QSnatch Malware - What to do?

Don't miss a thing. Post your questions and discussion about other uncategorized NAS features here.
Post Reply
User avatar
OneCD
Ask me anything
Posts: 8088
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD » Mon Jul 20, 2020 3:41 am

crypticc wrote:
Sun Jul 19, 2020 9:01 pm
I found the app in the "MultiMedia Add-ons" page of the app store.
A quick google suggests this is a QNAP app. Why is QNAP own software not recognised?
Because QNAP haven't digitally signed it yet. Someone at QNAP missed it. :roll:

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

crypticc
Starting out
Posts: 20
Joined: Sat May 20, 2017 7:31 am

Re: QSnatch Malware - What to do?

Post by crypticc » Mon Jul 20, 2020 5:40 pm

Thank you OneCD

Now if only Malware remover kept a log of what they removed? But I can see that is an oft-repeated complaint.
:cry:

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Wed Aug 26, 2020 2:07 am

I just booted my QNAP, after I always let it auto update firmware and I got this today:

https://i.imgur.com/ezscuqj.png

I also have this error log entry at the same day: https://i.imgur.com/dRLdSt9.png what to do about that?

I NEVER installed Music station (was removed the first day I got the device, before it was even on the internet) and I NEVER had the QNAP EVER opened to the internet since I bought it !!! I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet! I would had manually opened ports on TWO routers, including adding manual firewall rules for this, because I am using a VPN connection on my OpenWRT router, and have to manually add firewall rules, to allow new devices.

Before 8/21 there was no detection, even I was always on latest malware remover and latest QNAP firmware. So it is totally not true, what is claimed.

Is this a false report and alam? I have this QNAP since 2 years or so, always had it auto update, never had ANY ports opened to the internet, never had music station installed!

Is there any log to be found what was found, where and what was removed?

User avatar
dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Wed Aug 26, 2020 3:28 am

no logs .. only QNAP could investigate .. please open a ticket with them

AlastairStevenson
Experience counts
Posts: 2253
Joined: Wed Jan 08, 2014 10:34 pm

Re: QSnatch Malware - What to do?

Post by AlastairStevenson » Wed Aug 26, 2020 5:04 pm

I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet!
There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using 'all service ports' scan from Shields Up! here :
https://www.grc.com/x/ne.dll?rh1dkyd2
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.

User avatar
jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Wed Aug 26, 2020 10:30 pm

AlastairStevenson wrote:
Wed Aug 26, 2020 5:04 pm
There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using 'all service ports' scan from Shields Up! here :
https://www.grc.com/x/ne.dll?rh1dkyd2
You have never used OpenWRT, have you? ;)
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

User avatar
dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Wed Aug 26, 2020 10:34 pm

I am not sure upnp could open ports past the first nat ...as requests are not handed over to wan (wan in this case another natted private lan)

User avatar
jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Wed Aug 26, 2020 10:52 pm

dolbyman wrote:
Wed Aug 26, 2020 10:34 pm
I am not sure upnp could open ports past the first nat ...as requests are not handed over to wan (wan in this case another natted private lan)
This too!

OpenWRT does not have UPnP installed by default. The user needs to specifically download, install and enable UPnP, and the OpenWRT documentation mentions the risks of UPnP and recommends using firewall redirect rules instead of UPnP.

Given that maffle is using OpenVPN, double-NAT and explicit permit rules, has the knowledge to implement those and is clearly security conscious, enabling UPnP would be quite the surprise in this case.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

User avatar
jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Wed Aug 26, 2020 11:07 pm

maffle wrote:
Wed Aug 26, 2020 2:07 am
I just booted my QNAP, after I always let it auto update firmware and I got this today:

https://i.imgur.com/ezscuqj.png

I also have this error log entry at the same day: https://i.imgur.com/dRLdSt9.png what to do about that?

I NEVER installed Music station (was removed the first day I got the device, before it was even on the internet) and I NEVER had the QNAP EVER opened to the internet since I bought it !!! I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet! I would had manually opened ports on TWO routers, including adding manual firewall rules for this, because I am using a VPN connection on my OpenWRT router, and have to manually add firewall rules, to allow new devices.

Before 8/21 there was no detection, even I was always on latest malware remover and latest QNAP firmware. So it is totally not true, what is claimed.

Is this a false report and alam? I have this QNAP since 2 years or so, always had it auto update, never had ANY ports opened to the internet, never had music station installed!

Is there any log to be found what was found, where and what was removed?
I had a similar occurrence a couple of months ago, and have not had to the time to dig into the issue and try to replicate it. I am not sure if the report is a false positive or not.

However, given QNAPs horrendous lack of transparency in the workings, logging and reporting of the Malware Scanner and QNAPs history of poor PHP coding, I would not discount that there actually is an issue.

From what you mention, it appears as though your NAS is able to perform auto-updates, which means it is able to establish an outbound session. There are several QTS apps that are enabled by default and make various calls home, and I am not convinced that there is some obscure compromised QTS app making a call out.

In my case, I purchased a used TS-853Pro, reflashed the DOM, did the typical first time install procedures, disabled/removed most (MusicStation, PhotoStation, VideoStation, etc) of the QTS apps, no port forwarding to that particular NAS, and two days later, on a still empty NAS the Malware Scanner reported that it removed some malware. :'

I hope to have some time in the coming weeks to perform some more methodical config testing and network traffic analysis to see if there something else that is being exploited.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Fri Aug 28, 2020 8:56 am

AlastairStevenson wrote:
Wed Aug 26, 2020 5:04 pm
I have TWO routers in my home, so it is 100% impossible, the station was EVER opened to the Internet!
There is a way that inbound access from the internet can be opened automatically without your knowledge.
Check the admin web GUI of both routers to see if 'UPnP' is enabled.
It often is enabled as a default setting.
If it is enabled, disable it.

But before you do so - check if any inbound access is possible using 'all service ports' scan from Shields Up! here :
https://www.grc.com/x/ne.dll?rh1dkyd2
Totally nonsense. Obviously I also never did use uPNP... uPNP... with OpenWRT... LOL

Let me be clear again: I have 2 routers, so I have DOUBLE NAT, PLUS using OpenVPN with IpVanish, so it is kinda triple NAT. My internet line is:

cable modem router NAT <-> openwrt router NAT (2 x OpenVPN NAT) <-> LAN <-> NAS (routed through OpenVPN).

Everything in LAN, including the NAS, cant reach router 1 directly, because of different subnet, and has to go through manual firewall and routing rules of the OpenWRT router, which also routes most of LAN devices through one of two OpenVPN tunnels to IpVanish.

Both routers have totally different subnets, OpenVPN too obviously. Port forwarding is also not possible through OpenVPN VPN using IpVanish.

This makes it a 100% case. ZERO ports have been EVER opened. ZERO. There is no chance in **, my NAS was ever opened to the Internet, ZERO CHANCE.

That means, either I got a false report of this MR1905, I cant find much about the MR190 version 5 actually, OR, there is another way, the NAS can get infected, which wasnt told by us by QNAP.

Found this post too some weeks ago via google search: viewtopic.php?f=50&t=156412&p=762048&si ... ac#p761892

When I bought this NAS 2,5 years ago, I removed ALL the nasty QNAP apps, photo, music, bla blub, disabled literally everything, all services, upnp, cloud bla, disabled the nasty multimedia app from day 1. Ect. No ftp, no telnet (lel). No services whatsoever but the Samba share locally, also changed to Samba v3 obviously from day 1, all with password, no public shares. The NAS was never opened to the internet, and yet here I am, being infected, where it was always pulling the latest firmware.

All I ever used this NAS for, was to put in LAN documents, videos and pictures on it, on an encrypted RAID1 (system SSD + encrypted 2 RAID1 HDD). No encryption keys saved.

I am 99% sure, if this alarm is true, there is some other way QNAP never told in the media about, maybe an inside job of one of their apps itself. I honestly started to hate this NAS from day 1 of all the annoying services and apps running on it, all the ** I had to disable. And I actually was after just 2 weeks of using it clear to myself, to never buy a QNAP product ever again.

User avatar
jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Fri Aug 28, 2020 10:40 am

maffle wrote:
Fri Aug 28, 2020 8:56 am

Totally nonsense. Obviously I also never did use uPNP... uPNP... with OpenWRT... LOL
...
Ya, I more than smirked when the dude mentioned UPnP in response to your post that had the mention of OpenWRT. :P
....

I am 99% sure, if this alarm is true, there is some other way QNAP never told in the media about, maybe an inside job of one of their apps itself. I honestly started to hate this NAS from day 1 of all the annoying services and apps running on it, all the ** I had to disable. And I actually was after just 2 weeks of using it clear to myself, to never buy a QNAP product ever again.
This is my main beef with the newer QTS versions (and partially why I still rub 3.x on a couple of units), there are QTS elements that initiate outbound sessions that are not really necessary in my opinion. As for telling there media about vulnerabilities, there is no requirement to do so, and QNAP is notoriously silent and opaque about the security of their software.

Personally, I believe the reason QNAP "has the power to assign a CVE ID" is so they can control the narrative of the vulnerability discovered. QNAP even (I have no idea how) some security guy redact the vectors of some the the PHP code vulnerabilities once QNAP assigned a CVE number for the vulnerabilities he published.

You mention that you let the NAS perform the auto-update, so this highlights two areas that I have a concern with;
1. The NAS can initiate some outbound connections, have you looked at blocking outbound sessions initiated by the NAS?
2. Each time a QTS update is performed, QNAP - in their infinitely retarded wisdom - re-installs some of the apps that have been manually uninstalled (this really p.i.s.s.e.s me off), and perhaps it is one of those apps that is initiating an outbound session whereby some nasty poop hitches a ride back to the NAS. (I'm looking at you pos HelpDesk). :evil:

So, who knows if the Malware log entry you are seeing is a false positive of not, but given QNAPs lack of transparency and poor PHP coding skillz, I would not be surprised if the alert was true, and I also would not be surprised if QNAP tells you go an pound sand when you ask for details about the Malware log report. :roll:
Last edited by jaysona on Fri Aug 28, 2020 11:11 am, edited 2 times in total.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

User avatar
OneCD
Ask me anything
Posts: 8088
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD » Fri Aug 28, 2020 10:58 am

maffle wrote:
Fri Aug 28, 2020 8:56 am
Totally nonsense. Obviously I also never did use uPNP... uPNP... with OpenWRT... LOL
Alastair's suggestions are good general advice for those who may not know the inside of their router as well as they could.

It may not apply to you, but will apply to many others. :geek:

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

User avatar
jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Fri Aug 28, 2020 11:10 am

OneCD wrote:
Fri Aug 28, 2020 10:58 am
Alastair's suggestions are good general advice for those who may not know the inside of their router as well as they could.

It may not apply to you, but will apply to many others. :geek:
While that is true, Alastair was responding specifically to someone, someone that included specifics about their network environment. The mention of UPnP in Alastair's response was completely useless and not applicable in that context, it also demonstrated a lack of knowledge about the environment for which he was responding.

It is far more helpful for people to not respond to things they are unsure of vs just spewing out the typical check-list stuff of things to look at, even when a particular check-list item in not applicable.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

P3R
Guru
Posts: 12379
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Fri Aug 28, 2020 2:48 pm

maffle wrote:
Fri Aug 28, 2020 8:56 am
I am 99% sure, if this alarm is true, there is some other way QNAP never told in the media about, maybe an inside job of one of their apps itself.
It's unlikely but definitely a possibility.

Did you buy the NAS new or used?
I honestly started to hate this NAS from day 1...
You didn't have to tell us, it shows in your posts.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

AlastairStevenson
Experience counts
Posts: 2253
Joined: Wed Jan 08, 2014 10:34 pm

Re: QSnatch Malware - What to do?

Post by AlastairStevenson » Fri Aug 28, 2020 4:43 pm

While that is true, Alastair was responding specifically to someone, someone that included specifics about their network environment. The mention of UPnP in Alastair's response was completely useless and not applicable in that context, it also demonstrated a lack of knowledge about the environment for which he was responding.

It is far more helpful for people to not respond to things they are unsure of vs just spewing out the typical check-list stuff of things to look at, even when a particular check-list item in not applicable.
Who rattled your cage?
Sure, I hadn't linked the lack of UPnP in OpenWRT, but that's no reason to slag off a response which has applied to so many people who are unaware of the risks of UPnP being enabled by default.

Just chill, OK.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.

Post Reply

Return to “Miscellaneous”