Malware Targeting Middle Eastern Corporate Databases
November 27, 2012

Narilam Malware Targets Corporate Databases In The Middle East

redOrbit Staff & Wire Reports - Your Universe Online

Experts have uncovered a new strain of malware that modified corporate databases in the Middle East, although the virus appears to be a form of corporate sabotage rather than a high-threat cyber-weapon.

“In the last couple of years, we have seen highly sophisticated malware used to sabotage the business activities of chosen targets. We have seen malware such as W32.Stuxnet designed to tamper with industrial automation systems and other destructive examples such as W32.Disstrack and W32.Flamer, which can both wipe out data and files from hard disks. All of these threats can badly disrupt the activities of those affected,” wrote Symantec's Security Response Team in a posting on the company's blog.

“Following along that theme, we recently came across an interesting threat that has another method of causing chaos, this time, by targeting and modifying corporate databases. We detect this threat as W32.Narilam.”

The virus, which was discovered on November 15, spreads through removable drives and network shares. It is active predominantly in the Middle East, with the vast majority of victims in Iran, Symantec said.

Although Narilam appears similar to other network malware that copies itself onto infected machines, adds registry keys and propagates itself through removable drives and network shares, it is "unusual" because it can update Microsoft SQL databases over the Object Linking and Embedding Database (OLEDB) protocol, Symantec said.

Specifically, Narilam targets SQL databases with three distinct names: alim, maliran, and shahd. Once the targeted databases are located, Narilam looks for specific objects and tables, and either deletes them or replaces them with random values.

The malware "appears to be programmed specifically to damage the data held within the targeted database,” Symantec's Security Response Team said.

Reports from Kaspersky Security Network indicate that Narilam was found mainly in Iran (~60%) and Afghanistan (~40%), although infections have also been reported in the U.S. and Britain.

Narilam appears to be an older virus, likely created between 2009 and 2010, said Kaspersky Lab's Global Research and Analysis Team.

“Narilam is a rather old threat that was probably deployed during late 2009 and mid-2010. Its purpose was to corrupt databases of three financial applications from TarrahSystem, namely Maliran [integrated financial and industrial applications], Amin [banking and loans software] and Shahd [integrated financial/commercial software],” wrote a Kaspersky Lab Expert on Monday in a posting to SecureList.

“Several variants appear to have been created, but all of them have the same functionality and method of replication.”

Roughly 80 incidents have been recorded since 2010, but the fact that just six infections were reported during the past month suggests the malware is "probably almost extinct," Kaspersky said.

Symantec said Narilam does not appear to have any information-stealing capabilities, and seems to be “programmed specifically to damage the data held within the targeted database.”

“Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations,” Symantec said, adding that the types of databases Narilam looks for are unlikely to be found in the systems of home users.

Kaspersky said it did not find any "obvious connection" between Narilam and Duqu, Stuxnet, Flame, and Gauss. That assessment was also voiced by Iran's Computer Emergency Response Team (CERT), which issued a statement warning against comparing Narilam with Stuxnet, Duqu, and Flame, saying that Narilam was not "a major threat, nor a sophisticated piece of computer malware."

The worm appears able to infect only the database included in a small business accounting software developed by an unnamed Iranian company, Iran-CERT said.

"The simple nature of the malware looks more like a try to harm the software company's reputation among their customers.”

Narilam is "not a threat for general users," although customers of that particular software package should make backups of their database, and scan their systems with updated antivirus products, Iran-CERT said.

Kaspersky said that within the targeted databases, Narilam looks for tables and objects with financial-related names such as BankCheck, A_Sellers, and buyername. Persian words such as Pasandaz (savings), Hesabjari (current account), R_DetailFactoreForosh (sale), End_Hesab (account) and Vamghest (installment loans) are also among the list of terms Narilam targeted.
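Because Narilam is described as locating databases named alim, maliran and shahd over OLEDB and then deleting or overwriting objects with financially named tables and columns, a defender can turn those two descriptions into a quick exposure and tamper check on a SQL Server instance. The T-SQL below is an added example, not code from the article or from Symantec, Kaspersky or Iran-CERT; it assumes SQL Server 2008 or later with rights to read the catalog views, and the table name dbo.BankCheck in step 3 is a hypothetical placeholder for whichever real table holds the sensitive data.

```sql
-- Step 1: is any of the database names the worm searches for present on this instance?
-- The three names come from the article; the worm ignores databases with other names.
SELECT d.name, d.state_desc, d.create_date
FROM sys.databases AS d
WHERE d.name IN ('alim', 'maliran', 'shahd');

-- Step 2: run inside a database of interest. List user objects whose names contain
-- any of the terms the article says Narilam looks for, newest modification first,
-- so that recently altered or freshly recreated objects stand out.
DECLARE @Terms TABLE (term sysname NOT NULL);
INSERT INTO @Terms (term) VALUES
  ('BankCheck'), ('A_Sellers'), ('buyername'),
  ('Pasandaz'), ('Hesabjari'), ('R_DetailFactoreForosh'),
  ('End_Hesab'), ('Vamghest');

SELECT o.name, o.type_desc, o.create_date, o.modify_date, t.term AS matched_term
FROM sys.objects AS o
JOIN @Terms AS t ON o.name LIKE '%' + t.term + '%'
WHERE o.is_ms_shipped = 0
ORDER BY o.modify_date DESC;

-- Step 3: fingerprint a sensitive table so that rows overwritten with random values
-- show up as a changed checksum on the next run. Store the returned value with the
-- backup set and compare; a dropped table simply makes this statement fail,
-- which is itself the signal. dbo.BankCheck is a hypothetical placeholder name.
SELECT COUNT(*)                          AS row_count,
       CHECKSUM_AGG(BINARY_CHECKSUM(*))  AS table_fingerprint
FROM dbo.BankCheck;
```

A matching fingerprint on two runs only shows that the checksum did not change; the article's advice to keep regular database backups is still the recovery path if a mismatch is found.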

Symantec said users with the latest definitions of its security software are protected from W32.Narilam, but are urged to regularly back up important databases.

"Unless appropriate backups are in place, the affected database will be difficult to restore," the company warned.

“The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”