QSnatch Malware - What to do?

Qnasguy
Starting out
Posts: 42
Joined: Wed May 03, 2017 3:32 am

Re: QSnatch Malware - What to do?

Post by Qnasguy » Wed Jan 08, 2020 7:35 pm

What if the infection is coming from my laptop?

AnalogEngineer
Starting out
Posts: 18
Joined: Mon Oct 22, 2018 6:52 am

Re: QSnatch Malware - What to do?

Post by AnalogEngineer » Tue Jan 14, 2020 2:28 am

Qnasguy wrote:
Wed Jan 08, 2020 7:35 pm
What if the infection is coming from my laptop?
I think you're on to something. Reading about who has and who has not been infected, I am thinking the vector is not direct to the NAS from outside. The infection is either a PC or Phone app that has admin access to the NAS on the local network that is compromised that has access to the outside. I have one NAS that was not infected despite doing probably everything conceivable wrong. But there were no phone apps that had access to the NAS Admin. The one I know that did get infected had everything right, but there were remote apps that also had access.
I'm guessing the vector is Qfile, Qmanager, Qsync, QVPN, QVR-Pro, Vmobile, Qsirch or something like that loaded on a phone or other device.

@convergent were you running any apps on your phone or tablet that had access to the NAS?

FSC830
Getting the hang of things
Posts: 57
Joined: Thu Mar 03, 2016 1:11 am

Re: QSnatch Malware - What to do?

Post by FSC830 » Fri Jan 17, 2020 8:16 pm

To be honest:
I don't believe that the vector is an app on a smartphone!
Most affected users have been using an internet service like myqnapcloud or any other app like photostation and did not protect the NAS against external access.
I am also using Qfile on several Android devices and Qsync on multiple PCs, so I for myself can exclude this software as I am not affected by QSnatch malware.

regards

Dic3man
Getting the hang of things
Posts: 65
Joined: Thu Dec 19, 2019 4:57 am

Re: QSnatch Malware - What to do?

Post by Dic3man » Sat Jan 18, 2020 1:34 am

I have read on reddit that even users with their NAS not exposed to the internet at all have gotten infected (of course I cannot verify this but people have reported this at least).

P3R
Guru
Posts: 12350
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Sat Jan 18, 2020 5:23 am

Dic3man wrote:
Sat Jan 18, 2020 1:34 am
I have read on reddit that even users with their NAS not exposed to the internet at all have gotten infected (of course I cannot verify this but people have reported this at least).
Yes, there have been some reports here as well of course that users with claimed non-exposed units have been affected. Maybe a few of them may actually have unknowingly been exposed by the dangerous defaults in the NAS configuration in addition to having UPnP enabled in their routers (another dangerous default from other manufacturers)?

There are probably still a handful of users though that have had their truly non-exposed systems infected and that's as far as I know a first in all the different malware outbursts that have targeted Qnaps over the years. It was shown in the only brief public analysis of QSnatch that I've seen that it had multiple attack vectors. It wasn't shown that non-exposed systems could be affected but I'm convinced that there is at least some still unknown way for the infection to spread also to non-exposed Qnaps. I also see the smartphone vector being presented here as very improbable and if it's through infected software my money would much rather be on a third-party app that the affected non-exposed systems have in common.

The overwhelming majority of affected users have had their NASes exposed and it's pretty telling that Qnap in the latest QSnatch security advisory now for the first time tells users to disable UPnP router configuration and set their myQNAPcloud/CloudLink NAS access to private, which goes completely against all their marketing and default configuration options for the last few years that have been promoting sharing resources from your NAS on the internet.

The best advice to be secure is to only keep the NAS accessible on the internal network. If remote access is absolutely necessary, the only relatively secure way to do it is through a remote access VPN solution, preferably implemented on the internet-facing firewall/router.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

non-serviam
Starting out
Posts: 48
Joined: Sun Nov 03, 2013 2:18 am

Re: QSnatch Malware - What to do?

Post by non-serviam » Sun Jan 19, 2020 9:06 am

I have literally the machine running (until someone makes the mistake to take it from me) without doing anything at all, and today I got the notice (not even a warning):
Malware Remover cannot be executed because Python2 is not installed or enabled.
The only solution was to reinstall the Malware Remover app, which could easily be a "new" infected version.
What exactly is QNAP doing?

P3R
Guru
Posts: 12350
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Sun Jan 19, 2020 10:43 am

non-serviam wrote:
Sun Jan 19, 2020 9:06 am
I have literally the machine running (until someone makes the mistake to take it from me) without doing anything at all..
Your unit seems to be already infected and Qnap can't by themselves disinfect it without your cooperation. Please contact Qnap support so that they can help you get back to a non-infected unit.

non-serviam
Starting out
Posts: 48
Joined: Sun Nov 03, 2013 2:18 am

Re: QSnatch Malware - What to do?

Post by non-serviam » Sun Jan 19, 2020 10:24 pm

P3R wrote:
Sun Jan 19, 2020 10:43 am
non-serviam wrote:
Sun Jan 19, 2020 9:06 am
I have literally the machine running (until someone makes the mistake to take it from me) without doing anything at all..
Your unit seems to be already infected and Qnap can't by themselves disinfect it without your cooperation. Please contact Qnap support so that they can help you get back to a non-infected unit.
The system was "cleaned" with QNAP's methods...

P3R
Guru
Posts: 12350
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Sun Jan 19, 2020 11:09 pm

non-serviam wrote:
Sun Jan 19, 2020 10:24 pm
The system was "cleaned" with QNAP's methods...
That you would be reinfected through standard Qnap apps is completely unrealistic as you're one of the very few infected (if you still are?) and several hundred thousand other Qnaps run the same standard Qnap apps without being reinfected.

Maybe something else in your network is compromised so that the bad guys control everything and reinfect your Qnap after every reinstallation?

convergent
Know my way around
Posts: 142
Joined: Fri Mar 05, 2010 5:13 am

Re: QSnatch Malware - What to do?

Post by convergent » Tue Jan 28, 2020 5:29 am

Dic3man wrote:
Sat Jan 18, 2020 1:34 am
I have read on reddit that even users with their NAS not exposed to the internet at all have gotten infected (of course I cannot verify this but people have reported this at least).
I am one of the folks that got infected with no outside exposure of my QNAP boxes, and I'm the one that started this thread here... so it's definitely happening.

As for infections starting from laptops or mobile devices, I suppose it's possible. I used some of the apps like QFile on my mobile devices, but only on my local network. Someone in the thread ruled that out because they use these apps and weren't infected. That doesn't rule it out.

Qnasguy
Starting out
Posts: 42
Joined: Wed May 03, 2017 3:32 am

Re: QSnatch Malware - What to do?

Post by Qnasguy » Wed Jan 29, 2020 7:11 am

Any infected user using this script to update godaddy dns?

https://github.com/michaudg/godaddy-ddn ... godaddy.sh

P3R
Guru
Posts: 12350
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Wed Mar 18, 2020 11:32 pm


peelos
Been there, done that
Posts: 507
Joined: Sun Jun 26, 2016 9:28 pm

Re: QSnatch Malware - What to do?

Post by peelos » Thu Mar 19, 2020 5:45 am

Thanks for sharing

Sent from my SM-N975F using Tapatalk

NAS: TVS-1282-i7K-40G / 4 x 500GB SSD 2.5" / 2 x 500GB M.2 SSD / 8 x 4TB WD Red 3.5" / Corsair H5-SF Watercooling / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / QTransmission / Sonarr / Radarr / Jackett / QMono / Tautulli / OpenHAB / Resilio Sync / QPython / QJDK 8 / NetData / Qapache / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / Advanced Tomato Firmware

P3R
Guru
Posts: 12350
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Thu Mar 19, 2020 6:59 am

peelos wrote:
Thu Mar 19, 2020 5:45 am
Thanks for sharing
It was Moogle that brought it to this forum so he really deserves that credit more than me. I just added it to some of the Qsnatch-threads.

That Qnap chose another channel for their first response on the subject is in my opinion both a surprising and disappointing decision.

OneCD
Ask me anything
Posts: 7968
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD » Thu Mar 19, 2020 7:05 am

P3R wrote:
Thu Mar 19, 2020 6:59 am
That Qnap chose another channel for their first response on the subject is in my opinion both a surprising and disappointing decision.
The first name I recognised in that reddit post was @QNAP_Daniel, who is known to be a poor communicator, so I wasn't that surprised. His communiqués on this forum have not been well-received. :lol:
