Symantec Warns of New Malware Targeting SQL Databases

Symantec is warning of a new piece of malware that appears to be modifying corporate databases, particularly in the Middle East, though it's showing up elsewhere in the world too.

W32.Narilam, first discovered Nov. 15, follows a pattern similar to other worms, copying itself onto infected machines, adding registry keys and propagating through removable drives and network shares. “What is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd,” wrote Symantec security researcher Shunichi Imano in a blog post.

Once Narilam finds the targeted databases, it looks for financial terms such as “BankCheck,” “A_sellers” and “buyername” and Persian terms like “Pasandaz” (“Savings”) and “Vamghest” (“Instant Loans”). The malware also deletes tables with the following names: A_Sellers, person and Kalamast.

“The malware does not have any functionality to steal information from the infected system and appears to be programmed specifically to damage the data held within the targeted database,” Imano wrote. “Given the types of objects that the threat searches for, the targeted databases seem to be related to ordering, accounting, or customer management systems belonging to corporations.”

The overall infection rate is low at the moment, but those whose networks are not properly protected could see business disrupted, Imano said.

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

 
