Malware changes the hosts file so users can’t update their antivirus

The company’s customers do not know whether this flaw has more serious consequences

According to network security and ethical hacking experts from the International Institute of Cyber Security, multiple users of QNAP, a manufacturer of network-attached storage systems, report having been affected by an unknown error that disables automatic updates of their antivirus software.

The consequences of this incident are still unknown, but affected clients report that the most visible effect is the addition of about 700 entries to the /etc/hosts file that redirect requests to the IP address 0.0.0.0.

A QNAP client, identified in the company’s forum as ianch99, stated that this incident prevented their antivirus software from updating automatically, as all update requests to the vendor’s site were hidden. Some other users say that MalwareRemover, a tool included in all QNAP devices, has multiple flaws, although specialists in network security have not been able to confirm whether there is any relationship between these two security issues.

“Updates can be installed if additional entries are removed, but they will be re-activated after the system is rebooted,” reports user ianch99. A Reddit user subsequently published a script, allegedly developed by QNAP itself, to correct this error; apparently this is the only known solution for this incident so far.

Multiple clients of the company voiced their concern about the company’s lack of communication about this incident; “Many QNAP users might be able to do something to correct the problem if the company shared more information,” a user posted in the company’s public chat.

Prominent members of the cybersecurity community have asked QNAP for an official statement, but the company has not yet responded to these requests.

According to specialists in network security, a couple of years ago a critical failure was discovered in the firmware of the Taiwan-based company, which caused severe damage to the data of RAID units “due to wrong performed calculations”. Weeks later this glitch was corrected with a software update.

The /etc/hosts file maps domain names looked up on the host machine to specific IP addresses; customers commonly use it to block unwanted sites.

Although the file is very easy to use, this same simplicity makes it an attractive target for malware developers, who try to disable anti-malware updates so that their attacks are more likely to succeed.
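
The check below is an added example, not code from QNAP or from the forum and Reddit posts mentioned above: it parses hosts-file text, lists every name mapped to an unspecified address such as 0.0.0.0, and flags the names that fall under a watch list of update domains. The sample entries and the watch-list domain av-vendor.example are constructed placeholders, and the watch list itself is an assumption that the administrator fills in.

```python
import ipaddress

# Constructed sample in /etc/hosts format; every name is a placeholder.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     update.av-vendor.example   # constructed sinkhole entry
0.0.0.0     sigs.av-vendor.example www.av-vendor.example
192.0.2.10  nas.lan.example
0.0.0.0     ads.tracker.example
"""

# Assumption: the admin supplies the domains the device needs for updates.
WATCHLIST = ("av-vendor.example",)


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each valid hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        yield line_no, addr, [n.lower().rstrip(".") for n in fields[1:]]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (sinkholed, blocked): names sent to 0.0.0.0 or ::, and the watch-list subset."""
    sinkholed, blocked = [], []
    for line_no, addr, names in parse_hosts(text):
        if not addr.is_unspecified:
            continue  # a normal mapping, e.g. localhost or a LAN host
        for name in names:
            sinkholed.append((line_no, name))
            # Match the domain itself or a subdomain, not a mere string suffix.
            if any(name == d or name.endswith("." + d) for d in watchlist):
                blocked.append((line_no, name))
    return sinkholed, blocked


if __name__ == "__main__":
    # On a live system, pass open("/etc/hosts").read() instead of the sample.
    sinkholed, blocked = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(sinkholed)} names mapped to an unspecified address")
    for line_no, name in blocked:
        print(f"line {line_no}: update domain blocked: {name}")
```

A sudden jump in the number of sinkholed names, or any hit in the second list, is worth investigating even when the file is also used for deliberate site blocking.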