Symantec Discovers New Database Sabotage Malware

Malware Modifies, Deletes Business SQL Databases

Symantec researchers said they have discovered new malware that targets corporate databases, but doesn’t actually have data-stealing capabilities. Instead, Symantec said, the malware modifies and deletes records in corporate SQL databases.

Detected by Symantec as W32.Narilam, infections appear to be predominately in systems in the Middle East, Symantec said. However, other infections have been detected in other countries including a small number in the United States and in the UK. Of the infections detected so far, the vast majority of users impacted by this threat are corporate users, Symantec said.

The malware copies itself to a system, adds registry keys, and spreads through removable drives and network shares, Symantec said.

Developed in Delphi, the malware incorporates functionality to update and modify a Microsoft SQL database if it is accessible by Object Linking and Embedding Database (OLEDB).

The malware was authored to specifically target SQL databases with three distinct names: alim, maliran, and shahd. Furthermore, the malware targets object and table names that can be accessed, and replaces certain items in the database with random values, including Asnad.SanadNo, which “sanad” means “document” in Persian, and Pasandaz.Code, of which “pasandaz” means “savings” in Persian.

Based on these values and some others, it’s apparent that the malware is targeting databases that have financial and other business-related functions.

In addition to modifying records, the malware deletes tables, including specific names such as “A_Sellers”, “person”, and “Kalamast”.

Because this particular threat targets specific databases and table names, organizations that become infected really aren’t at risk unless they have OLEDB accessible databases using those specific names. That being said, malware authors can easily customize and modify the malware to launch attacks against other targets, and in this case, the malware could be easily modified to target databases with different names.

“Unless appropriate backups are in place, the affected database will be difficult to restore,” Symantec warned in a Thanksgiving day blog post. “The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”