anuseems Posted November 27, 2012

Stuxnet garnered a ton of media attention when it managed to cripple Iran's nuclear program, but a new worm recently detailed by Symantec is attacking the country on a different and perhaps even more damaging level. A new virus called Narilam started infiltrating the country's banking systems during the past week.

As outlined by the security company, the worm works much like any other in that it copies itself to infected machines, adds registry keys and can be spread via removable drives and over networks. The code is written in Delphi, a common language used to produce malware. What's not common about Narilam, however, is the fact that it can manipulate a Microsoft SQL database that is accessible by OLEDB. Symantec says it specifically goes after SQL databases that have one of three distinct names: alim, maliran or shahd.

Also unlike other malware, Narilam isn't designed to spy on a user or their data. Instead, the code simply works itself into systems that deal with money and does its best to screw up data. As you can imagine, this is bad news for banks as it could potentially permanently destroy valuable financial records.

At this hour, it seems that the best defense against the worm is a good backup strategy that an institution could resort to in the event they become infected. Even still, Symantec says an infected database could be difficult to restore. Service disruption and permanent loss would both be expected as part of a successful attack.

There's no word yet on who is responsible for creating the worm. For their part, Iran says the worm hasn't been a serious concern as of yet. Granted, they probably wouldn't admit it even if it was causing chaos in the financial sector.

@ http://www.symantec....tabase-sabotage
@ http://www.techspot....stitutions.html
anuseems Posted November 27, 2012 (Author)

In the last couple of years, we have seen highly sophisticated malware used to sabotage the business activities of chosen targets. We have seen malware such as W32.Stuxnet designed to tamper with industrial automation systems, and other destructive examples such as W32.Disstrack and W32.Flamer, which can both wipe out data and files from hard disks. All of these threats can badly disrupt the activities of those affected.

Following along that theme, we recently came across an interesting threat that has another method of causing chaos, this time by targeting and modifying corporate databases. We detect this threat as W32.Narilam.

Based on the detections observed, W32.Narilam is active predominantly in the Middle East.

Figure 1. Distribution of W32.Narilam

Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough; what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.

The following are some of the object/table names that can be accessed by the threat:
- Hesabjari ("current account" in Arabic/Persian)
- Holiday
- Holiday_1
- Holiday_2
- Asnad ("financial bond" in Arabic)
- A_sellers
- A_TranSanj
- R_DetailFactoreForosh ("forosh" means "sale" in Persian)
- person
- pasandaz ("savings" in Persian)
- BankCheck
- End_Hesab ("hesab" means "account" in Persian)
- Kalabuy
- Kalasales
- REFcheck
- buyername
- Vamghest ("instalment loans" in Persian)

The threat replaces certain items in the database with random values. The following are some of the items that are modified by the threat:
- Asnad.SanadNo ("sanad" means "document" in Persian)
- Asnad.LastNo
- Asnad.FirstNo
- A_TranSanj.Tranid
- Pasandaz.Code ("pasandaz" means "savings" in Persian)
- n_dar_par.price
- bankcheck.state
- End_Hesab.Az
- Kalabuy.Serial
- sath.lengths
- Kalasales.Serial
- refcheck.amount
- buyername.Buyername

The threat also deletes tables, including ones with the following names:
- A_Sellers
- person
- Kalamast

Below is a fraction of the temporal procedure that is specified in the threat code.

Figure 2. Code snippet showing an extract of the temporal procedure

For example, in lines 12 through 14, it sets a variable, @SanadNo, to a value that is randomly chosen between zero and the maximal value in Koll.Koll records. Then it deletes a record in the Koll table where the Koll.Koll value is the same as the random value.

The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database. Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.

Our in-field telemetry indicates that the vast majority of users impacted by this threat are corporate users. This fact is consistent with the functionality contained within the threat. The types of databases that this threat is looking for are unlikely to be found in the systems of home users.

Figure 3. Narilam infections broken down by user type

Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.

Symantec users with the latest definitions are protected from W32.Narilam; however, we strongly recommend that important databases be backed up regularly.

http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage
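One defensive control that follows from the Symantec writeup, added here as an example and not part of the post or the thread: an integrity baseline over the exact columns the worm overwrites and the tables it drops, so that silent overwrites (same row count, changed values) and missing tables are noticed before the backup rotation overwrites the last good copy. It uses an in-memory SQLite database as a stand-in for the MS SQL instance (an assumption for portability); the table and column names are the ones listed above, and the fixture rows are constructed.

```python
import hashlib
import sqlite3

# Columns W32.Narilam overwrites and tables it drops, as listed in the Symantec post.
WATCHED_COLUMNS = {
    "Asnad": ["SanadNo", "LastNo", "FirstNo"],
    "A_TranSanj": ["Tranid"],
    "Pasandaz": ["Code"],
    "BankCheck": ["state"],
    "End_Hesab": ["Az"],
    "Kalabuy": ["Serial"],
    "Kalasales": ["Serial"],
    "RefCheck": ["amount"],
}
DROPPED_TABLES = ["A_Sellers", "person", "Kalamast"]


def table_exists(conn, name):
    sql = "SELECT 1 FROM sqlite_master WHERE type='table' AND lower(name)=lower(?)"
    return conn.execute(sql, (name,)).fetchone() is not None


def snapshot(conn):
    """Row count plus a digest of the watched columns for every table of interest.
    A missing table is recorded as None so a dropped table shows up in compare().
    Table/column names come from the fixed constants above, never from user input."""
    state = {}
    for table in list(WATCHED_COLUMNS) + DROPPED_TABLES:
        if not table_exists(conn, table):
            state[table] = None
            continue
        cols = ", ".join(WATCHED_COLUMNS.get(table, ["rowid"]))
        rows = conn.execute(f"SELECT {cols} FROM {table} ORDER BY rowid").fetchall()
        state[table] = (len(rows), hashlib.sha256(repr(rows).encode()).hexdigest())
    return state


def compare(baseline, current):
    """Human-readable drift findings; an empty list means nothing changed."""
    findings = []
    for table, before in baseline.items():
        after = current.get(table)
        if before is None:
            continue  # absent at baseline time as well
        if after is None:
            findings.append(f"{table}: table missing (was {before[0]} rows)")
        elif after[0] != before[0]:
            findings.append(f"{table}: row count {before[0]} -> {after[0]}")
        elif after[1] != before[1]:
            findings.append(f"{table}: watched columns changed, row count unchanged")
    return findings


def demo():
    """Constructed in-memory fixture; the two edits mimic the effects the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Asnad (SanadNo INTEGER, LastNo INTEGER, FirstNo INTEGER);
        INSERT INTO Asnad VALUES (1001, 5, 1), (1002, 9, 6);
        CREATE TABLE person (id INTEGER, name TEXT);
        INSERT INTO person VALUES (1, 'test');
    """)
    baseline = snapshot(conn)
    conn.execute("UPDATE Asnad SET SanadNo = 777 WHERE rowid = 1")  # overwritten value
    conn.execute("DROP TABLE person")                                 # dropped table
    return compare(baseline, snapshot(conn))
```

Run the baseline from a scheduled job against a read-only account and alert on any non-empty result; the digest catches the random-value overwrites that a plain row count would miss.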
dcs18 Posted November 27, 2012

anuseems, I don't know from where you keep out all those worms - rep. to ya. :)
anuseems Posted November 27, 2012 (Author)

From the backdoor of politicians ;-)
x3r0 Posted November 28, 2012

Delphi? Does the Iranian banking system run on Windows?