Narilam virus targets Middle East, but isn't like others


Researchers have detected new cases of a previously discovered worm, Narilam, which is targeting accounting applications in corporate databases throughout the Middle East.

Symantec, which on Thursday published an analysis of the malware, found that Narilam had infected Microsoft SQL systems and was capable of modifying and deleting sensitive data and tables of its victims. Narilam, which likely began spreading as early as late 2009, may have capabilities reminiscent of other Middle Eastern-targeted malware, but its source is likely a smaller network, according to Symantec.

While the worm does not steal information from infected computers, it is coded to tamper with or sabotage databases. So far, Narilam has targeted databases, primarily in Iran, used for customer management and accounting purposes. Computers running Windows 7, Windows Server 2008, Windows Vista and XP have been impacted by the worm.

Vikram Thakur, principal security response manager at Symantec, told SCMagazine.com on Tuesday that Narilam has likely been used by small to midsize businesses to sabotage the sensitive data of competitors, and is not the work of nation-state attackers.

“We don't think that there is technically any connection [here] between Stuxnet, Duqu or Flame malware,” Thakur said. If anything, he said, the similarities end in that the malware destroys data and is very targeted in nature, much like Shamoon, a virus that attacks energy-sector computers running Microsoft Windows NT.

“On a technical level, Narilam is very straightforward,” Thakur said. “It is not complicated, and we don't believe it is the act of any nation-state.”

Narilam infections are thought to be in the hundreds, and an even smaller number of cases have popped up in the United States and the U.K. over the last couple of months, Thakur said.

Once corporate databases are infected, restoring assets is a challenge given the malware's ability to sabotage systems. Of its victims, more than 97 percent have been business users, according to Symantec's research.

On Sunday, Iran's Computer Emergency Response Team (CERT), also known as the Maher Center, posted an alert supporting theories about Narilam's perpetrators.

“The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company…accounting software for small businesses,” the alert said. “The simple nature of the malware looks more like [it's trying] to harm the software company's reputation among their customers."

Research from security firm Kaspersky Lab also confirmed these reports.

"Considering compilation timestamps and early reports, Narilam is a rather old threat that was probably deployed during late 2009 and mid-2010," said a blog post published Monday. "Its purpose was to corrupt databases of three financial applications from [an Iranian company named] TarrahSystem, namely Maliran, Amin and Shahd. Several variants appear to have been created, but all of them have the same functionality and method of replication." 

Over the past month, Kaspersky detected six cases of the threat.
