wedjat, Posted March 17, 2023 (#1)

Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it.

Specifically:

1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked.
2. "synopkg chkupgradepkg" starts synowedjat-exec.
3. synowedjat-exec:
   - Uploads hardware info to account.synology.com/wedjat
   - Downloads and extracts synowedjat.sa, a Synology archive which contains the backdoor
   - Runs the main binary: "synowedjat protection"
4. synowedjat has several modes:
   - Debugging modes (controlled by argv[1]):
     - "collect" and "collect-enc" upload a comprehensive set of host info to Synology's server, in plain text or encrypted
     - "punish" resets the login page's background and sends a piracy notification
   - "protection" is the default mode:
     - Runs /run/ai_tool.cpython-38.pyc periodically to twiddle with the "Active Insight" package settings
     - Uploads a comprehensive set of host info to Synology's server
     - Enters the "punish" mode according to the server's response

Recommendations:

1. Stop the processes: killall -KILL synowedjat
2. Remove the package: rm /run/synowedjat*
3. Remove the configuration: rm /usr/syno/etc/wedjat.status
4. Remove the "Active Insight" package
5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable access to account.synology.com and dlid.synology.com
wedjat, Posted March 17, 2023 (#2)

Attached are the original files from Geminilake. Feel free to drag them into IDA Pro if you are interested in their behaviors.

Attachments: ai_tool.pyc, synowedjat, synowedjat-exec, synopkg
john_matrix, Posted March 25, 2023 (#3)

On my Synobox, DSM 7.1.1-42962 Update 4: is this process built into DSM?
IG-88, Posted April 2, 2023 (#4)

> On 3/25/2023 at 11:19 AM, john_matrix said: Is this process built-in DSM?

synowedjat-exec is built-in. IMHO this might need more attention and discussion.

> On 3/17/2023 at 6:16 AM, wedjat said: Enters the "punish" mode according to the servers' response

Found the same post in a Chinese forum: https://imnks.com/7800.html

I also found way older references, like this one from 2021: http://www.nasyun.com/thread-78105-1-1.html, and there are some references about consuming CPU power on other forums.

wedjat seems to refer to the "wedjat eye", aka "Eye of Horus" (https://en.wikipedia.org/wiki/Eye_of_Horus): "... that represents well-being, healing, and protection ...", so it's Synology's eye on "their" systems. Some people might see it more like this: https://en.wikipedia.org/wiki/Palantír ?

synowedjat-exec seems to be present since 2020 (DSM 7.0). DSM 7.0 beta 40850 came without it; DSM 7.0 beta 41222 already came with it, and that was 12/2020. So it looks like Synology has been actively collecting data for years, and the question is what they are doing with this data and the active (root) access to the systems. As there is no information on what they collect (it could even be the data you host on the NAS, as the content that is downloaded for collection or "punishment" can change at any point), it does raise some serious questions, and seen from European law (GDPR) there could be interesting legal follow-ups from that. And who watches the watchers?

Edit: my gripe here is about Synology making the rules, investigating, judging and punishing, all in one instance without control/transparency. In a democratic system there is a problem with that (or at least there should be, or it's not a democratic system): https://en.wikipedia.org/wiki/Separation_of_powers

(Edited April 2, 2023 by IG-88)
K4L0, Posted April 2, 2023 (#5)

hxxps://www.synology.com/en-global/company/legal/Services_Data_Collection_Disclosure
IG-88, Posted April 2, 2023 (#6)

> 4 minutes ago, K4L0 said: hxxps://www.synology.com/en-global/company/legal/Services_Data_Collection_Disclosure

There is no consent about that; they just don't tell you about that function and its ability to variably change what is done on your system, and the name "punish" for the function is a clear intention to do harm. Active Insight is that kind of collection, but synowedjat-exec is part of DSM itself, and I'm pretty sure a lot of business customers will have compliance issues if Synology can upload and execute code at any time, collect data at any time of any data stored on the system, and can also "punish" for whatever they think is not within their view of legal or compliant. And what happens if they get hacked? All units reachable by internet are at risk of a takeover. Yeah, sure, they have consent about that from all customers.

BTW, the link still works; you just removed the "tt" in the visible part (text of the link).
K4L0, Posted April 6, 2023 (#7)

wedjat.sa download link: https://global.synologydownload.com/download/Misc/Wedjat/1.0.3-00031/Wedjat-geminilake-1.0.3-00031.sa.spk

It uploads the collect.json file to the Synology server.

Attachment: collect.json

(Edited April 6, 2023 by K4L0)
Orphée, Posted April 6, 2023 (#8)

Well, with this JSON, no doubt at all about genuine or loader...
K4L0, Posted April 6, 2023 (#9)

1. Extract the Wedjat-geminilake-1.0.3-00031.sa.spk file using Synology_Archive_Extractor:
   python3 sae.py -k WEDJAT -a Wedjat-geminilake-1.0.3-00031.sa.spk -d .
2. Run:
   synowedjat collect > collect.json

(Edited April 6, 2023 by K4L0)
IG-88, Posted April 7, 2023 (#10)

> On 4/6/2023 at 12:29 PM, K4L0 said: upload the collect.json file to synology server.

At least there is nothing "inappropriate" in that file, but they will for sure be able to track users even when they change DSM type or serial. The only way to reduce that would be using a VM and virtual disks, but what's combined in this file will expose any non-legit system for sure, and with the hardware ID (hwid) they can target a specific system for punishment/piracy. Combined with this new AI-like stuff, it might take no effort to very safely target these systems, no matter how many there might be and how often systems change their ID.

The binary of synowedjat in the package looks roughly the same as synowedjat-exec in DSM. The content of the spk is from 02.2023, so why that package if wedjat is already there and working? It might be to have a recent check with a new wedjat before going into punishment mode (if the system in question is not updated, then the wedjat installed might be pretty old).

synowedjat.jpg is kind of unnecessarily big, and the picture's content itself might make it easy to hide a payload (steganography)...

One way to counter might be to keep a constant eye on wedjat changes and block the communication (at least to the systems where it would try to download something). How about removing the execute flag of synowedjat-exec? The file would still be there and could be checked by checksum, but any call of the file might fail as it's not executable anymore.
K4L0, Posted April 19, 2023 (#11)

Disable Internet access to the synowedjat-exec application:

vi /etc/apparmor/usr.syno.bin.synowedjat-exec

    /usr/syno/bin/synowedjat-exec {
        deny network,
        deny capability net_raw,
        deny capability net_admin,
    }

apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec

Must be run again on restart.
IG-88, Posted April 27, 2023 (#12)

> On 4/19/2023 at 11:09 AM, K4L0 said: Must be run again on restart.

I came up with this (should survive updates?):

Create file /etc/apparmor/usr.syno.bin.synowedjat-exec:

    /usr/syno/bin/synowedjat-exec {
        deny network,
        deny capability net_raw,
        deny capability net_admin,
    }

Create file /usr/local/bin/apparmor_add_start.sh (needs to be executable):

    #!/bin/sh
    apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec

Create file /usr/local/bin/apparmor_add_stop.sh (needs to be executable):

    #!/bin/sh
    # apparmor_parser -R /etc/apparmor/usr.syno.bin.synowedjat-exec
    # no plan to remove that as long as the system is running

Create file /usr/local/lib/systemd/system/apparmor_add.service:

    # Service file for apparmor_add
    # copy this file to /usr/local/lib/systemd/system/apparmor_add.service
    [Unit]
    Description=Add Apparmore profile on boot

    [Service]
    Type=oneshot
    ExecStart=/bin/bash /usr/local/bin/apparmor_add_start.sh
    ExecStop=/bin/bash /usr/local/bin/apparmor_add_stop.sh
    RemainAfterExit=yes
    Restart=no

    [Install]
    WantedBy=syno-low-priority-packages.target

Test it:

"systemctl start apparmor_add" to start it now. Check with "aa-status" that the new AppArmor profile is active -> /usr/syno/bin/synowedjat-exec

"systemctl enable apparmor_add" to enable it at start of the system. It should result in this: "Created symlink from /etc/systemd/system/syno-low-priority-packages.target.wants/apparmor_add.service to /usr/local/lib/systemd/system/apparmor_add.service."

Reboot and check again with "aa-status" -> /usr/syno/bin/synowedjat-exec

(Edited April 27, 2023 by IG-88)
Orphée, Posted April 27, 2023 (#13)

Don't know if it is enough; I created a planned task as root at startup.
Orphée, Posted April 27, 2023 (#14)

Just to improve the start task, something like this could be done:

    /usr/bin/cat << EOF > /etc/apparmor/usr.syno.bin.synowedjat-exec
    /usr/syno/bin/synowedjat-exec {
        deny network,
        deny capability net_raw,
        deny capability net_admin,
    }
    EOF
    /usr/bin/sleep 2
    /sbin/apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec
    /bin/rm -f /usr/syno/etc/wedjat.status

The sleep timer may not be necessary... but just in case...

It re-creates the file at every boot, just in case something/someone deletes it.

(Edited May 2, 2023 by Orphée)
borlcand, Posted May 1, 2023 (#15)

Probably this is what punishment stands for:

> on my good old DS1813+ running DSM 7.0-41890 I am observing /usr/syno/bin/synowedjat protection using constantly 100% of a single CPU thread and doing about 800Mb/s of disk read activity for a couple of days now.

https://community.synology.com/enu/forum/1/post/152163

(Edited May 1, 2023 by borlcand)
IG-88, Posted May 1, 2023 (#16)

> 3 hours ago, borlcand said: Probably this is what punishment stands for

As Synology does not specify anything about that, it's hard to tell, but I'd expect something more like shutting down the system just after starting, or ending file services or the web GUI, as seen in the former timebomb issues in DSM 6.x. But as there is no line they draw, there could be more, even malicious stuff like damaging systems or data. It's a little concerning seeing something like you describe, as it could be some kind of scan of all data on the system. With the data they collect it would be possible to target any specific system with any special task you can think of.

As this is an original system you are talking about, I'd suggest involving Synology's official support and seeing what they tell you about it. Maybe reference the Wikipedia page about wedjat (https://en.wikipedia.org/wiki/Eye_of_Horus) and ask specifically about data collection. Also check your logs in /var/log/ about things going on.

Edit: before involving Synology support it might be interesting to find out what payload your system received (and why, as it's an original system that should not be bothered at all).

(Edited May 1, 2023 by IG-88)
borlcand, Posted May 1, 2023 (#17)

Fortunately, that's just a finding on the official community forum. I've restricted internet access for this binary with the task provided above.
Orphée, Posted May 1, 2023 (#18)

Tested quickly the latest 7.2 RC; there is no wedjat in it...
K4L0, Posted May 1, 2023 (#19)

Renamed to dlid in version 7.2 RC:

    /usr/syno/bin/dlid
    /usr/syno/etc/dlid.status
Orphée, Posted May 2, 2023 (#20)

> On 5/2/2023 at 12:46 AM, K4L0 said: Renamed to dlid in version 7.2RC /usr/syno/bin/dlid /usr/syno/etc/dlid.status

So for 7.2 RC:

    /usr/bin/cat << EOF > /etc/apparmor/usr.syno.bin.dlid
    /usr/syno/bin/dlid {
        deny network,
        deny capability net_raw,
        deny capability net_admin,
    }
    EOF
    /usr/bin/sleep 2
    /sbin/apparmor_parser -r /etc/apparmor/usr.syno.bin.dlid
    /bin/rm -f /usr/syno/etc/dlid.status

(Edited May 3, 2023 by Orphée)
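The following is an added example written for this edit; it is not one of the scripts posted by K4L0, IG-88 or Orphée above. It pulls the thread's pieces into one boot-time guard: it picks whichever telemetry binary the running DSM ships (synowedjat-exec before 7.2, dlid on the 7.2 RC as reported in post #19), writes the same network-deny AppArmor profile as posts #11, #14 and #20, removes the status file, adds the two /etc/hosts sinkhole entries recommended in post #1, and then confirms through aa-status that the profile is actually in enforce mode rather than merely loaded. It assumes apparmor_parser and aa-status exist on the box, that the profile file naming convention /etc/apparmor/usr.syno.bin.<name> is acceptable, and that 0.0.0.0 is a suitable sinkhole address; the aa-status text inside the script is constructed for self-testing, not captured from a real device.

```shell
#!/bin/sh
# Added example (not one of the scripts posted in this thread): a boot-time guard that
# builds the network-deny AppArmor profile for whichever telemetry binary this DSM ships
# (synowedjat-exec before 7.2, dlid on the 7.2 RC), loads it, removes the status file,
# sinkholes the two hosts named in post #1, and verifies the profile via aa-status.
# Assumptions: apparmor_parser and aa-status exist on the box, and 0.0.0.0 is an
# acceptable sinkhole address for /etc/hosts entries.

# Print the profile text for the binary path given as $1 (same rules as the thread's profile).
wedjat_profile() {
    printf '%s {\n    deny network,\n    deny capability net_raw,\n    deny capability net_admin,\n}\n' "$1"
}

# Map /usr/syno/bin/dlid -> usr.syno.bin.dlid, the profile file name convention used in the thread.
profile_filename() {
    printf '%s\n' "${1#/}" | tr '/' '.'
}

# Print the first executable among the candidate paths given; fail if none exists.
find_telemetry_binary() {
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read aa-status output on stdin; succeed only if $1 is listed under the enforce-mode section.
# A profile that is merely loaded in complain mode would log but not block the network.
profile_enforced() {
    awk -v want="$1" '
        /profiles are in enforce mode/  { inblock = 1; next }
        /profiles are in complain mode/ { inblock = 0 }
        inblock && $1 == want           { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Append "0.0.0.0 <name>" to the hosts file $1 unless a non-comment line already maps <name>.
sinkhole_host() {
    hosts_file=$1
    name=$2
    if ! grep -Eq "^[^#]*[[:space:]]$name([[:space:]]|\$)" "$hosts_file"; then
        printf '0.0.0.0 %s\n' "$name" >> "$hosts_file"
    fi
}

# Constructed aa-status output (not captured from a real DSM) for exercising profile_enforced.
SAMPLE_AA_STATUS='apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /usr/syno/bin/synowedjat-exec
   /usr/bin/example-other-profile
1 profiles are in complain mode.
   /usr/syno/bin/dlid
0 processes have profiles defined.'

# Apply everything on a live DSM (needs root). Run as: sh wedjat_guard.sh apply
apply_guard() {
    bin=$(find_telemetry_binary /usr/syno/bin/synowedjat-exec /usr/syno/bin/dlid) || {
        echo "no telemetry binary found, nothing to do" >&2
        return 0
    }
    profile=/etc/apparmor/$(profile_filename "$bin")
    wedjat_profile "$bin" > "$profile"
    apparmor_parser -r "$profile"
    rm -f /usr/syno/etc/wedjat.status /usr/syno/etc/dlid.status
    for host in account.synology.com dlid.synology.com; do
        sinkhole_host /etc/hosts "$host"
    done
    if aa-status | profile_enforced "$bin"; then
        echo "enforced: $bin"
    else
        echo "profile for $bin is loaded but not enforced; check aa-status" >&2
        return 1
    fi
}

case "${1:-}" in
    apply) apply_guard ;;
esac
```

Run it as a root scheduled task at boot with the argument "apply" (the same place Orphée's task lives); without that argument the file only defines the functions, so it can be sourced for checking. The aa-status check is the part the thread's scripts lack: after a DSM update it tells you whether the profile is still enforced, instead of silently assuming the apparmor_parser call worked.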
Orphée, Posted May 3, 2023 (#21)

Script fixed for 7.2 RC! Please update if you already applied it.
-iliya-, Posted June 1, 2023 (#22)

Could it be sufficient to deny access to certain Syno sites at the router level, for example on a MikroTik? If yes, then for which sites should it be done?

(Edited June 1, 2023 by -iliya-)
Diktor, Posted June 1, 2023 (#23)

> 1 hour ago, -iliya- said: could it be sufficient to deny access to certain syno sites at the router level - for example mikrotik? if yes, then to which sites it should be done?

My Synology is used as an NVR and does not have internet access. But still, sometimes I see this process and abnormal CPU usage. A few months earlier I also had a high CPU load, but there the system said that it was "scheduler" consumption.
Rebutia, Posted October 30, 2023 (#24)

@Orphée Just to inform you that the newest DSM 7.2.1-69057 on rs3621xs+ will cease to work / not be network-reachable if I run this script on boot-up. Don't get me wrong, this is not a complaint.
Orphée, Posted October 31, 2023 (#25)

@Rebutia Well, you're the first one to report this issue; you may want to try with another loader. Currently with SA6400 and DVA3221 it works fine for me.