New crypto-currency malware targets NAS devices running Linux: Here’s how to protect network-attached storage from Dovecat

Network Attached Storage Dovecat malware
The Dovecat malware latches on to NAS drives to mine crypto-currency. Pic credit: Hämmerle S/Wikimedia Commons

A new malware strain targets NAS drives. There’s a new security advisory for users of Network Attached Storage (NAS) devices about Dovecat. It is a new malware strain that latches on to NAS devices to mine crypto-currency.

NAS drives aren’t powerful computing devices. However, users often relegate them to a dark closet. Now a new strain of older malware is silently infecting NAS drives and abusing its resources to mine crypto-currency.

NAS drive vendor issues security advisory about Dovecat malware strain:

Taiwanese hardware vendor QNAP published a security advisory about Dovecat. In addition to the slightly older strain of the malware, the new variant is actively targeting the company’s line of network-attached storage (NAS) devices.

While QNAP is one of the popular NAS drives or enclosure manufacturers, there are dozens of companies that make storage solutions that users can access through networks.

The new strain of Dovecat abuses local resources to mine cryptocurrency behind users’ backs. QNAP’s security advisory comes after the company began receiving reports from its users.

Incidentally, security researchers identified the first known strain of the Dovecat malware last year. Users of the company’s products had sent in complaints about two unknown processes.

Users observed two processes tagged as Dovecat and Dedpma were running non-stop and consuming the device’s memory.

Dovecat malware affecting NAS drives goes after Linux operating systems:

NAS drives aren’t computer systems in the traditional sense. They usually operate as “headless systems”. This basically means there’s no typical PC setup such as a monitor, keyboard, mouse, etc. NAS drives are connected to a network with an ethernet cable, and they run independently.

Incidentally, the majority of NAS solutions have a lightweight iteration of Linux OS. The OS manages the hard drives, the stored content, and its exchange to devices.

Matthew Ruffell, a Canonical software engineer and the founder of Dapper Linux, analyzed the malware last year. He had caught the malware running on an Ubuntu system.

Needless to mention, he claims the malware was capable of infecting any Linux system. However, the malware creators tweaked the code to go after the internal structure of QNAP NAS devices.

Incidentally, Dovecot is a legitimate email daemon that ships with the QNAP firmware and many Linux distros. Hence, the creators deliberately chose the name to make the malware appear as a legitimate process and evade detection.

Apart from QNAP, even a few Synology NAS devices have reportedly been affected by the Dovecat malware.

How to protect NAS drives from malware:

The malware manages to abuse system resources because NAS isn’t usually monitored closely. Hence, a sudden or consistent spike in resource usage is generally not flagged and reported through notifications. In this particular case, the malware appears to depend on poor password hygiene.

Simply put, security researchers linked the infection vector to weak passwords. Hence, experts have offered multiple security measures to prevent such attacks in the future:

  • Use stronger admin passwords.
  • Use stronger passwords for database administrators.
  • Disable SSH and Telnet services if not in use.
  • Disable unused services and apps.
  • Avoid using default port numbers (80, 443, 8080, and 8081).
  • Update QTS to the latest version.
  • Install the latest version of Malware Remover.
  • Deploy Security Counselor and run with Intermediate Security Policy (or above).
  • Install a firewall.
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x