Topic: Symantec discovered new Worm which target Iran - W32.Narilam

[Samker]

Symantec has spotted another odd piece of malware that appears to be targeting Iran and is designed to meddle with SQL databases.

The company discovered the malware, called W32.Narilam: http://www.symantec.com/security_response/writeup.jsp?docid=2012-111516-3751-99 , on November 15 but on Friday published a more detailed writeup by Shunichi Imano: http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage
Narilam is rated as a "low risk" by the company, but according to a map, the majority of infections are concentrated in Iran, with a few in the U.K., the continental U.S., and the state of Alaska.

Interestingly, Narilam shares some similarities with Stuxnet, the malware targeted at Iran that disrupted its uranium refinement capabilities by interfering with industrial software that ran its centrifuges. Like Stuxnet, Narilam is also a worm, spreading through removable drives and network file shares, Imano wrote.

Once on a machine, it looks for Microsoft SQL databases. It then hunts for specific words in the SQL database—some of which are in Persian, Iran's main language—and replaces items in the database with random values or deletes certain fields.

Some of the words include "hesabjari," which means current account; "pasandaz," which means savings; and "asnad," which means financial bond, Imano wrote.

"The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database," Imano wrote. "Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations."

Consumers not targeted

The types of databases sought by Narilam are unlikely to be employed by home users. But Narilam could be a headache for companies that use SQL databases but do not keep backups.

"The affected organization will likely suffer significant disruption and even financial loss while restoring the database," Imano wrote. "As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them."

Stuxnet is widely believed to have been created by the U.S. and Israel with the intent of slowing down Iran's nuclear program. Since its discovery in June 2010, researchers have linked it to other malware including Duqu and Flame, indicating a long-running espionage and sabotage campaign that has prompted concern over escalating cyberconflict between nations.

(PCW)

[Fintech]

O.K. That's good to know!

[Pez]

Some more info about "Narilam".

Narilam Trojan Targets Iranian Financial Software


Iranian infrastructure has been on the radar of cyberattackers for a couple of years. We have already witnessed organized and sophisticated attacks such as Stuxnet, Duqu, and similar assaults. Now we have seen yet another attack against Iran, this one primarily targeting the Microsoft SQL Server databases of some Iranian financial software. This attack has been named Narilam because one of the financial applications it targets is called Maliran.

We have analyzed several samples of this malware, one of which was about 2MB. From the binaries’ headers, it looks as though this attack has been going on for a while: The Trojan was compiled with Borland C++ in 2010.


Larger picture

One sample, first seen in June 2012, has a timestamp of July 2002.


Larger picture

Although these headers could have been faked, while analyzing the code we found the date April 25, 2010, which leads us to believe that this threat has existed for more than two years.


Larger picture

The Iranian CERT team has published an alert for this malware, indicating that Narilam has been known since 2010 by a different name.

Narilam Targets

The installation process of this malware is fairly standard in creating the start-up registry entries and copying itself as lsass.exe into the system directory. It targets certain SQL databases and tables of the following Iranian finance and banking software.

• Maliran (integrated financial and applications software)
• Shahd (integrated financial, commercial, and retail software)
• Amin (banking software)

Narilam checks for the presence of these software and exits the infected systems if it does not find them.


Larger picture

Although the malware code doesn’t seem to employ any sophisticated techniques compared with its predecessors, it can connect to the specific databases via OLE DB and send SQL queries to update or delete records and drop certain tables with specific names. Here are some of the SQL queries that we’ve found in the code:

• Update Asnad Set SanadNo=@SanadNo1,LastNo=@SanadNo1,FirstNo=@SanadNo1 Where Cast(SanadNo as int)=@SanadNo and Raj=@Raj
• Set @SanadNo=(select Max(Cast(sellercod As int )) from A_Sellers
• Delete from A_Sellers Where Cast(sellercod as int)=@SanadNo
• Update A_TranSanj Set Tranid=@SanadNo1 Where Cast(Tranid as int)=@SanadNo and Raj=@Raj
• Delete from Koll Where Cast(Koll as int)=@SanadNo
• Delete from Moein Where Cast(Moein as int)=@SanadNo
• Drop table Holiday_1
• Set @SanadNo=Round(@SanadNo * (SELECT RAND(@IDLE)),0,0
• Set @Raj=(select Max(Raj) from R_DetailFactoreForosh Where Cast(SanadNoForosh as int)=@SanadNo
• Update R_DetailFactoreForosh Set SanadNoForosh=@SanadNo1 Where Cast(SanadNoForosh as int)=@SanadNo and Raj=@Raj


Larger picture

Here are the some of the database tables that Narilam targets for updating and deleting records:

• Holiday_1
• Holiday_2
• A_Sellers
• A_TranSanj
• Koll
• R_DetailFactoreForosh
• Moein
• Tafsily
• Vamghest

Some of the table names dropped from the database:

• Holiday_1
• Holiday_2
• A_Sellers

Next we see the portion of the code where it tries to access SQL Server’s sysobjects table:


Larger picture

The binary also contains the following sequence to further corrupt the database with random values:


Larger picture

All the financial and banking software targeted by this malware are products of the Iranian company Tarrah Systems, which issued a warning on its website about W32.Narilam a couple of days ago. The company asked its customers to use the backups of their databases if they are using the targeted products.


Larger picture

While analyzing several similar samples of this malware, it seems this code was written to corrupt and delete databases accessed by these software, thereby causing potential financial losses to users. Possible targets of Narilam are corporations and banks that are likely to have these applications installed. We recommend that users of these systems regularly back up their systems, and avoid any kind of disturbance.

McAfee users with the latest antivirus definitions are already protected against these attacks.


Orginal article: Thursday, November 29, 2012 at 10:50pm by Chintan Shah