I’m going to go ahead and pat myself on the back for setting up a Google Alert for the words “Qnap” and “malware.” I use one of the company’s NAS boxes, as do many others, and now I have a chance to inoculate my device against a nasty new strain of malware that’s making the rounds.
QSnatch, as the malware is known, injects code into the firmware of your QNAP NAS box, which then has the power to call out to a command-and-control server to dump additional code onto your device. Ultimately, writes the Finnish National Cyber Security Centre, QSnatch can perform the following:
Change all passwords for all accounts on the device
Remove unknown user accounts from the device
Make sure the device firmware is up-to-date and all of the applications are also updated
Remove unknown or unused applications from the device
Install QNAP MalwareRemover application via the App Centre functionality
Set an access control list for the device (Control panel -> Security -> Security level)
In other words, your NAS box is basically hosed.
How can you prevent this? Fire up your NAS box, log into the web-based interface (which you can do, easy-mode, by installing Qfinder Pro), and update your device’s firmware. You’ll likely be prompted to do so, if an update is available, as soon as you log in. If not, there will be an option to check for updates within your NAS box’s Settings screen.
I’d click that just to make sure you’re running the latest version of QNAP’s firmware for your device. However, your NAS box might be old, like mine, and not have that update. Ugh. In that case, there are a few other steps you can try.
First, make sure you’re using the latest version of QNAP’s Security Counselor—if applicable. Pull up your NAS box’s “App Centre.” If Security Counselor is installed, you should be able to update it; if not, you should be able to find it and install it. Either way, open up the latest version of the app and run a full scan on your system.
It’s possible your older NAS box might not be able to run Security Counselor. If so, let’s continue. You should also be able to install and run the “Malware Remover” app from the Security section of QNAP’s App Centre. That’s at least a great way to remove QSnatch from your NAS box (even if nobody yet knows how it infects NAS boxes in the first place). Make sure you’re running version “18.104.22.168” or “22.214.171.124” of the app, advises QNAP, to make sure it can detect and eliminate QSnatch.
QNAP also advises that you enable “IP and account access protection,” disable SSH and Telnet if you aren’t using these connections, and don’t use default port numbers on your NAS box—all settings you can easily change via QNAP’s helpful instructions.
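Once you have changed those settings, you can confirm from another computer on your own network that they took effect. The following is an added example, not code from the article or from QNAP: it tries the usual SSH, Telnet and web-admin ports on your NAS and reports anything that still answers. The port numbers (22, 23, 8080, 443), the banner heuristics and the placeholder address are assumptions, not values from the article.

```python
import socket
import sys

# Assumed defaults (not from the article): adjust to match your own NAS.
DEFAULT_PORTS = {
    22: "SSH (default port)",
    23: "Telnet (default port)",
    8080: "web admin over HTTP (default port)",
    443: "web admin over HTTPS (default port)",
}

def probe(host, port, timeout=2.0):
    """Return None if the port is closed, else the first bytes the service sends."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(64)      # SSH and Telnet servers speak first
            except OSError:            # web servers wait for the client: no banner
                return b""
    except OSError:
        return None

def identify(banner):
    """Heuristic: recognise SSH or Telnet from the first bytes, on any port."""
    if banner.startswith(b"SSH-"):
        return "SSH"
    if banner.startswith(b"\xff"):     # Telnet option negotiation starts with IAC
        return "Telnet"
    return None

def audit(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Return [(port, service)] for every checked port that accepts connections."""
    findings = []
    for port in sorted(ports):
        banner = probe(host, port, timeout)
        if banner is not None:
            findings.append((port, identify(banner) or ports[port]))
    return findings

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"  # placeholder address
    results = audit(host)
    for port, service in results:
        print(f"[!] {host}:{port} still answers: {service}")
    if not results:
        print(f"[ok] none of the checked ports answered on {host}")
```

If you moved a service to a custom port, add that port to the dictionary to check that SSH or Telnet is not still listening there.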
Otherwise, if none of these solutions help—and you find your system infected—a full factory reset should clear the malware out. Don’t forget to back up your data elsewhere before you wipe everything.