Thursday, May 13, 2021

Newly Discovered Malware Targets Iran, Modifies Microsoft SQL Databases

Security vendor Symantec is warning of a newly discovered piece of malware that is targeting corporate databases in the Middle East, specifically Iran. The worm, called “Narilam,” looks for particular words in Microsoft SQL databases and overwrites them.

Symantec’s blog explained, “Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough, what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.”

Computerworld’s Jeremy Kirk noted, “Interestingly, Narilam shares some similarities with Stuxnet, the malware targeted at Iran that disrupted its uranium refinement capabilities by interfering with industrial software that ran its centrifuges. Like Stuxnet, Narilam is also a worm, spreading through removable drives and network file shares, [Symantec’s Shunichi] Imano wrote. Once on a machine, it looks for Microsoft SQL databases. It then hunts for specific words in the SQL database — some of which are in Persian, Iran’s main language — and replaces items in the database with random values or deletes certain fields. Some of the words include ‘hesabjari,’ which means current account; ‘pasandaz,’ which means savings; and ‘asnad,’ which means financial bond, Imano wrote.”

PCMag’s Fahmida Y. Rashid reported, “The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan, although infections have been reported in the United States and the United Kingdom. The malware appeared to have been created between 2009 and 2010, according to Kaspersky Lab’s Global Research and Analysis Team. While ‘about 80 incidents’ have been recorded over the past two years, the fact that just six infections were reported in the past month suggests the malware is ‘probably almost extinct,’ the researchers wrote on SecureList.”

The Register quoted Iran’s Computer Emergency Response Team, which dismissed the threat, saying, “The malware called ‘Narilam’ by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”

Similar articles

Latest Articles

Database-Tuning Platform Launches and...

PITTSBURGH — A team out of Carnegie Mellon University is launching its automatic database-tuning product today with the help of $2.5 million in funding.   OtterTune,...

Top 10 Professional Services...

Professional services automation (PSA) software aims to offer service-based companies most of the software they will need to run their businesses in one package....

What is Data Aggregation?

Data aggregation is the process where raw data is gathered and presented in a summarized format for statistical analysis. The data may be gathered...

Dell APEX: Our...

One of the missteps IBM made last century was collapsing their sales model, which was services based, to generate a short-term revenue spike. Up...