SecurityWeek

Malware & Threats

Symantec Discovers New Database Sabotage Malware

Malware Modifies, Deletes Business SQL Databases

Symantec researchers said they have discovered new malware that targets corporate databases, but doesn’t actually have data-stealing capabilities. Instead, Symantec said, the malware modifies and deletes records in corporate SQL databases.


Detected by Symantec as W32.Narilam, infections appear to be predominantly in systems in the Middle East, Symantec said. However, infections have also been detected in other countries, including a small number in the United States and the UK. Of the infections detected so far, the vast majority of users impacted by this threat are corporate users, Symantec said.

The malware copies itself to a system, adds registry keys, and spreads through removable drives and network shares, Symantec said.

Developed in Delphi, the malware incorporates functionality to update and modify a Microsoft SQL database if it is accessible via Object Linking and Embedding Database (OLEDB).

The malware was authored to specifically target SQL databases with three distinct names: alim, maliran, and shahd. Furthermore, the malware targets object and table names that it can access, and replaces certain items in the database with random values, including Asnad.SanadNo (“sanad” means “document” in Persian) and Pasandaz.Code (“pasandaz” means “savings” in Persian).

Based on these values and some others, it’s apparent that the malware is targeting databases that have financial and other business-related functions.

In addition to modifying records, the malware deletes tables, including specific names such as “A_Sellers”, “person”, and “Kalamast”.

Because this particular threat targets specific database and table names, organizations that become infected aren’t really at risk unless they have OLEDB-accessible databases using those specific names. That being said, malware authors can easily customize and modify the malware to launch attacks against other targets, and in this case, the malware could be easily modified to target databases with different names.


“Unless appropriate backups are in place, the affected database will be difficult to restore,” Symantec warned in a Thanksgiving day blog post. “The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”
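As an added example (not code from the article or from Symantec), one defensive response to the two effects described above, overwritten fields and dropped tables, is a row-level integrity baseline over the named tables, so that drift is detected before a restore is the only option. It assumes sqlite3 as a stand-in for Microsoft SQL Server; the table and column names are those quoted on this page, and the sample rows are constructed.

```python
import hashlib
import sqlite3

# Table and column names are those quoted on this page; an empty list hashes the whole row.
WATCHED_TABLES = {"Asnad": ["SanadNo"], "Pasandaz": ["Code"],
                  "A_Sellers": [], "person": [], "Kalamast": []}

def row_digest(values):
    """Stable digest over one row's watched values."""
    return hashlib.sha256(repr(tuple(values)).encode()).hexdigest()

def snapshot(conn):
    """Return {table: {rowid: digest}} for every watched table that exists."""
    present = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    snap = {}
    for table, cols in WATCHED_TABLES.items():  # identifiers come only from the constant above
        if table not in present:
            continue
        select = ", ".join(cols) if cols else "*"
        rows = conn.execute(f"SELECT rowid, {select} FROM {table}").fetchall()
        snap[table] = {r[0]: row_digest(r[1:]) for r in rows}
    return snap

def diff(baseline, current):
    """List (kind, table, rowid) findings: dropped tables, deleted rows, modified rows."""
    findings = []
    for table, rows in baseline.items():
        if table not in current:
            findings.append(("table_missing", table, None))
            continue
        for rid, digest in rows.items():
            if rid not in current[table]:
                findings.append(("row_missing", table, rid))
            elif current[table][rid] != digest:
                findings.append(("row_modified", table, rid))
    return findings

def demo():
    """Constructed data: baseline a throwaway database, alter it, and report the drift."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Asnad (SanadNo TEXT, Amount REAL);
        CREATE TABLE A_Sellers (Name TEXT);
        INSERT INTO Asnad VALUES ('S-1001', 50.0), ('S-1002', 75.5);
        INSERT INTO A_Sellers VALUES ('Seller A');""")
    baseline = snapshot(conn)
    # The two effects the article describes: a field overwritten, a table dropped.
    conn.execute("UPDATE Asnad SET SanadNo = 'X9Q2' WHERE SanadNo = 'S-1001'")
    conn.execute("DROP TABLE A_Sellers")
    return diff(baseline, snapshot(conn))
```

In production the baseline would be stored outside the database server and compared on a schedule, since a baseline kept beside the data can be destroyed with it.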

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
