XPEnology Community

wedjat
Rookie
  • Posts: 2
  • Joined
  • Last visited

Everything posted by wedjat

  1. Attached are the original files from Geminilake. Feel free to drag them to IDA Pro, if you are interested in their behaviors.

     Attachments: ai_tool.pyc, synowedjat, synowedjat-exec, synopkg

  2. Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it. Specifically:

     1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked
     2. "synopkg chkupgradepkg" starts synowedjat-exec
     3. synowedjat-exec
        - Uploads hardware info to account.synology.com/wedjat
        - Downloads and extracts synowedjat.sa, a Synology archive which contains the backdoor
        - Runs the main binary "synowedjat protection"
     4. synowedjat has several modes
        - Debugging modes (controlled by argv[1])
          - "collect" and "collect-enc" upload a comprehensive set of host info to Synology's server, in plain text or encrypted
          - "punish" resets the login page's background and sends a piracy notification
        - "protection" is the default mode
          - Runs /run/ai_tool.cpython-38.pyc to twiddle with the "Active Insight" package settings, periodically
          - Uploads a comprehensive set of host info to Synology's server
          - Enters the "punish" mode according to the server's response

     Recommendations:

     1. Stop the processes: killall -KILL synowedjat
     2. Remove the package: rm /run/synowedjat*
     3. Remove the configuration: rm /usr/syno/etc/wedjat.status
     4. Remove the "Active Insight" package
     5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable the access to account.synology.com and dlid.synology.com
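An audit helper for the indicators listed in the post above, added here as example code (not the poster's files and not Synology's): it checks a DSM filesystem under a ROOT prefix for the /run/synowedjat* files, /usr/syno/etc/wedjat.status and missing hosts-file entries for account.synology.com and dlid.synology.com, and on the live system for a running synowedjat process. The paths and domains come from the post; the function names and the ROOT-prefix convention are my own assumptions.

```shell
#!/bin/sh
# ROOT ($1) is a path prefix: "" for the live system, or a mount point of a
# copied DSM filesystem. Paths and domain names are those given in the post.

WEDJAT_HOSTS="account.synology.com dlid.synology.com"

# True when a synowedjat process is running (needs pgrep; false otherwise).
wedjat_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x synowedjat >/dev/null 2>&1
}

# Is domain $2 pinned to 0.0.0.0 or 127.0.0.1 in hosts file $1?
wedjat_host_blocked() {
    hre=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eqs "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+$hre([[:space:]]|\$)" "$1"
}

# Print every indicator found under ROOT ($1); exit status = number of findings.
wedjat_audit() {
    root="$1"; n=0
    for f in "$root"/run/synowedjat*; do          # dropped package + extracted files
        [ -e "$f" ] || continue
        echo "FOUND dropped file: $f"; n=$((n + 1))
    done
    if [ -e "$root/usr/syno/etc/wedjat.status" ]; then
        echo "FOUND config: $root/usr/syno/etc/wedjat.status"; n=$((n + 1))
    fi
    for h in $WEDJAT_HOSTS; do                    # recommendation 5 from the post
        if ! wedjat_host_blocked "$root/etc/hosts" "$h"; then
            echo "UNBLOCKED: $h (add '0.0.0.0 $h' to $root/etc/hosts)"; n=$((n + 1))
        fi
    done
    if [ -z "$root" ] && wedjat_running; then     # only meaningful on the live system
        echo "RUNNING: synowedjat (stop with: killall -KILL synowedjat)"; n=$((n + 1))
    fi
    return $n
}

# Append 0.0.0.0 entries for both domains to ROOT/etc/hosts; safe to re-run.
wedjat_block_hosts() {
    root="$1"
    for h in $WEDJAT_HOSTS; do
        wedjat_host_blocked "$root/etc/hosts" "$h" || printf '0.0.0.0 %s\n' "$h" >> "$root/etc/hosts"
    done
}

# Usage: . ./wedjat_audit.sh; wedjat_audit ""   (or wedjat_audit /mnt/dsm)
```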