A mysterious code prevents QNAP NAS devices to be updated

Pierluigi Paganini February 11, 2019

Users of QNAP NAS devices are reporting through QNAP forum discussions of mysterious code that adds some entries that prevent software update.

Users of the Network attached storage devices manufactured by QNAP  have reported a mystery string of malware attacks that disabled software updates by hijacking entries in host machines’ hosts file.

According to the users, the malicious code adds some 700 entries to the /etc/hosts file that redirects requests to IP address


The user ianch99 in the QNAP NAS community forum reported that the antivirus ClamAV was failing to update due to clamav.net host file entries.

“Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to e.g.” wrote
the user ianch99.

“ bugs.clamav.net current.cvd.clamav.net database.clamav.net db.local.clamav.net update.nai.com db.ac.clamav.net db.ac.ipv6.clamav.net db.ac.big.clamav.net

As they are all set to, the ClamAV update fails. If you remove these entries, the update runs fine but they return on after rebooting.”

Other users reported similar problems with the MalwareRemover, but it is still unclear if the events are linked.

QNAP provided a script that could help users to restore normal operations deleting the mysterious entries.

QNAP hasn’t confirmed that the incidents were caused by a malware.

“Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!” wrote the user P3R.

“The real problems that I see with Qnap are:

  • The marketing is pushing the private cloud message and tell users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that doesn’t understand the risks and the last part is a lie.
  • Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.”
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – NAS, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

you might also like

leave a comment