Dear customer, critters are crawling through your precious files

Understanding real-world evidence of QSnatch clean-up results and user experiences after warnings from the ISP


Abstract

As IoT devices become widespread in people's homes, adversaries are busy exploiting their vulnerabilities. One such device is the NAS made by the company QNAP. Unfortunately, these devices are prone to the QSnatch malware. Unlike earlier IoT malware such as Mirai, which lives only in memory and is gone after a reboot, QSnatch settles deeper into the machine and gains reboot persistence. We therefore classify it as persistent IoT malware, in contrast to the non-persistent IoT malware seen before. This affects the clean-up: changing the passwords and rebooting the device is not enough to remove the malware, so further steps are needed to get rid of it. Looking at the NAS market, we see that the manufacturers of these devices have little incentive to invest heavily in their security. It is then hard for customers to judge which devices are secure, and they are mainly tempted by discounts and by devices that can be set up quickly. The ISP is the link in the process that, with the help of the non-profit organisation Shadow Server, can determine which of its customers may be infected with certain malware. Shadow Server operates sinkhole servers that receive the malicious traffic and forwards the corresponding IP addresses to the ISP. The ISP then knows which customer may be infected and can inform them. This also happens for the QSnatch malware: the ISP sends the affected customer a notification informing them about the infection and providing steps to clean their device. These steps are a simplified, Dutch-translated version of the steps provided by QNAP. From that moment on, it is up to the infected customer to take action. Previous research has made a tremendous effort to understand what infected customers do to remediate the problem and showed that various resources could be used by the ISP to improve the results of this process.