A graduate seminar: current topics in computer security
 

W32.Narilam


While reading about recent viruses I found that Symantec recently came across a new, sophisticated threat that targets "corporate databases". They detect this malware as W32.Narilam. This malware sabotages database entities of accounting software and replaces them with random data. Like other malware, Narilam copies itself to the infected machine, adds registry keys, and finally infects removable drives and spreads through networks. What is unique about this malware is that it can update Microsoft SQL databases when they are reachable over OLE DB. (OLE DB provides interfaces that expose data from a variety of sources and also provides the amount of DBMS functionality needed.)

The strange thing I found about this virus is that it only looks for specific database names used in the small-business accounting software of an Iranian company. It then replaces specific objects and tables rather than just uploading data to command-and-control servers.
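Because Narilam's damage is silent corruption of rows inside a known table rather than exfiltration, the defensive control that catches it is a content integrity baseline for the tables the accounting software depends on. The following is an added example, not code from the original post or from Symantec: it fingerprints every row of a table, stores the fingerprints as a baseline, and later reports rows that were modified, deleted or added. SQLite is used only so the example runs offline (the real target was Microsoft SQL Server reached over OLE DB), and the `invoices` table, its rows and the `simulate_tampering` step are constructed stand-ins.

```python
import hashlib
import sqlite3

# Constructed stand-in for an accounting table. Assumption of this example:
# SQLite in memory instead of a SQL Server instance reached over OLE DB.
SCHEMA = """
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY,
    customer TEXT NOT NULL,
    amount REAL NOT NULL,
    issued TEXT NOT NULL
);
"""

SAMPLE_ROWS = [
    (1, "Acme Trading", 1250.00, "2012-11-01"),
    (2, "Bolt & Nut Co", 87.50, "2012-11-03"),
    (3, "Crane Supply", 4310.25, "2012-11-07"),
]


def open_sample_db():
    """Create the constructed sample database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def row_fingerprints(conn, table, key):
    """Return {primary_key: sha256 of the canonical row text} for every row.

    `table` and `key` are identifiers chosen by the operator, never user input,
    which is why they are interpolated rather than bound as parameters.
    """
    cur = conn.execute(f"SELECT * FROM {table} ORDER BY {key}")
    cols = [d[0] for d in cur.description]
    key_idx = cols.index(key)
    fingerprints = {}
    for row in cur:
        # Canonical "col=value" form so the hash depends on every column.
        canonical = "|".join(f"{c}={v!r}" for c, v in zip(cols, row))
        fingerprints[row[key_idx]] = hashlib.sha256(canonical.encode()).hexdigest()
    return fingerprints


def diff_baseline(baseline, current):
    """Classify rows as modified, deleted or added relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    deleted = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "deleted": deleted, "added": added}


def simulate_tampering(conn):
    """Constructed stand-in for the kind of change the post describes:
    overwrite one row's fields with meaningless values and drop another row."""
    conn.execute("UPDATE invoices SET customer = 'xq9z', amount = 0 WHERE id = 2")
    conn.execute("DELETE FROM invoices WHERE id = 3")
    conn.commit()


def demo():
    """Take a baseline, let the stand-in tampering run, and report the drift."""
    conn = open_sample_db()
    baseline = row_fingerprints(conn, "invoices", "id")
    simulate_tampering(conn)
    return diff_baseline(baseline, row_fingerprints(conn, "invoices", "id"))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be written to storage the database account cannot reach and refreshed only after legitimate batch jobs, so that a worm holding the same OLE DB credentials as the accounting application cannot also rewrite the baseline; the same reasoning argues for giving that application account no rights to alter tables it only needs to read.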

Although it turns out that this virus is not a cyber-weapon on the scale of Stuxnet (http://vimeo.com/25118844), it is the targeted nature of the malware that needs to be understood and addressed. Not too long ago, small and midsize businesses could rightfully consider themselves immune to targeted attacks and malware, since the size of the business didn't create enough of a reward to be worth the risk to the attacker. With cloud computing and powerful analytics allowing midsize businesses to harness enormous amounts of data, their data stores and lax security make them a perfect target for attackers.


Hopefully, the damage that a worm like Narilam can do will be enough to convince IT managers of the need for strong, consistent security measures. While fully locking down systems is rarely possible or profitable, ensuring that employees understand the importance of proper security precautions can greatly diminish malware's ability to infect a system and spread from there.


Between employee education and proper anti-malware software, the threat of destruction from malware is significantly diminished, but only if the right people remain vigilant.

References:

http://securitywatch.pcmag.com/none/305296-database-modifying-malware-narilam-a-corporate-sabotage-tool

http://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage

http://midsizeinsider.com/en-us/article/is-narilam-malware-something-to-worry-ab

http://msdn.microsoft.com/en-us/library/windows/desktop/ms722784%28v=vs.85%29.aspx
