Security Protection – Harry Waldron MVP Rotating Header Image

W32.Narilam – New SQL data base malware emerges in Middle East

Symantec has identified a new sophisticated malware threat designed to alter SQL Server databaseswhere user rights are not properly locked down.  As with the Stuxnet attacks, this new threat is most active in the Middle East

http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage

http://securitywatch.pcmag.com/none/305296-database-modifying-malware-narilam-a-corporate-sabotage-tool

QUOTE: In the last couple of years, we have seen highly sophisticated malware used to sabotage the business activities of chosen targets. We have seen malware such as W32.Stuxnet designed to tamper with industrial automation systems and other destructive examples such as W32.Disstrack and W32.Flamer, which can both wiped out data and files from hard disks. All of these threats can badly disrupt the activities of those affected.  Following along that theme, we recently came across an interesting threat that has another method of causing chaos, this time, by targeting and modifying corporate databases. We detect this threat as W32.NarilamBased on the detections observed, W32.Narilam is active predominantly in the Middle East.

Just like many other worms that we have seen in the past, the threat copies itself to the infected machine, adds registry keys, and spreads through removable drives and network shares. It is even written using Delphi, which is a language that is used to create a lot of other malware threats. All these aspects of this threat are normal enough, what is unusual about this threat is the fact that it has the functionality to update a Microsoft SQL database if it is accessible by OLEDB.

 

Comments are closed.