Narilam virus targets Middle East, but isn’t like others


Researchers have detected new cases of a previously discovered worm, Narilam, which is targeting accounting applications in corporate databases throughout the Middle East.

Symantec, which on Thursday published an analysis of the malware, found that Narilam had infected Microsoft SQL systems and was capable of modifying and deleting sensitive data and tables of its victims. Narilam, which likely began spreading as early as late 2009, may have capabilities reminiscent of other Middle Eastern-targeted malware, but its source is likely a smaller network, according to Symantec.

While the worm does not steal information from infected computers, it is coded to tamper with or sabotage databases. So far, Narilam has targeted databases, primarily in Iran, used for customer management and accounting purposes. Computers running Windows 7, Windows Server 2008, Windows Vista and XP have been impacted by the worm.

Vikram Thakur, principal security response manager at Symantec, said on Tuesday that Narilam has likely been used by small to midsize businesses to sabotage the sensitive data of competitors -- and is not the work of nation-state attackers.

“We don't think that there is technically any connection [here] between Stuxnet, Duqu or Flame malware,” Thakur said. If anything, he said, the similarities end in that the malware destroys data and is very targeted in nature, much like Shamoon, a virus that attacks energy-sector computers running Microsoft Windows NT.

"On a technical level, Narilam is very straightforward," Thakur said. "It is not complicated, and we don't believe it is the act of any nation-state."

Narilam infections are thought to be in the hundreds, and an even smaller number of cases have popped up in the United States and the U.K. over the last couple of months, Thakur said.

Once corporate databases are infected, restoring assets is a challenge given the malware's ability to sabotage systems. Of its victims, more than 97 percent have been business users, according to Symantec's research.

On Sunday, Iran's Computer Emergency Response Team (CERT), also known as the Maher Center, posted an alert supporting theories about Narilam's perpetrators.

“The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company…accounting software for small businesses,” the alert said. “The simple nature of the malware looks more like [it's trying] to harm the software company's reputation among their customers.”

Research from security firm Kaspersky Lab also confirmed these reports.

"Considering compilation timestamps and early reports, Narilam is a rather old threat that was probably deployed during late 2009 and mid-2010," said a blog post published Monday. "Its purpose was to corrupt databases of three financial applications from [an Iranian company named] TarrahSystem, namely Maliran, Amin and Shahd. Several variants appear to have been created, but all of them have the same functionality and method of replication." 

Over the past month, Kaspersky detected six cases of the threat.
