Detailed Explanation of QNAP Malware Remover 2.1.x


In response to the recent issue described in Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program, QNAP quickly released Malware Remover 2.1.0. Let’s take a look at this program in detail.

What It Helps With

If you are suffering from the CPUMiner reported by esper in disk_manage.cgi hogging CPU usage and by rf5000 in QNAP users take note! QTS 4.3.3 has been implanted with an XMR mining trojan, it is recommended not to upgrade for now! (QNAP用戶注意! QTS 4.3.3 被植入XMR挖礦木馬,建議先不要升級!), this package helps you remove it completely.

Installation

You may install it from [App Center] in QTS directly, or download it from here (a direct link to QNAP) and install it manually via ssh or [App Center]. Remember to unzip the downloaded file to get QDK_2.2.14.qpkg.

Install from App Center

[App Center] can be launched from [Main Menu] in the upper-left corner. [Malware Remover] can be found in the [Utilities] category, or just search for “malware”.

If you decide to upload it manually, click the gear icon in the upper-right corner of [App Center] to browse for and install QDK_2.2.14.qpkg.

Install in Terminal Manually

Enable [Allow SSH connection] in [Control Panel] → [Network Services] → [Telnet/SSH] tab, log in to QTS via ssh as admin and change to the directory where you uploaded QDK_2.2.14.qpkg. Run the package and it begins to install.

Here is the output when you install Malware Remover 2.1.0 for the first time.

[/share/Public] # ./MalwareRemover_2.1.0.qpkg 
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] #

Here is the output when Malware Remover is already installed; the package upgrades the existing version.

[/share/Public] # ./MalwareRemover_2.1.0.qpkg
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
MalwareRemover 2.1.0 is already installed. Setup will now perform package upgrading.
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] # 

Configuration File

The configuration file is saved in /mnt/HDA_ROOT/.config/qpkg.conf as:

[MalwareRemover]
Build = 20170504
Name = MalwareRemover
Display_Name = Malware Remover
Version = 2.1.0
Author = QNAP Systems, Inc.
QPKG_File = MalwareRemover.qpkg
Date = 2017-05-04
Shell = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh
Install_Path = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
RC_Number = 101
Enable = TRUE

What Has Been Installed

MalwareRemover_2.1.0.qpkg contains everything it installs. To extract a qpkg, you have to install QDK (QNAP Development Kit), which may be downloaded from GitHub. But I suggest following the [Install QDK] section in the QDK Quick Start Guide instead and installing it manually through [App Center]: get QDK 2.2.14, unzip the file, and upload QDK_2.2.14.qpkg. That is much easier.

If the installation succeeds, you will see QDK 2.2.14 in [MyApps].

Next, ssh in as admin and run qbuild to extract MalwareRemover_2.1.0.qpkg:

[/share/Public] # qbuild --extract MalwareRemover_2.1.0.qpkg ./MalwareRemover
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info

When you open the [MalwareRemover] directory, you will see data.tar.gz, which is not in the list above. It needs to be decompressed to find out what it contains.

Because this file is a tar archive compressed with gzip, use the following command to decompress and untar it in one step. If you are interested, Unpacking or uncompressing gz files under Linux and UNIX systems on nixCraft explains this type of compressed file in detail.

[/share/Public] # tar -zxvf data.tar.gz 
./
./MalwareRemover.sh
./.qpkg_icon_gray.gif
./.qpkg_icon.gif
./.gitkeep
[/share/Public] # 

Okay, now we know MalwareRemover_2.1.0.qpkg contains the following files:

  1. qpkg.cfg
  2. qinstall.sh
  3. package_routines
  4. built_info
  5. MalwareRemover.sh (in data.tar.gz)
  6. .qpkg_icon_gray.gif (in data.tar.gz)
  7. .qpkg_icon.gif (in data.tar.gz)
  8. .gitkeep (in data.tar.gz)

As we can see, qinstall.sh handles installation while MalwareRemover.sh is the actual removal shell script. Nothing in it is specific to x86-64. If you want to run this script on a NAS based on the ARM architecture, it is entirely possible. But on a different NAS brand, you would need to modify the environment variables and the directories it refers to.

One-Time-Only Shell Script

QNAP actually relies on MalwareRemover.sh alone to kill the malware process, remove its related files, and report to [System Logs]. But it applies to this case only; it is not a modern antivirus with a scan engine separate from a virus database. I suggest you download MalwareRemover_2.1.0.qpkg and keep it in a safe place.

According to the Link service start/stop script section in qinstall.sh, it will be executed automatically on every restart or power-on through the symbolic link /etc/init.d/MalwareRemover.sh, which points to /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh.

Update: 2.1.1 Adds a Regular Scan at 3:00AM Every Day

QNAP released a new minor version within 15 hours. I notice more messages in the system log, and the scan now runs automatically at 3:00AM every day.

More Messages With the Scheduled Scan

After comparing the two versions of MalwareRemover.sh, I notice that 2.1.1 has an extra variable, $ISCLEAN, and two more log messages: “[MalwareRemover] Scan completed.” and “[MalwareRemover] Scan completed and malware deleted.”.

These additions should be related to the new scheduled scan task.

Scheduled Scan Every Day

In package_routines, an extra entry has been added to cron. It will scan at 3:00AM every day. You will see a new scheduled task as below:

0 3 * * * /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh start

You may learn more about customizing cron in Admin’s Choice’s “Crontab – Quick Reference”.

What If My NAS Is Not Turned On at the Scheduled Time

Don’t worry: MalwareRemover.sh will be executed the next time you turn the NAS on, because there is a symbolic link to it in /etc/init.d.

Update: 2.1.2 Removes Another Malware

QNAP released another minor version 8 days later. It removes more malware this time. I notice a lot of new script code in MalwareRemover.sh.

Identify Models

I notice it needs to identify the model and assign a DEV_NAS_CONFIG value accordingly. Here is the branch for the TS-269H:

# Read the model name from the default config and pick that model's config partition
if [ x`/sbin/getcfg system model -f /etc/default_config/uLinux.conf` = xTS-269H ]; then
  DEV_NAS_CONFIG=/dev/mmcblk0p6
fi

Remove Another Malware

It also removes the following files when malware is detected:

  1. $QPKG_DIR/.myQNAPcloud
  2. $DEF_VOLMP/.log/.cgi_log
  3. /home/httpd/cgi-bin/authLogin.cgi
  4. /home/httpd/cgi-bin/syncTime.cgi

It renames a file:

  1. Rename /home/httpd/cgi-bin/QauthLogin.cgi to /home/httpd/cgi-bin/authLogin.cgi

And it kills some processes:

# Collect the PIDs of every lsof line that mentions qcloud_ag, then kill each one
pid=`lsof | grep qcloud_ag | tr -s " " | cut -d' ' -f2 | uniq`
for p in $pid; do
  ISCLEAN="N"
  kill -9 $p > /dev/null 2>&1
  /sbin/write_log "[MalwareRemover] Malwares process killed: qcloud_ag ($p)" 4
done
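As an added example (not QNAP’s script), here is a report-only variant of the process check above that takes the PID from the COMMAND column of lsof output instead of grepping whole lines, so a file name that merely contains “qcloud_ag” does not produce a false hit. The lsof output and the function names pids_for_cmd and scan_report are constructed for this example.

```sh
#!/bin/sh
# Added example, not QNAP's code. SAMPLE_LSOF is a constructed lsof listing;
# on a NAS you would feed the real `lsof` output in instead.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
qcloud_ag  1234 admin  cwd    DIR    8,1     4096    2 /share/CACHEDEV1_DATA/.qpkg
qcloud_ag  1234 admin  txt    REG    8,1    51200   17 /share/CACHEDEV1_DATA/.qpkg/.myQNAPcloud/qcloud_ag
sshd        901 admin  cwd    DIR    8,1     4096    2 /
qcloud_ag  5678 admin  cwd    DIR    8,1     4096    2 /tmp
vi         2222 admin  txt    REG    8,1    12345   31 /tmp/notes_qcloud_ag.txt'

# pids_for_cmd NAME: print the unique PIDs (space separated) whose COMMAND
# column equals NAME. Matching on field 1 skips the "vi" line above, which a
# plain `grep qcloud_ag` would match through its file name; sorting before
# uniq also catches duplicates that are not adjacent.
pids_for_cmd() {
    printf '%s\n' "$SAMPLE_LSOF" |
        awk -v name="$1" 'NR > 1 && $1 == name { print $2 }' |
        sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# scan_report NAME: mirror the 2.1.1 ISCLEAN logic, but only report what was
# found; nothing is killed. Prints one line per PID and a final summary line.
scan_report() {
    ISCLEAN="Y"
    found=$(pids_for_cmd "$1")
    if [ -n "$found" ]; then
        ISCLEAN="N"
        for p in $found; do
            echo "[MalwareRemover] Malware process found (not killed): $1 ($p)"
        done
    fi
    if [ "$ISCLEAN" = "Y" ]; then
        echo "[MalwareRemover] Scan completed."
    else
        echo "[MalwareRemover] Scan completed, malware present."
    fi
}

scan_report qcloud_ag
```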

Update: 2.1.3 Is a Fix for the TS-269H Only

In [Help] QNAP got hit by malware ([求救] QNAP 中咗malware) on HKEPC, TS-269H users report high CPU utilization after installing or upgrading to the latest Malware Remover 2.1.2. Because of this, everything becomes extremely slow.

The solution is to roll back to 2.1.1. tcbyxx shared his experience in #63 of that thread as below:

Malware Remover 2.1.3 was quickly released to TS-269H users on 2017/5/16 to fix this issue. Other models do not see this update.

I notice just a few differences in MalwareRemover.sh.

Difference

In 2.1.2, the code was:

/sbin/ldd /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1

In 2.1.3 it has been replaced by:

LDD=`which ldd`
$LDD /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1

ldd prints shared object dependencies; which locates an executable in the PATH. One thing to watch in the 2.1.3 form: if which finds no ldd at all, $LDD expands to nothing and the line runs /home/httpd/cgi-bin/authLogin.cgi itself instead of inspecting it. It seems there is a path issue in 2.1.2, which I cannot confirm.

References

  1. Admin’s Choice: Crontab – Quick Reference
  2. Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program
  3. GitBook: QDK – QPKG Development Kit
  4. GitBook: QDK Quick Start Guide
  5. GitHub: QDK
  6. HKEPC: [Help] QNAP got hit by malware ([求救] QNAP 中咗malware)
  7. Mobile01: QNAP users take note! QTS 4.3.3 has been implanted with an XMR mining trojan, it is recommended not to upgrade for now! (QNAP用戶注意! QTS 4.3.3 被植入XMR挖礦木馬,建議先不要升級!)
  8. nixCraft: Unpacking or uncompressing gz files under Linux and UNIX systems
  9. QNAP Forum: disk_manage.cgi hogging CPU usage
  10. QNAP: Malware Removal 2.1.0
  11. QNAP: Malware Removal 2.1.3
  12. QNAP: QDK 2.2.14
  13. QNAP: QTS
  14. QNAP: TS-269H
  15. Wiki: ARM architecture
  16. Wiki: Cron
  17. Wiki: ldd (Unix)
  18. Wiki: Secure Shell
  19. Wiki: Shell script
  20. Wiki: vi
  21. Wiki: which (Unix)
  22. Wiki: x86-64
