wedjat, posted Friday at 05:16 AM (#1)

Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it.

Specifically:

1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked.
2. "synopkg chkupgradepkg" starts synowedjat-exec.
3. synowedjat-exec:
   - Uploads hardware info to account.synology.com/wedjat
   - Downloads and extracts synowedjat.sa, a Synology archive which contains the backdoor
   - Runs the main binary: "synowedjat protection"
4. synowedjat has several modes:
   - Debugging modes (controlled by argv[1]):
     - "collect" and "collect-enc" upload a comprehensive set of host info to Synology's server, in plain text or encrypted
     - "punish" resets the login page's background and sends a piracy notification
   - "protection" is the default mode:
     - Runs /run/ai_tool.cpython-38.pyc to twiddle with the "Active Insight" package settings, periodically
     - Uploads a comprehensive set of host info to Synology's server
     - Enters the "punish" mode according to the server's response

Recommendations:

1. Stop the processes: killall -KILL synowedjat
2. Remove the package: rm /run/synowedjat*
3. Remove the configuration: rm /usr/syno/etc/wedjat.status
4. Remove the "Active Insight" package
5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable the access to account.synology.com and dlid.synology.com
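An added example, not code from the post above: a POSIX shell script that audits a host for the indicators the post lists (process, /run files, status file, unblocked hostnames) and idempotently adds the /etc/hosts entries it recommends. The ROOT and HOSTS_FILE variables, the 0.0.0.0 sink address and the function names are assumptions made here so the checks can be pointed at a staging directory instead of the live system.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a host for the
# indicators the post lists and optionally add the /etc/hosts entries it
# recommends. ROOT and HOSTS_FILE are assumed here so the checks can be
# pointed at a staging directory instead of the live system.
ROOT="${ROOT:-}"                          # prefix for filesystem checks
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
BLOCKED_HOSTS="account.synology.com dlid.synology.com"

# True when hostname $1 already resolves to a sink address in $HOSTS_FILE.
host_is_blocked() {
    grep -Eq "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+$1([[:space:]]|$)" "$HOSTS_FILE"
}

# Print one line per indicator found; return 0 only when nothing was found.
wedjat_audit() {
    found=0
    # 1. a running synowedjat process (what the post's "killall -KILL synowedjat" targets)
    for c in /proc/[0-9]*/comm; do
        [ "$(cat "$c" 2>/dev/null)" = synowedjat ] && { echo "process: synowedjat running"; found=1; }
    done
    # 2. the extracted package under /run
    for f in "$ROOT"/run/synowedjat*; do
        [ -e "$f" ] && { echo "file: $f"; found=1; }
    done
    # 3. the status file
    [ -e "$ROOT/usr/syno/etc/wedjat.status" ] && { echo "file: $ROOT/usr/syno/etc/wedjat.status"; found=1; }
    # 4. the two hostnames from the post still reachable via the hosts file
    for h in $BLOCKED_HOSTS; do
        host_is_blocked "$h" || { echo "hosts: $h not blocked in $HOSTS_FILE"; found=1; }
    done
    return $found
}

# Idempotently add a 0.0.0.0 entry for each hostname the post names.
wedjat_block_hosts() {
    for h in $BLOCKED_HOSTS; do
        host_is_blocked "$h" || printf '0.0.0.0 %s\n' "$h" >> "$HOSTS_FILE"
    done
}

# Usage: sh wedjat_check.sh audit   |   sh wedjat_check.sh block
case "${1:-}" in
    audit) wedjat_audit ;;
    block) wedjat_block_hosts ;;
esac
```

Run `audit` before and after the post's cleanup steps; a zero exit status means none of the listed indicators remain.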
wedjat, posted Friday at 05:45 AM (#2, author)

Attached are the original files from Geminilake. Feel free to drag them to IDA Pro, if you are interested in their behaviors.

Attachments: ai_tool.pyc, synowedjat, synowedjat-exec, synopkg