Iran-focused malware tampers with business databases

ZDNet

Symantec is warning businesses to watch out for new malware that sabotages corporate databases by tampering with the items inside them.

The 'Narilam' worm targets Microsoft SQL databases, gaining access to certain tables and objects. Once inside, it looks for specific words then replaces these with random values, or deletes particular tables.

"The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," Symantec security researcher Shunichi Imano wrote in a blog post on Thursday. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations."

"The vast majority of users impacted by this threat are corporate users." - Symantec

"Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users," he added.

Narilam looks for databases named 'alim', 'marilan' or 'shahd', then searches for terms such as 'BankCheck' and 'buyername'. According to Imano, some of the words are in Persian — 'Hesabjari', meaning 'current account', and 'pasandaz', meaning 'savings'.

Most of the Narilam-infected machines are in Iran — bringing to mind Stuxnet, which also aimed to sabotage corporate systems. However, the worm has also hit organisations in the UK and US, according to Symantec, though the overall number of infections so far is low.

"What’s interesting is that it’s specifically targeted the Persian region. We don’t typically see threats targeting financial accounting software in that area," Peter Coogan, senior security response manager at Symantec, told ZDNet.
Early days

Given this, Symantec is looking for more components to the malware, to find out what, if any, other actions it might take. This context could reveal whether Narilam has any correlation with Stuxnet or whether there is any spyware involved.

At the moment, Symantec doesn't know how the malware gets onto systems or who is behind it, Coogan said. While most financial Trojans are generated by cybercrime gangs, Narilam's Iranian focus warrants investigation into whether it is being used for sabotage or spying.

"We are looking to identify other potential components of this threat to see if there is more to this threat than a purely malicious threat," Coogan said.

However, those investigations are still in their early days, he cautioned. While Symantec first started detecting the malware two years ago, it was initially viewed as a Trojan Horse. It was only when researchers got hold of more samples that they took a closer look and began viewing it as a particular threat.

What they do know is that Narilam copies itself to an infected machine, adds registry keys and spreads via shared file folders and employee use of removable drives. In addition, they know it affects several versions of Windows, including Windows 7, Windows Server 2008, Vista and XP.

"What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB," Imano said. Object Linking and Embedding, Database (OLE DB) is a Microsoft API for accessing data from diverse data stores.

Businesses will have difficulty restoring a vandalised database, Symantec warned, unless they have backups.

"The affected organisation will likely suffer significant disruption and even financial loss while restoring the database," Imano said. "As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them."