After the US and Israel cooked up Stuxnet — a potent cyber weapon aimed at Iran’s nuclear facilities — whenever a virus targets Iran, it could be something major. This time around, the web threat wants to erase Iranian banks.
The worm, which Symantec has dubbed W32.Narilam, started creeping through Iranian financial servers over the past several days:
Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough, what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB. The worm specifically targets SQL databases with three distinct names: alim, maliran, and shahd.
The following are some of the object/table names that can be accessed by the threat:
Hesabjari (“current account” in Arabic/Persian).
Holiday
Holiday_1
Holiday_2
Asnad (“financial bond” in Arabic)
A_sellers
A_TranSanj
R_DetailFactoreForosh (“forosh” means “sale” in Persian)
person
pasandaz (“savings” in Persian)
BankCheck
End_Hesab (“hesab” means “account” in Persian)
Kalabuy
Kalasales
REFcheck
buyername
Vamghest (“instalment loans” in Persian)
That might look like gibberish, but it can be distilled down to one idea: the worm makes its way into computers and then screws up code that includes financial terms. If you’re a bank, this is very bad news, potentially (and permanently) screwing up very valuable databases. Symantec notes that, interestingly, the worm doesn’t have any ambitions of spying — it just goes in and ruins data, rather than reporting it back to some third party. But any bank hit by Narilam will be hurting:
Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organisation will likely suffer significant disruption and even financial loss while restoring the database.
Iran denies the attack has been much of a problem so far, but after the drumming it received from Stuxnet, it’s unlikely it’ll admit to having its guard down yet again. It’s also unclear who’s behind the virus — other than some party that wants to hurt Iran’s financial sector. When a country has as many enemies as Tehran’s up against, that’s a long list. [Symantec]
Image: Symantec