinking about disabling every entry in crontab and seeing what happens.

One thing no one has mentioned yet: how do I see what processes are running, like with Task Manager in Windows? I have two boxes here... one repeatedly infecting, the other not. I would like to compare the running processes to see if something looks bad there.
Login via SSH and issue the ps command.
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra »

You can use "ps" or "top" in SSH. Alternatively, there is a resource monitor in the upper right of the web GUI. You can open it and display the running processes.

I've done this multiple times though and it never showed anything useful. I suspect that this Malware has deeply embedded itself into some system process.
convergent
Know my way around
Posts: 144
Joined: Fri Mar 05, 2010 5:13 am

Re: QSnatch Malware - What to do?

Post by convergent »

I used the commands shared here - viewtopic.php?f=50&t=151577 - to stop cron from running after verifying that MR ran clean. I'll now wait and see what happens. If it reinfects again this afternoon on schedule, then it confirms that nothing in crontab is doing it, I believe.

I will play around with the list of running processes to see if anything stands out.
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra »

Please keep us posted. I have my NAS on my desk, unplugged, awaiting full recovery. This is a super time consuming process, so I'd prefer to avoid it if possible.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh »

The thing, as you will discover, is that you will need tools to figure this out:

ps for looking at processes
On another SSH session, check netstat for TCP connections, either listening or established.

Start (disabling services and apps in the GUI) and look at those two windows and start tracking behaviour (take notes of what you see).
Start enabling apps or services and look at them, especially if there are established connections that were not there before the service was enabled.

One thing to keep in mind, and bear with me if you already know this:

When you stop forwarding ports or disable UPnP, the only thing that you are stopping is a connection being initiated from the internet to your device. If there is malware already on the device, the malware can initiate the connection (just like you can do when you browse the web from your computer). Malware can then connect to its C2 (Command & Control) host, and with that connection re-infect you again.

I am thinking that looking at cron jobs is only half the picture here, and that also explains why even after deleting them you still get infected. There has to be another executable that is either establishing that C2 connection or creating those cron jobs to gain persistence.
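The baseline-then-compare step described in the post above, as an added example that is not code from the thread or from QNAP: it normalises `netstat -tn` style output into sortable "STATE local remote" lines and prints only the connections that appear after a service was enabled but were absent from the baseline. The two snapshots are constructed sample data; the six-column net-tools/BusyBox layout and the addresses are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread). Turns `netstat -tn` style output
# into sortable "STATE local remote" lines and reports the connections that
# appear in a later snapshot but not in a baseline taken before a service was
# enabled, which is the comparison the post above describes doing by eye.
# Assumes the six-column net-tools/BusyBox layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State

# Keep TCP rows only, drop the queue counters, sort for a stable comparison.
normalise_conns() {
    awk '$1 ~ /^tcp/ && NF >= 6 { print $6, $4, $5 }' | sort -u
}

# Print lines present in the current snapshot but absent from the baseline.
# Usage: new_conns baseline_file current_file (both already normalised)
new_conns() {
    comm -13 "$1" "$2"
}

# Constructed sample snapshots standing in for two `netstat -tn` runs on the
# NAS: the baseline with services disabled, and the capture after enabling one.
BASELINE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:8080       192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:22         192.168.1.20:51240      ESTABLISHED'

CURRENT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:22         192.168.1.20:51240      ESTABLISHED
tcp        0      0 192.168.1.10:8080       192.168.1.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:49152      203.0.113.7:443         ESTABLISHED'

# Compare the two constructed snapshots; prints only the new connection(s).
# On a real box, replace the printf calls with `netstat -tn | normalise_conns`.
demo_new_conns() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$BASELINE" | normalise_conns > "$tmp/base"
    printf '%s\n' "$CURRENT"  | normalise_conns > "$tmp/cur"
    new_conns "$tmp/base" "$tmp/cur"
    rm -rf "$tmp"
}

demo_new_conns
```

Any line it prints is a connection that did not exist before the service was enabled, which is exactly the kind of new established connection the post says to pay attention to.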
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: QSnatch Malware - What to do?

Post by ncnmra »

xavierh wrote: Fri Nov 08, 2019 11:50 pm When you stop forwarding ports or disable UPnP, the only thing that you are stopping is a connection being initiated from the internet to your device. If there is malware already on the device, the malware can initiate the connection (just like you can do when you browse the web from your computer). Malware can then connect to its C2 (Command & Control) host, and with that connection re-infect you again.
This makes sense, but in the case of the OP, and myself, we disabled outgoing internet access through an invalid gateway configuration, and (for myself at least) a router filter to prevent internet access for my NAS.

Therefore, the malware must be constrained either to the NAS itself or (highly unlikely) to another device on the local network.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: QSnatch Malware - What to do?

Post by xavierh »

ncnmra wrote: Fri Nov 08, 2019 11:56 pm
xavierh wrote: Fri Nov 08, 2019 11:50 pm When you stop forwarding ports or disable UPnP, the only thing that you are stopping is a connection being initiated from the internet to your device. If there is malware already on the device, the malware can initiate the connection (just like you can do when you browse the web from your computer). Malware can then connect to its C2 (Command & Control) host, and with that connection re-infect you again.
This makes sense, but in the case of the OP, and myself, we disabled outgoing internet access through an invalid gateway configuration, and (for myself at least) a router filter to prevent internet access for my NAS.

Therefore, the malware must be constrained either to the NAS itself or (highly unlikely) to another device on the local network.
Very unlikely that it would be hosted on another (non-QNAP) device. If that were the case... that is a very scary scenario.