Symantec’s database wrecking malware is no Stuxnet, says Iran CERT

Kaspersky protects super spy cyber weapon turf.
  • Liam Tung (CSO Online)
  • — 27 November, 2012 10:55



A piece of malware that Symantec warned could cause "chaos" to businesses in Iran is not a major threat, according to Iran CERT, Maher, and Russian security outfit Kaspersky Lab.

Symantec last week loosely compared what it thought was a newly discovered database-wrecking worm, which it named Narilam, to the more powerful Stuxnet, Flamer and Distrack (Shamoon). Symantec warned businesses in the Middle East to back up their databases or risk significant disruption from the effects of the malware.

The worm seeks to manipulate certain tables in SQL databases rather than steal information, and Symantec said it was written in the Delphi programming language.

Some subsequent media reports that suggested Narilam and Stuxnet were related prompted a clarification from Iran’s Maher on Sunday:

“The malware called "narilam" by Symantec was an old malware, previously detected and reported online in 2010 by some other names. This malware has no sign of a major threat, nor a sophisticated piece of computer malware. The sample is not widespread and is only able to corrupt the database of some of the products by an Iranian software company, those products are accounting software for small businesses. The simple nature of the malware looks more like a try to harm the software company reputation among their customers.”

According to Kaspersky Lab, the software company likely to be the target is an Iranian firm “TarrahSystem”, which sells three software packages by the names maliran, shahd and amin -- the database names that Symantec reported the malware specifically targeted.

On Monday an alert was published on tarrahsystem.com warning of the W32.Narilam threat to its customers.

“Could it be that “Narilam” targets these 3 products from TarrahSystem? Unfortunately, we do not have these three programs to check, but it’s quite likely,” Kaspersky’s threat team said.

Kaspersky Lab took issue with reports based on Symantec’s claim that Narilam was built using Delphi.

“We’ve analysed the sample and found no obvious connection with these. Duqu, Stuxnet, Flame and Gauss have all been compiled with versions of Microsoft Visual C, while Narilam was built with Borland C++ Builder 6 (and not Delphi, as other articles seem to suggest), a completely different programming tool.”

The Russian company added that the database destroyer is currently almost “extinct”.

“During the past month, we have observed just six instances of this threat,” it said.
