Narilam Malware Targets SQL Databases

Symantec researchers recently uncovered new malware, W32.Narilam, which is designed to modify and delete items in specific SQL databases named alim, maliran and shahd. The vast majority of infections thus far have occurred in Iran.

"Once Narilam finds the targeted databases, it looks for financial terms such as 'BankCheck,' 'A_sellers' and 'buyername' and Persian terms like 'Pasandaz' ('Savings') and 'Vamghest' ('Instant Loans')," writes Threatpost's Anne Saita. "The malware also deletes tables with the following names: A_Sellers, person and Kalamast."

"The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," writes Symantec's Shunichi Imano. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations."

"Businesses will have difficulty restoring a vandalised database, Symantec warned, unless they have backups," writes ZDNet's Karen Friar. "'The affected organisation will likely suffer significant disruption and even financial loss while restoring the database,' Imano said. 'As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.'"

"Interestingly, Narilam shares some similarities with Stuxnet, the malware targeted at Iran that disrupted its uranium refinement capabilities by interfering with industrial software that ran its centrifuges," writes Computerworld's Jeremy Kirk. "Like Stuxnet, Narilam is also a worm, spreading through removable drives and network file shares, Imano wrote."

"Stuxnet similarly served no intelligence purpose and was designed to sabotage its target -- a uranium enrichment facility in Natanz, Iran," The H Security reports.