
posted by Fnord666 on Wednesday July 29 2020, @12:22PM
from the snatching-your-data dept.

UK/US Governments Warn of QNAP NAS Malware:

The UK and US governments have issued another joint cybersecurity alert, this time warning organizations about a strain of malware targeting network attached storage (NAS) devices from QNAP.

As of mid-June, the QSnatch malware (aka "Derek") had infected 62,000 devices worldwide, including 3900 in the UK and 7600 in the US, according to the notice from GCHQ's National Cyber Security Centre (NCSC) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

This is the result of two campaigns, one running from 2014 to mid-2017 and the other starting in late 2018.

[...] QSnatch apparently features a credential scraper, SSH backdoor, CGI password logger, webshell functionality and the ability to exfiltrate a predetermined list of files, including system configs and log files.

It is said to achieve persistence by modifying the system hosts file to redirect domain names to out-of-date versions in order to prevent updates from installing on the NAS device itself.
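One way a defender can check for the hosts-file tampering described above, written here as an added example in Python (not code from the article, QNAP, or the NCSC/CISA notice): it parses a hosts file and flags public-looking names that have been pinned to non-loopback addresses. The sample file and its vendor.example names are constructed; the article does not name the domains QSnatch redirected, so the heuristic is generic to any appliance whose hosts file should hold little more than loopback lines and its own name.

```python
import ipaddress

# Constructed sample (not a real QNAP hosts file): the first three lines are what an
# appliance normally carries; the last two pin public update names to a fixed address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   nas01 nas01.lan           # the device's own name: normal
203.0.113.7 update.vendor.example     # constructed: public name overriding DNS
203.0.113.7 download.vendor.example   # constructed
"""

# Suffixes that legitimately resolve only inside a home or office network.
LOCAL_SUFFIXES = (".local", ".lan", ".localdomain", ".home", ".internal")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.
    Comments, blank lines, malformed address fields and odd whitespace are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; the resolver would ignore this line too
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text, own_names=()):
    """Return (ip, hostname) for every entry that pins a dotted, non-local hostname to a
    non-loopback address. Such an entry overrides DNS for that name, which is exactly how
    an update or download domain can be silently steered to a stale server."""
    own = {n.lower() for n in own_names}
    flagged = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or name in own:
            continue
        if "." in name and not name.endswith(LOCAL_SUFFIXES):
            flagged.append((str(ip), name))
    return flagged
```

Run `suspicious_entries(open("/etc/hosts").read(), own_names=["nas01"])` on the device and review every line it returns; a clean appliance returns an empty list.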

The NCSC/CISA urged administrators to follow the guidance issued by QNAP last November.

[...] "Organizations that are still running a vulnerable version must run a full factory reset on the device prior to completing the firmware upgrade to ensure the device is not left vulnerable."


  • (Score: 3, Interesting) by JoeMerchant on Wednesday July 29 2020, @03:46PM (13 children)

    by JoeMerchant (3937) on Wednesday July 29 2020, @03:46PM (#1028142)

    Never trust email attachments, not even from people you know, because they may have malware that sends out malware.

    That's how I got my first virus: Happy '99 - displayed a little firework animation, and fucked with your system sending itself to your e-mail contacts as if it came from you. I was expecting photos from my contact, and clicked on an .exe attachment sent from their address without thinking about it (I knew better, but had never-ever been infected with anything before that....)

    --
    🌻🌻 [google.com]
  • (Score: 2) by RS3 on Wednesday July 29 2020, @04:05PM (12 children)

    by RS3 (6367) on Wednesday July 29 2020, @04:05PM (#1028152)

    Numerous much-too-easy jabs aside (since you are so forthcoming), there were a few .exe files that were a legit pic show.

    That said, not sure if I remember correctly, but I thought somewhere I've read that even .jpg can contain executable code, or be an exe and WinDope will run it, but I may be full of summer's hot air.

    (no that wasn't a reference to a stripper named "Summer"... :)

    • (Score: 2) by JoeMerchant on Wednesday July 29 2020, @05:24PM (8 children)

      by JoeMerchant (3937) on Wednesday July 29 2020, @05:24PM (#1028186)

      Something to remember:

      7+ billion people on this planet

      Even if I.Q. is a meaningless overall statistic, something like it still applies in pretty much every area of life. This means (as George Carlin pointed out) 3.5 billion people with an I.Q. of 100, or lower.

      What kind of "virus safe behavior" I.Q. do you think it takes to not accidentally launch an executable attachment? I'd go with top 10% of most computer users for that one... leaving literally billions of vulnerable targets out there.

      In my own defense, my I.Q. in any particular area tends to vary based on all kinds of things including focus and fatigue... that particular night I think I was only 10% focused on what I was doing with the e-mail (supposed to be relaxing in the evening) and 70% fatigued.

      It's the same with operating motor vehicles - we tend to expect drivers to have a driving I.Q. of 70 or better when they're behind the wheel; DUI can easily depress that number below 70.

      --
      🌻🌻 [google.com]
      • (Score: 3, Interesting) by RS3 on Wednesday July 29 2020, @06:52PM (7 children)

        by RS3 (6367) on Wednesday July 29 2020, @06:52PM (#1028228)

        I'm sorry, you took me too seriously. We're all human and do things we wonder what were we thinking? Force of habit, tired, distracted, etc. Sometimes I do things (including writing on SN) in an almost adventurous way.

        First virus I remember getting was around 1995. Not sure who brought it into the company nor how. All I know is I used to have a habit of write-protecting floppies, and I was simply reading from a floppy but got a "write protect" error. Hmmm, that's odd I thought. I don't remember the steps I took to figure it out, but one was looking at raw sectors and disassembling the boot loader code in the floppy. I was somewhat familiar with what it was supposed to look like and do, and this very clever code did many things including "undocumented DOS" calls that seemed to copy it into all boot loaders of all available disks. And maybe the calls were in fact virus code hooks (?). One of the available virus scanners identified it right away. I don't know if the virus did any harm though.

        In general I like having visual indication of network activity- an LED, etc. I use a little toolbar app in Windows for example. One day years ago I downloaded something iffy and just flat-out ran it. I started noticing network activity- when I wasn't calling for any. Pulled the HD, scanned it with another machine, cleansed it, and now I scan most downloads on virustotal or jotti.

        My ISP has had a pretty good email scanner that has caught a few. Between computer malware and human malware I'm growing weary, as I think we all are.

        • (Score: 3, Interesting) by JoeMerchant on Wednesday July 29 2020, @07:25PM (6 children)

          by JoeMerchant (3937) on Wednesday July 29 2020, @07:25PM (#1028244)

          The stoned floppy virus circulated pretty widely at my University in the late 1980s - I don't think I ever got it on a floppy of mine, but I certainly knew lots of people who did. It would embed in the partition table of the host machine and spread to every floppy inserted.

          The days of knowing something is wrong when you see a little disk or network activity are long gone on the "normal" desktop - maybe some specialized systems, but around my house those network activity lights never stop.

          The big one in my house is my wife opening malicious websites, particularly Facebook related. She (or maybe Chrome) has gotten pretty good at recognizing them, hasn't called me in in over a year, but there was a period where every few days I'd have to handle shutdown of her browser/computer lest she get caught in the infinite loop of some malware offering to fix itself if you just call this number or send them $39.95 for a virus cleaning service...

          --
          🌻🌻 [google.com]
          • (Score: 2) by RS3 on Wednesday July 29 2020, @09:11PM (5 children)

            by RS3 (6367) on Wednesday July 29 2020, @09:11PM (#1028304)

            It may well have been "stoned". All I know is I saved one of them for future research and put a skull and crossbones on it. :)

            I use a toolbar extension called "netspeed monitor". You may well like it. I turn off the SQLite traffic monitoring.

            Would your wife be okay with 2 machines? Or maybe you could set up a Docker or something else for Facebook, etc? Or maybe that's most of what she does- no banking (cough cough) or online buying on that machine for example. (Cough cough- hope I'm not catching something... /s )

            I use a lot of blockers in my Chrome-derived Vivaldi, but it just hit me- I wonder if there are anti-malware extensions... I'll search later when I might have time...

            • (Score: 2) by JoeMerchant on Thursday July 30 2020, @12:07AM (4 children)

              by JoeMerchant (3937) on Thursday July 30 2020, @12:07AM (#1028382)

              She's on a Windows laptop, not likely to use a 2nd machine much... just how our physical layout works here.

              We've never, ever run anything like Kaspersky or Norton Antivirus - over the past 30 years I think I can safely say: viruses have caused me MUCH less headache than those antivirus programs have caused the people who use them.

              On the other hand, the DSL later cable modem isolation by a router/NAT firewall has been golden armor - once I had a router that defaulted uPnP active and that left an IP camera unintentionally exposed to the internet for a couple of years before I noticed, not that it mattered, but it was pretty shocking when I discovered it.

              --
              🌻🌻 [google.com]
              • (Score: 2) by RS3 on Thursday July 30 2020, @04:35AM (3 children)

                by RS3 (6367) on Thursday July 30 2020, @04:35AM (#1028479)

                Same here re: anti-virus. Well, I've run a few now and then- ones I'm pretty confident of. I don't let them make decisions for me. ClamAV is pretty good but well known to have many false-positives.

                I've run several on other people's computers, certainly various work / office clients. I had one on my mom's computer some years ago that really stayed out of the way, and that was P3 days, and I can't remember its name. One place I do work at was using Avast. After that Avast spyware scandal I wanted them to remove it. They didn't renew the license and someone removed it recently. They're really in no danger, although they got hit with ransomware 3 years ago (before I met them) and it caused a huge mess.

                I've been using McAfee "Real Protect" and I don't mean to be a shill, but it's awesome. It does not churn and grind- rather it just watches Windows' key system files and RAM, and flags if something tries to make a change. I've very rarely had it raise a flag, but it felt good that it really does what they say it does. You might check it out. You have to download "McAfee Stinger" and run it and it'll install Real Protect, which is very easy to remove. Real Protect will run until there's a new version, then you just won't see the lower right-hand icon anymore and you have to download and run Stinger again. It's a good deal.

                As a rule I turn off pretty much all unneeded Windows services, certainly UPNP and SSDP and Peer Name crap and HomeGroup and pretty much everything that does some kind of dangerous network stuff. Yeah, same goes for gateway/router- no ports open.

                I wonder how many people found your camera... :)

                • (Score: 2) by JoeMerchant on Thursday July 30 2020, @01:25PM (2 children)

                  by JoeMerchant (3937) on Thursday July 30 2020, @01:25PM (#1028585)

                  I found the uPnP hole because of a couple of outside connections to the camera I found while reviewing the logs, I think they originated in eastern Europe. There are bots that scan for those things all over... they got a good look at my yard outside - maybe saw the UPS man drive up, that's what we use it for.

                  --
                  🌻🌻 [google.com]
                  • (Score: 2) by ledow on Thursday July 30 2020, @02:55PM (1 child)

                    by ledow (5567) on Thursday July 30 2020, @02:55PM (#1028659)

                    uPNP is a stupid idea. Turn it off on your router.

                    On your local network, UPNP can be used for clients to discover each other on the local subnet. No problem. Your Chromecast will find your NAS, or your XBOX will find your router.

                    What's STUPID is the part of uPNP that sits on the router and - and this is not exaggeration -:

                    - Accepts any packet from the local network with a uPNP request.
                    - Opens the port on the router from the outside world as specified in that packet.
                    - Redirects all traffic to/from that port to the device that asked for it, on the port that it asks for.
                    - Never, at any point, asks for authorisation for this.
                    - Often, with most routers, silently, without warning, and without record, log or page where you can check what it's forwarding and for whom.

                    So literally one packet on your local network, and I expose your Samba port to the Internet, or poke myself a direct hole to your Samba port on your machine, or the admin port on the local router, or anything I like. Literally any outside IP, any incoming port, to any internal IP, on any internal port.

                    Without you knowing.

                    It's ridiculous, stupid, dangerous and unnecessary. Turn it off on all your routers. No, not the *client* part on your laptop. On the router. Everything else can have uPNP stay on, that's an entirely different part of the protocol.

                    And watch as all your torrents, XBoxes, online gaming, matchmaking, Skype, whatever.... don't care a jot and work perfectly well without it.
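The mapping table the router has built up this way can at least be read back over the same protocol. The following is an added Python example (not ledow's code or any vendor's tool) that walks the table with the standard IGD action GetGenericPortMappingEntry and prints one audit line per forwarded port. It assumes the router exposes the WANIPConnection:1 service and that you already have its control URL from the device description XML; the two reply strings are constructed samples so the audit logic can run offline.

```python
import urllib.error, urllib.request
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"  # IGD service that owns the NAT mapping table

# Constructed sample replies (not captured from a real device): one mapping at index 0, then a Fault.
SAMPLE_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>'
    '<NewPortMappingDescription>ipcam</NewPortMappingDescription>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault/></s:Body></s:Envelope>'

def build_soap(index):
    """Body for GetGenericPortMappingEntry: asks for table entry `index` (a Fault comes back past the end)."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Dict of the reply's New* fields with the prefix stripped; None for a Fault or a reply with no mapping."""
    fields = {el.tag.split("}")[-1]: (el.text or "").strip() for el in ET.fromstring(xml_text).iter()}
    return {k[3:]: v for k, v in fields.items() if k.startswith("New")} if "NewExternalPort" in fields else None

def http_fetch(control_url, body):
    """Real transport: POST the SOAP body to the IGD control URL (routers deliver Faults with HTTP 500)."""
    req = urllib.request.Request(control_url, data=body.encode(), method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.read().decode()

def list_mappings(control_url, fetch=http_fetch):
    """Walk the table from index 0 until the router stops returning mappings (hard stop at 4096 entries)."""
    found = []
    while len(found) < 4096 and (entry := parse_mapping(fetch(control_url, build_soap(len(found))))) is not None:
        found.append(entry)
    return found

def describe(m):  # one audit line per mapping; an empty RemoteHost means any Internet host may connect
    return (f'{m["Protocol"]} {m.get("RemoteHost") or "ANY"}:{m["ExternalPort"]} -> '
            f'{m["InternalClient"]}:{m["InternalPort"]} "{m["PortMappingDescription"]}"')

def demo():  # runs the audit offline against the constructed samples; use list_mappings(url) for a real router
    offline = lambda url, body: SAMPLE_REPLY if "Index>0<" in body else SAMPLE_FAULT
    return [describe(m) for m in list_mappings("offline", offline)]
```

Anything listed that you did not deliberately forward is a hole some LAN device opened for itself; since most routers keep no log of these requests, this table is usually the only record.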

                    • (Score: 2) by JoeMerchant on Thursday July 30 2020, @03:44PM

                      by JoeMerchant (3937) on Thursday July 30 2020, @03:44PM (#1028710)

                      Yeah, I was pretty shocked that such a "feature" existed on a box that amounts to 99% of my home cybersecurity plan.

                      It's the sort of thing that should come with a BLACKBOX warning on page 1 of the manual, repeating at the start of the chapter it's in, again on the page, along with a flashing red message on the PDF versions, and with all that, it should still be off by default.

                      I'm sure it was created for the "plug and play, just works" crowd, and 90% of the world will write great reviews for products that all they have to do is plug it into the wall and their widgets are doing whatever it is they expected them to do when they bought them, without having to read (or know) anything about how it works.

                      --
                      🌻🌻 [google.com]
    • (Score: 2) by PartTimeZombie on Wednesday July 29 2020, @11:09PM (2 children)

      by PartTimeZombie (4827) on Wednesday July 29 2020, @11:09PM (#1028349)

      Windows has always turned file extensions off by default, so scammers know that if their worm is named nudevolleyball.exe.jpg every man and his dog will try to open it because everyone knows .jpgs are pictures.

      That is how the Anna Kournikova virus was spread so widely.

      • (Score: 2) by RS3 on Thursday July 30 2020, @04:09AM

        by RS3 (6367) on Thursday July 30 2020, @04:09AM (#1028468)

        Nyet comrade. In Soviet Russia, Anna Kournikova virus spreads YOU!

      • (Score: 2) by Booga1 on Thursday July 30 2020, @06:03AM

        by Booga1 (6333) on Thursday July 30 2020, @06:03AM (#1028505)

        I remember a virus that tried to dodge that even for people that had file extensions set to visible. It was brilliantly long enough to make it truncated even when viewing it in File Explorer.
        It had the program icon of a Realplayer media file and a name like: HotTeens3sum.rm__________________________________________.exe

        P.S. Your example is slightly backwards. It should be "nudevolleyball.jpg.exe"