Iran-focused malware tampers with business databases

Summary: Symantec has discovered an 'interesting' worm that sabotages Microsoft SQL databases and replaces items with random values, something that could be difficult for businesses to remedy, it warns.

Symantec is warning businesses to watch out for new malware that sabotages corporate databases by tampering with the items inside them.

The 'Narilam' worm targets Microsoft SQL databases, gaining access to certain tables and objects. Once inside, it looks for specific words then replaces these with random values, or deletes particular tables.

The distribution of the Narilam worm, as detected by Symantec's team. Image: Symantec

"The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," Symantec security researcher Shunichi Imano wrote in a blog post on Thursday. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations."

"Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users," he added.

Narilam looks for databases named 'alim', 'marilan' or 'shahd', then searches for terms such as 'BankCheck' and 'buyername'. According to Imano, some of the words are in Persian — 'Hesabjari', meaning 'current account', and 'pasandaz', meaning 'savings'.

Most of the Narilam-infected machines are in Iran, bringing to mind Stuxnet, which also concentrated on Iran and was built to sabotage its targets (in Stuxnet's case, industrial control systems) rather than to steal from them. However, the worm has also hit organisations in the UK and US, according to Symantec, though the overall number of infections so far is low.

"What’s interesting is that it’s specifically targeted the Persian region. We don’t typically see threats targeting financial accounting software in that area," Peter Coogan, senior security response manager at Symantec, told ZDNet.

Early days

Given this, Symantec is looking for more components to the malware, to find out what, if any, other actions it might take. This context could reveal whether Narilam has any correlation with Stuxnet or whether there is any spyware involved.

At the moment, Symantec doesn't know how the malware gets onto systems or who is behind it, Coogan said. While most financial Trojans are generated by cybercrime gangs, Narilam's Iranian focus warrants investigation into whether it is being used for sabotage or spying.

"We are looking to identify other potential components of this threat to see if there is more to this threat than a purely malicious threat," Coogan said.

However, those investigations are still in their early days, he cautioned. While Symantec first started detecting the malware two years ago, it was initially classified as a generic Trojan horse. It was only when researchers got hold of more samples that they took a closer look and began treating it as a distinct threat.

What they do know is that Narilam copies itself to an infected machine, adds registry keys, and spreads via network file shares and removable drives carried between machines by employees. In addition, they know it affects several versions of Windows, including Windows 7, Windows Server 2008, Vista and XP.

"What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB," Imano said. Object Linking and Embedding, Database (OLE DB) is Microsoft's COM-based API for accessing data from diverse data stores through provider components. Through the SQL Server provider, the worm issues ordinary queries and updates, so it can alter whatever the account it connects with is permitted to alter; an application login with broad write rights on the database is all it needs.

Businesses will have difficulty restoring a vandalised database, Symantec warned, unless they hold backups that predate the tampering, because the worm overwrites values in place rather than dropping the database wholesale.
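Because Narilam overwrites individual values in place, a database can look healthy while its contents are wrong, and a backup only helps if you know when the damage began. The following T-SQL is an added example, not code from Symantec or from the article: it checks a SQL Server instance for the database and object names the article lists, then records a per-table content checksum that can be re-run later and compared to spot silent in-place changes. The database name `alim` in the `USE` statement is an assumption standing in for whichever database you are checking; the name and term lists are taken from the article.

```sql
-- Added example (not Symantec's or ZDNet's code). Run in SSMS or sqlcmd
-- with a login that holds VIEW DEFINITION and SELECT on the databases checked.

-- 1. Are any of the database names the article associates with Narilam present?
SELECT name, state_desc
FROM sys.databases
WHERE name IN (N'alim', N'marilan', N'shahd');
GO

-- 2. Inside a database, do any tables, views or columns carry the terms the
--    worm searches for? Matching is case-insensitive under SQL Server's
--    default collation. 'alim' is an assumed placeholder; substitute your own.
USE alim;
GO
SELECT o.type_desc, s.name AS [schema], o.name AS [object], c.name AS [column]
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
LEFT JOIN sys.columns AS c ON c.object_id = o.object_id
WHERE o.type IN ('U', 'V')
  AND (o.name IN (N'BankCheck', N'buyername', N'Hesabjari', N'pasandaz')
       OR c.name IN (N'BankCheck', N'buyername', N'Hesabjari', N'pasandaz'));
GO

-- 3. Baseline the content of every user table in the current database.
--    Store the output; re-running it later and diffing the checksums shows
--    which tables were altered in place, which a size or row-count check misses.
--    BINARY_CHECKSUM(*) rejects text/ntext/image/xml columns; give those tables
--    an explicit column list instead.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N' UNION ALL SELECT N'''
             + REPLACE(s.name + N'.' + t.name, N'''', N'''''')   -- literal table name, quotes escaped
             + N''' AS table_name, COUNT_BIG(*) AS row_count, '
             + N'CHECKSUM_AGG(BINARY_CHECKSUM(*)) AS content_checksum FROM '
             + QUOTENAME(s.name) + N'.' + QUOTENAME(t.name)
FROM sys.tables AS t
JOIN sys.schemas AS s ON s.schema_id = t.schema_id;
SET @sql = STUFF(@sql, 1, 11, N'');   -- drop the leading ' UNION ALL '
EXEC sys.sp_executesql @sql;
GO
```

Two caveats a practitioner should keep in mind. BINARY_CHECKSUM is a fast non-cryptographic hash, so an unchanged checksum is strong but not conclusive evidence that a table is intact; treat the script as change detection that tells you which backup generation to restore from, not as proof. And the worm can only update what its connection is allowed to update, so the application login that business software uses to reach the server deserves the same least-privilege review as the detection itself.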

"The affected organisation will likely suffer significant disruption and even financial loss while restoring the database," Imano said. "As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them."

Topics: Security, Data Management, Malware

About

Karen Friar is news editor for ZDNet in the UK, based in London. She has been in journalism since the last century, starting out in film journalism in San Francisco, before making the switch to tech coverage at ZDNet.com. Next came a move to CNET News.com, where she looked after west coast coverage of business technology, specialising in...
