- Iran: Eight Prisoners Hanged on Drug Charges
- Daughter of late Iranian president jailed for ‘spreading lies’ - IRAN: Annual report on the death penalty 2016 - Taheri Facing the Death Penalty Again - Dedicated team seeking return of missing agent in Iran - Iran Arrests 2, Seizes Bibles During Catholic Crackdown
- Trump to welcome Netanyahu as Palestinians fear U.S. shift
- Details of Iran nuclear deal still secret as US-Tehran relations unravel - Will Trump's Next Iran Sanctions Target China's Banks? - Don’t ‘tear up’ the Iran deal. Let it fail on its own. - Iran Has Changed, But For The Worse - Iran nuclear deal ‘on life support,’ Priebus says
- Female Activist Criticizes Rouhani’s Failure to Protect Citizens
- Iran’s 1st female bodybuilder tells her story - Iranian lady becomes a Dollar Millionaire on Valentine’s Day - Two women arrested after being filmed riding motorbike in Iran - 43,000 Cases of Child Marriage in Iran - Woman Investigating Clinton Foundation Child Trafficking KILLED!
- Senior Senators, ex-US officials urge firm policy on Iran
- In backing Syria's Assad, Russia looks to outdo Iran - Six out of 10 People in France ‘Don’t Feel Safe Anywhere’ - The liberal narrative is in denial about Iran - Netanyahu urges Putin to block Iranian power corridor - Iran Poses ‘Greatest Long Term Threat’ To Mid-East Security |
Saturday 24 November 2012Iran-focused malware tampers with business databasesZDNet Symantec is warning businesses to watch out for new malware that sabotages corporate databases by tampering with the items inside them. The 'Narilam' worm targets Microsoft SQL databases, gaining access to certain tables and objects. Once inside, it looks for specific words then replaces these with random values, or deletes particular tables. "The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," Symantec security researcher Shunichi Imano wrote in a blog post on Thursday. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations." "The vast majority of users impacted by this threat are corporate users." - Symantec "Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users," he added. Narilam looks for databases named 'alim', 'marilan' or 'shahd', then searches for terms such as 'BankCheck' and 'buyername'. According to Imano, some of the words are in Persian — 'Hesabjari', meaning 'current account', and 'pasandaz', meaning 'savings'. Most of the Narilam-infected machines are in Iran — bringing to mind Stuxnet, which also aimed to sabotage corporate systems. However, the worm has also hit organisations in the UK and US, according to Symantec, though the overall number of infections so far is low. "What’s interesting is that it’s specifically targeted the Persian region. We don’t typically see threats targeting financial accounting software in that area," Peter Coogan, senior security response manager at Symantec, told ZDNet. Given this, Symantec is looking for more components to the malware, to find out what, if any, other actions it might take. This context could reveal whether Narilam has any correlation with Stuxnet or whether there is any spyware involved. At the moment, Symantec doesn't know how the malware gets onto systems or who is behind it, Coogan said. While most financial Trojans are generated by cybercrime gangs, Narilam's Iranian focus warrants investigation into whether it is being used for sabotage or spying. "We are looking to identify other potential components of this threat to see if there is more to this threat than a purely malicious threat," Coogan said. However, those investigations are still in their early days, he cautioned. While Symantec first started detecting the malware two years ago, it was initially viewed as a Trojan Horse. It was only when researchers got hold of more samples that they took a closer look and began viewing it as a particular threat. What they do know is that Narilam copies itself to an infected machine, adds registry keys and spreads via shared file folders and employee use of removable drives. In addition, they know it affects several versions of Windows, including Windows 7, Windows Server 2008, Vista and XP. "What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB," Imano said. Object Linking and Embedding, Database (OLE DB) is a Microsoft API for accessing data from diverse data stores. Businesses will have difficulty restoring a vandalised database, Symantec warned, unless they have backups. "The affected organisation will likely suffer significant disruption and even financial loss while restoring the database," Imano said. "As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them." |