Synology Backdoor

[wedjat]

Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it.

Specifically:
1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked
2. "synopkg chkupgradepkg" starts synowedjat-exec
3. synowedjat-exec
   - Uploads hardware info to account.synology.com/wedjat
   - Downloads and extracts synowedjat.sa, a synology archive which contains the backdoor
   - Runs the main binary "synowedjat protection"
4. synowedjat has several modes
   - Debugging modes (controlled by argv[1])
     - "collect" and "collect-enc" uploads a comprehensive set of host info to synology's server, in plain text, or encrypted
     - "punish" resets the login page's background, and sends a piracy notification
   - "protection" is the default mode
     - Runs /run/ai_tool.cpython-38.pyc to twiddle with the "Active Insight" package settings, periodically
     - Uploads a comprehensive set of host info to synology's server
     - Enters the "punish" mode according to the servers' response

 

Recommendations:
1. Stop the processes: killall -KILL synowedjat
2. Remove the package: rm /run/synowedjat*
3. Remove the configuration: rm /usr/syno/etc/wedjat.status
4. Remove the "Active Insight" package
5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable the access to account.synology.com and dlid.synology.com

[wedjat]

Attached are the original files from Geminilake. Feel free to drag them to IDA Pro, if you are interested in their behaviors.

ai_tool.pyc synowedjat synowedjat-exec synopkg

[john_matrix]

On my Synobox DSM 7.1.1-42962 Update 4:

 

 

Is this process built-in DSM?

[IG-88]

 

On 3/25/2023 at 11:19 AM, john_matrix said:

Is this process built-in DSM?

synowedjat-exec is build-in

 

imho this might need more attention and discussion

On 3/17/2023 at 6:16 AM, wedjat said:

Enters the "punish" mode according to the servers' response

 

found the same post in a chinese forum https://imnks.com/7800.html

i also found way older references like this from 2021

http://www.nasyun.com/thread-78105-1-1.html and there are some references about consuming cpu power on other forums

 

wedjat seems to refer to "wedjat eye" aka "Eye of Horus" https://en.wikipedia.org/wiki/Eye_of_Horus

"... that represents well-being, healing, and protection ...", so its synology's eye on "there" systems

some people might see it more like this https://en.wikipedia.org/wiki/Palantír ?

 

synowedjat-exec seems to be present since 2020 (DSM 7.0)

DSM_7.0 beta 40850 came without it

DSM 7.0 beta 41222 already came with it - that was 12/2020

 

so it looks like synology is actively collecting data for years and the question is what are they doing with this data and active (root) access to the systems

as there are no information on what they collect (could even be the data you host on the nas as the content what is downloaded for collection or "punishment" can change at any point) it does rise some serious questions and seen from European law (GDPR) there could be interesting legal follow up's from that

and who watches the watchers?

 

edit: my gripe here is about synology making the rules, investigating, judging and punishing, all in one instance without  control/transparency and in a democratic system there is a problem with that (or at least it should be or its not a democratic system), https://en.wikipedia.org/wiki/Separation_of_powers

Edited April 2, 2023 by IG-88

[K4L0]

hxxps://www.synology.com/en-global/company/legal/Services_Data_Collection_Disclosure

[IG-88]

4 minutes ago, K4L0 said:

hxxps://www.synology.com/en-global/company/legal/Services_Data_Collection_Disclosure

there is no consent about that, they just don't tell you about that function and its ability to variably change what is done on you system and the name "punish" for the function is a clear intention to do harm, active insight is that kind of collection but the synowedjat-exec is part of DSM itself and i'm pretty sure a lot of business customers will have compliance issues if synology can upload and execute code at any time, collect data at any time of any data stored on the system and can also "punish" for whatever they think is not within of there view of legal or compliant - and what happens if they get hacked? all units reachable by internet are at risk of a takeover - yeah sure they have consent about that from all customers

 

btw. the link still works, you just removed the "tt" in the visible part (text of the link)

 

[K4L0]

wedjat.sa download link https://global.synologydownload.com/download/Misc/Wedjat/1.0.3-00031/Wedjat-geminilake-1.0.3-00031.sa.spk

upload the collect.json file to synology server.

collect.json

Edited April 6, 2023 by K4L0

[Orphée]

Well, with this json, no any doubt about genuine or loader...

[K4L0]

1. extract Wedjat-geminilake-1.0.3-00031.sa.spk file, use Synology_Archive_Extractor
    "python3 sae.py -k WEDJAT -a Wedjat-geminilake-1.0.3-00031.sa.spk -d ."
2. run "synowedjat collect > collect.json"

Edited April 6, 2023 by K4L0

[IG-88]

On 4/6/2023 at 12:29 PM, K4L0 said:

upload the collect.json file to synology server.

at least nothing "inappropriate" in that file but they will for sure be able to track users even when they change dsm type or serial, only way to reduce that would be using VM and virtual disks

but whats combined in these file will expose any non legit system for sure and with the hardware id (hwid) they can target a specific system for punishment/piracy

combined with these new AI like stuff it might take no effort to very safely target these systems, no matter how many there might be and how often systems change there id

 

the binary of synowedjat in the package looks roughly the same as synowedjat-exec in dsm, the content of the spk is from 02.2023, so why that package if wedjat is already there and working? might be to have recent check with a new wedjat before going into punishment mode (if the system in question in not updated then the wedjat installed might be pretty old)

synowedjat.jpg is kind of unnecessary big and the pictures content itself might make it easy to hide payload (steganography) ...

 

one way to counter might be to keep a constant eye on wedjat changes and block the communication  (at least to the systems where it would try to downloads something)

 

how about removing the execut flag of synowedjat-exec? the file would still be there and can be checked by checksum but any call of the file might fail as its not executable anymore

[K4L0]

Disable Internet access to the synowedjat-exec application:
 

vi /etc/apparmor/usr.syno.bin.synowedjat-exec
 

/usr/syno/bin/synowedjat-exec {
   deny network,
   deny capability net_raw,
   deny capability net_admin,
}

apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec
Must be run again on restart.

[IG-88]

On 4/19/2023 at 11:09 AM, K4L0 said:

Must be run again on restart.

i came up with this (should survive updates?)

 

create file: /etc/apparmor/usr.syno.bin.synowedjat-exec

/usr/syno/bin/synowedjat-exec {
   deny network,
   deny capability net_raw,
   deny capability net_admin,
}

create file: /usr/local/bin/apparmor_add_start.sh

(needs to be executable)

#!/bin/sh
apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec

create file: /usr/local/bin/apparmor_add_stop.sh

(needs to be executable)

#!/bin/sh
# apparmor_parser -R /etc/apparmor/usr.syno.bin.synowedjat-exec
# no plan to remove that as long as the system is running

create file: /usr/local/lib/systemd/system/apparmor_add.service

# Service file for apparmor_add
# copy this file to /usr/local/lib/systemd/system/apparmor_add.service

[Unit]
Description=Add Apparmore profile on boot
 
[Service]
Type=oneshot
ExecStart=/bin/bash /usr/local/bin/apparmor_add_start.sh
ExecStop=/bin/bash /usr/local/bin/apparmor_add_stop.sh
RemainAfterExit=yes
Restart=no

[Install]
WantedBy=syno-low-priority-packages.target

test it:
"systemctl start apparmor_add" to start it now
check with "aa-status" that the new apparmor profile is active
-> /usr/syno/bin/synowedjat-exec

 

"systemctl enable apparmor_add" to make enable it at start of the system
should result in this: "Created symlink from /etc/systemd/system/syno-low-priority-packages.target.wants/apparmor_add.service to /usr/local/lib/systemd/system/apparmor_add.service."

 

reboot and check again with "aa-status"
-> /usr/syno/bin/synowedjat-exec

 

Edited April 27, 2023 by IG-88

[Orphée]

don't know if it is enough

 

i created a planned task as root at start

 

[Orphée]

Just to improve de start task, something like this could be done :

 

/usr/bin/cat << EOF > /etc/apparmor/usr.syno.bin.synowedjat-exec
/usr/syno/bin/synowedjat-exec {
   deny network,
   deny capability net_raw,
   deny capability net_admin,
}
EOF
/usr/bin/sleep 2
/sbin/apparmor_parser -r /etc/apparmor/usr.syno.bin.synowedjat-exec
/bin/rm -f /usr/syno/etc/wedjat.status

 

the sleep timer may not be necessary... but just in case...

 

It re-create the file at every boot, just in case something/someone delete it.

Edited May 2, 2023 by Orphée

[borlcand]

Probably this is what punishment stands for

Quote

on my good old DS1813+ running DSM 7.0-41890 I am observing /usr/syno/bin/synowedjat protection using constantly 100% of a single CPU thread and doing about 800Mb/s of disk read activity for a couple of days now.

https://community.synology.com/enu/forum/1/post/152163

Edited May 1, 2023 by borlcand

[IG-88]

3 hours ago, borlcand said:

Probably this is what punishment stands for

as synology does not specify anything about that its hard to tell but i'd expect something more like shutting down system just after starting or ending file services or web gui as seen in the former timebomb issues in dsm 6.x - but as there is no line they draw there could be more, even malicious stuff like damaging systems or data

its a little concerning seeing something you describe as it could be some kind of scan of all data on the system

as of the data they collect it would be possible to target any specific system with any special task you can think of

 

as this is original system you are talking about i'd suggest to involve synology's official support and see what they tell you about it, maybe reference to the wikipedia about wedjat (https://en.wikipedia.org/wiki/Eye_of_Horus) and ask specifically about data collection

also check you logs in /var/log/ about things going on

 

edit: before involving synology support it might be interesting to find out what payload your system received (and why, as its a original system that should not be bothered at all)

 

Edited May 1, 2023 by IG-88

[borlcand]

Fortunately, that’s just finding on official community forum. 
I’ve restricted internet access for this binary with a task provided above

[Orphée]

Tested quickly latest 7.2 RC, there is no wedjat in it...

[K4L0]

Renamed to diid in version 7.2RC
 

/usr/syno/bin/dlid

/usr/syno/etc/dlid.status

[Orphée]

On 5/2/2023 at 12:46 AM, K4L0 said:

Renamed to diid in version 7.2RC
 

/usr/syno/bin/dlid

/usr/syno/etc/dlid.status

So for 7.2RC :

 

 

 

 

/usr/bin/cat << EOF > /etc/apparmor/usr.syno.bin.dlid
/usr/syno/bin/dlid {
   deny network,
   deny capability net_raw,
   deny capability net_admin,
}
EOF
/usr/bin/sleep 2
/sbin/apparmor_parser -r /etc/apparmor/usr.syno.bin.dlid
/bin/rm -f /usr/syno/etc/dlid.status

 

Edited May 3, 2023 by Orphée

[Orphée]

script fixed for 7.2RC ! please update if you already applied it.

[-iliya-]

could it be sufficient to deny access to certain syno sites at the router level - for example mikrotik?
if yes, then to which sites it should be done?

Edited June 1, 2023 by -iliya-

[Diktor]

1 час назад, -iliya- сказал:

could it be sufficient to deny access to certain syno sites at the router level - for example mikrotik?
if yes, then to which sites it should be done?

My Synology is used as an NVR and does not have internet access.  But still sometimes I see this process and abnormal CPU usage.  A few months earlier, I also had a high CPU load, but there the system said that it was "scheduler" consumption.

[Rebutia]

@Orphée just to inform you that, the newest DSM 7.2.1-69057 rs3621xs+ will cease to work/not to be network-reachable if I run this script on boot up. Don't get me wrong, this is not a complain.

[Orphée]

@Rebutia Well you're the first one to report this issue, you may want to try with another loader.

Currently with SA6400 and DVA3221 it works fine for me.