Narilam database malware found in Iran strictly business
Symantec recently identified a database-corrupting piece of malware targeting systems mostly in Iran, but despite early speculation that it could be related to the likes of Stuxnet and Flame, it appears to be targeting small businesses rather than the country’s infrastructure.
The worm, which Symantec calls W32.Narilam, attacks Microsoft SQL Server databases and searches for specific words, some of them written in Persian or Arabic, according to a Symantec blog post. Narilam then corrupts data, but does not steal anything, according to the blog.
The malware bears some cursory resemblance to Stuxnet, in that it is a worm and spreads via removable drives and network file shares, Symantec said. Stuxnet reportedly was developed as part of a U.S.-led cyber operation that disrupted Iran’s uranium processing. Other pieces of malware, including Flame and Duqu, also have been identified as coming from the program.
However, Iran’s Computer Emergency Response Team issued a statement calling Narilam unsophisticated and saying it “has no sign of a major threat.” In fact, Iran’s CERT said the malware had been previously detected in 2010 and targets accounting software, developed by an Iranian company, that is used by small businesses.
Symantec said infections weren’t widespread and that the vast majority of infections were in Iran, with a few in the United States and Great Britain.
Researchers at Kaspersky Labs also said they saw no connection between Narilam and Stuxnet, and, considering the low number of reported infections, speculated that the worm is “probably almost extinct.”
Posted by Kevin McCaney on Nov 26, 2012 at 9:39 AM