As Dell SecureWorks’ network security analyst David Shear and I were continuing our security research involving digital currency, we spotted some interesting blog posts. As early as February 8th of this year, computer users began to notice their Synology Network Attached Storage (NAS) boxes were performing sluggishly and had a very high CPU usage. As a result, investigations ensued and eventually a Facebook post, directed at Synology, was made. Ultimately, it was discovered that the cause of the excessive resource consumption was due to illegitimate software that had infected the systems, which ironically, was stored in a folder labeled "PWNED".

Background

For clarification, Synology Inc. is a Taiwanese company well known for its NAS systems. NAS systems are file "servers" attached to a network. Synology NAS boxes are sought after for their simplicity in setup and usage. As a result, they have a large customer base, especially with home users. The DSM (DiskStation Manager), a custom Linux-based operating system designed for use on their products, had four unique vulnerabilities that allowed an attacker to breach the system and gain administrative privileges. Andrea Fabrizi disclosed these in September of 2013. In his disclosure, Fabrizi detailed which versions of the DSM were affected. According to Synology, patches for the vulnerabilities were released shortly after their disclosure. They also released a patch in February 2014 to help affected users resolve any issues stemming from the vulnerabilities. Further information on the release can be found on their website. Back in October of 2013, simply Googling for "site:synology.me" returned in excess of one million results. While this doesn't sound like a lot of results (as far as the number of results that Google can return), it is unique in meaning.others). By going to "something.synology.me", the user is routed directly to their NAS. As news of the DSM vulnerabilities gained popularity in the media, the Internet Storm Center noted a sharp rise in scanning traffic to port 5000 (the default port that Synology NAS boxes listen on), as seen below.

Figure 1 : Scan activity for port 5000, as recorded by the Internet Storm Center, Feb 1 2013 through May 9 2014

Exploitation and Analysis

Analysis of the samples found in the "PWNED" folder results in several interesting pieces of information. To begin with, the configuration file was found to contain the following data:

...
  "_comment1" : "Any long-format command line argument ",
  "_comment2" : "may be used in this JSON configuration file",
  "url" : "http://178.254.21.142:8332",
  "user" : "foilo.root3",
  "pass" : "test",
  "quiet" : true
...

This combination of parameters, coupled with the destination port (8332), screamed "cryptocurrency". Upon further investigation, we were proven correct in our assumption - we found that the malware was CPUMiner [1] [2], compiled specifically for the Synology platform. As the configuration above suggests, CPUMiner connected out to a server located at "178.254.21.142" on port 8332. This address was not known to any publicly available mining pools, and was thus likely a private pool used by the threat actor for personal gain. The Stratum protocol is widely used and well documented. When a miner (in this case, one of the enslaved Synology NAS units) connects to the pool to get work, the pool returns a JSON message describing the job, which we were able to leverage for further information. Seen below is a sample mining.notify message, sent as work to the miner.

{
  "params": [
    "6297",
    "4daa3d256a59a00e4c36881ae9376c7ceded2d67eac644006aa1b9baf813aa87",
    "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703977f01062f503253482f04d2ddfb5208",
    "0d2f7374726174756d506f6f6c2f0000000001d72c32dbe31700001976a9143101d4546a4d8c58c0ce377dd9fb36a0d1d531ac88ac00000000",
    [
      "139dc33379f83f8d06fe22d05372a3e87997ecbeb13c2b2208d62a82903a43f5",
      "f2bb0db263916d916fd1f20316589cdd4a922d5d65d72a20054b4f8d8c765d85",
      "5a9f77338e1c3fb3085c50d07628cdd099f6c7f5034a1a6fc7b10ac232df88d0",
      "15ce61179c7d6d593ad15634bf1ed7e2267b93e27ff676afe96df50bdd0a8ff2",
      "0b5a9eef6febbf563647eb39c71af0ea05de3c2a38e15c1580948adf73949d95"
    ],
    "00000002",
    "1b25cb1f",
    "52fbddd1",
    true
  ],
  "id": null,
  "method": "mining.notify"
}

The first piece of information that is of importance is the string "4daa3d256a59a00e4c36881ae9376c7ceded2d67eac644006aa1b9baf813aa87", which is an encoded representation of the previous block on the blockchain.

This string is the hash stored as eight 32-bit words in reverse order. Once unpacked into the byte order that block explorers display, the resulting block hash was found to be "f813aa876aa1b9baeac64400eded2d67e9376c7c4c36881a6a59a00e4daa3d25", which we then Googled and explored.

As is clear from the Google search, Bitcoin was not the currency being mined; Dogecoin was. Also contained in the work request above, in the coinbase payout script, is the hash of the botmaster's public key, which corresponds to the Dogecoin wallet address "D9cDqmVjYXdeDjMtXSV7Z3LgiHvRZ12bPX".
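The two decoding steps described above, worked through as an added example that is not part of the original post: reversing the prevhash words to get the explorer-style block hash, then rebuilding the coinbase transaction from the two halves in the mining.notify message to pull out the block height and the payout pubkey hash, and Base58Check-encoding that hash with Dogecoin's 0x1E prefix. The extranonce bytes are assumed to be zero (they sit inside the scriptSig and do not affect the payout script), and the resulting address can be compared with the one quoted in the post.

```python
import hashlib

# Constructed from the mining.notify message quoted in the post; only the fields this
# example needs are reproduced. The 32 zero bytes of the coinbase prevout are built
# with "00" * 32 rather than typed out.
NOTIFY = {
    "prevhash": "4daa3d256a59a00e4c36881ae9376c7ceded2d67eac644006aa1b9baf813aa87",
    "coinb1": "0100000001" + "00" * 32 + "ffffffff2703977f01062f503253482f04d2ddfb5208",
    "coinb2": "0d2f7374726174756d506f6f6c2f0000000001d72c32dbe31700001976a914"
              "3101d4546a4d8c58c0ce377dd9fb36a0d1d531ac88ac00000000",
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def stratum_prevhash_to_blockhash(prevhash_hex):
    """Stratum sends the previous hash as eight 32-bit words; the block-explorer
    form is those same words in reverse order."""
    words = [prevhash_hex[i:i + 8] for i in range(0, 64, 8)]
    return "".join(reversed(words))

def parse_coinbase(coinb1_hex, coinb2_hex, extranonce=b"\x00" * 8):
    """Rebuild the coinbase tx the miner would hash (coinb1 + extranonce + coinb2)
    and return the BIP34 block height, the reward in koinu and the payout HASH160."""
    tx = bytes.fromhex(coinb1_hex) + extranonce + bytes.fromhex(coinb2_hex)
    pos = 4 + 1 + 36                        # version, input count, prevout (hash + index)
    script_len = tx[pos]; pos += 1          # assumes a one-byte varint (< 0xfd)
    push = tx[pos]                          # first push in scriptSig is the height (LE)
    height = int.from_bytes(tx[pos + 1:pos + 1 + push], "little")
    pos += script_len + 4                   # skip the rest of scriptSig and the sequence
    if tx[pos] != 1:                        # this coinbase pays a single output
        raise ValueError("expected exactly one coinbase output")
    pos += 1
    value = int.from_bytes(tx[pos:pos + 8], "little"); pos += 8
    out_len = tx[pos]; pos += 1
    spk = tx[pos:pos + out_len]
    # OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG is the P2PKH template
    if not (out_len == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac"):
        raise ValueError("payout script is not pay-to-pubkey-hash")
    return {"height": height, "value": value, "hash160": spk[3:23].hex()}

def p2pkh_address(hash160_hex, version=0x1E):
    """Base58Check-encode a HASH160; 0x1E is Dogecoin's P2PKH prefix ('D...' addresses)."""
    payload = bytes([version]) + bytes.fromhex(hash160_hex)
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out   # leading zero bytes -> '1'

if __name__ == "__main__":
    cb = parse_coinbase(NOTIFY["coinb1"], NOTIFY["coinb2"])
    print(stratum_prevhash_to_blockhash(NOTIFY["prevhash"]))
    print(cb["height"], cb["value"] / 1e8, p2pkh_address(cb["hash160"]))
```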

By exploring the Dogecoin blockchain for this address (as well as one other), we were able to tally a total mined value of over 500 million Doge, or roughly $620,496 USD (the bulk of which was earned in January and February of this year).

Figure 2 : Inbound Dogecoin to Each Wallet, Tracked Daily

To date, this incident is the single most profitable illegitimate mining operation we are aware of. This conclusion is based in part on prior investigations and research done by the Counter Threat Unit™, as well as further searching of the Internet. As cryptocurrencies continue to gain momentum, their popularity as a target for various malware will continue to rise (as can be seen here, in figure 1).

How to Remove the Dogecoin Mining Malware

Removal of the malware has been discussed at length in the Synology forums. We suggest checking out the forum thread for removal instructions and obtaining assistance.

Who is the Hacker or Hackers Behind this Synology Botnet?

Tracking a threat actor is frequently a wild goose chase that leads down many rabbit holes. In this case, we started our investigation by looking at the username found in the configuration file, "foilo.root3". Scouring Google brought back several interesting results, namely the threat actor's GitHub and BitBucket accounts. In browsing through some of the hacker's publicly available code, it becomes quite clear that "Foilo" is not new to the world of exploitation and malware.

By correlating some of the strings found in other configurations posted around the net (as this breach was coming to light) with his BitBucket page, the findings strongly indicate that the threat actor is of German descent. Regardless of who he actually is, the fact that he has been able to amass well over $600,000 USD speaks entirely for itself.