Iran: Narilam Malware Not a Major Threat

Officials on Iran’s computer emergency response team poured cold water on alerts about a strain of malware security researchers have warned is infecting databases throughout the country.

Last week, Symantec released a detailed analysis about a piece malware known as Narilam, which has primarily been targeting users in the Middle East though a small number of infections have been detected in the United States and the U.K. According to the company, the majority of the victims are corporate users.

Though the report received media coverage, authorities in Iran pointed out the malware is old and declared that it is not a threat for most users.

“The malware called “narilam” by Symantec was an old malware, previously detected and reported online in 2010 by some other names,” according to a translation of a statement from Iran-CERT. “This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not wide spread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”

According to an analysis by Kaspersky Lab, Narilam was probably deployed during late 2009 and mid-2010.

“Its purpose was to corrupt databases of three financial applications from TarrahSystem, namely Maliran, Amin and Shahd,” Kaspersky Lab noted. “Several variants appear to have been created, but all of them have the same functionality and method of replication.Reports from Kaspersky Security Network indicate that the malware was found mostly in Iran (~60%) and Afghanistan (~40%).”

“At the moment, we do not see any direct connection with other recent destructive malware (such as Shamoon or Wiper). Unlike Duqu or Flame, there is no apparent cyberespionage function,” the analysis continued. “The malware is currently almost extinct – during the past month, we have observed just six instances of this threat.”

Symantec itself classified the threat as ‘low’ in terms of the distribution. Written in Delphi, the malware copies itself to the infected machine, adds registry keys and spreads through removable drives and network shares. What is more unique about it is that it has functionality to update a Microsoft SQL database provided it is accessible by Object Linking and Embedding Database (OLEDB), and specifically targets SQL databases with three distinct names: alim, maliran, and shahd.

 “The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” according to Symantec. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”

“Unless appropriate backups are in place, the affected database will be difficult to restore,” Symantec warned. “The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”