W32.Narilam, the malware that hit databases in Middle East

Sunday, November 25, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)


Recently we have always thought to malware as dangerous agents used to steal information such as banking credentials or to be used in cyber espionage operation.

This is one of the different ways to monetize the development of a malicious agent, virus creation to steal information which is associated with an economic value.

But we also learned that malware could be developed for destructive purposes, that the case of state-sponsored project or cyber weapon such as Stuxnet, but similar approach could be also persecuted by private companies against competitor business.

The sabotage of business could be obtained also through the spread of virus and trojan designed to attacks specific targets, W32.Disttrack malware is a sample of this category of malware because it is able to wiped out data from victims hard disks.

The sabotage could have various effects depending on the practices adopted by companies to respond to an incident, anyway it represents a serious threat to the business.

Symantec has published an interesting alert on a new agent named W32.Narilam that has been designed to damage corporate databases. Once again the geographic area most impacted is the Middle East.

W32.Narilam is a worm that attempts to spread by copying itself to all drives and certain shared folders on the compromised computer, the malware doesn’t include module to steal information from the victims.

The malware is written in Delphi programming language and has a behavior similar to other malicious agent but what is considered “unusual” by security researchers is its capability to update a Microsoft SQL database if it is accessible by OLEDB.

The worm is designed expressed to attack SQL databases, it searches for instances having the following names:

  • alim
  • maliran
  • shahd

and in particular it is able to access to database objects to updating/deleting them. The malware searches for objects having specific names, some of them having some of them belonging to the Arabic and Persian languages (e.g. Hesabjari than means "current account" in Arabic/Persian).

Analyzing the objects manipulated by the malware, and the type of database hit, the experts have deducted that it has been developed to target mainly corporations.

Symantec revealed that the percentage of business users hit is of 97,1%, meanwhile Non business users are at 2,9%.

The Symantec report states:

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

Fortunately the threat assessment reveals that it is considerable a low level menace due the limited number of infections in a very restricted area. The agent is simple to eradicate despite once infected the victim it damages database irreparably.

Once again the question is ... who has developed the malware and why?

Pierluigi Paganini

 

References

http://securityaffairs.co/wordpress/10564/malware/w32-narilam-the-malware-that-hit-databases-in-middle-east.html

Possibly Related Articles:
14526
Viruses & Malware
Information Security
malware Attacks cyber weapon Middle East
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.