New Destructive Narilam Malware Threatens Targets In The Middle East

Appears to be completely different from Stuxnet and Flame; seems to be aimed at Iranian databases.


The Middle East is threatened by a new malware named Narilam that has the potential to corrupt databases, but that might only be the tip of the iceberg. The malware, discovered by Symantec a few days ago, seems to be meant for Iranian targets, judging by its database structure. Several 1.5 MB Windows PE executables, compiled with Borland C++ Builder, have been identified; they appear to have been created in 2009 or 2010, which means they have been on the loose and undetected since then. Kaspersky Security Network has stated that it has very few reports about this malware right now, which indicates that it is either extinct or lying dormant, waiting for a trigger of some sort. Only six instances have been detected in the past month.

Quite a few variants of Narilam exist, and it could have already targeted several installations in Iran. It is hard to determine whether it actually did any damage, though: getting sensitive information out of that country is difficult.

An analysis of the malware has shown that it is not similar to previous threats such as Duqu, Stuxnet, Flame, and Gauss. What is known is that it has targeted databases with specific names: Maliran, Amin, and Shahd, all products of an Iranian software company, TarrahSystem. This raises the possibility that Narilam is an attack from a rival software company. That hasn't been confirmed, because the programs could not be made available to Kaspersky.

TAGS: Security, Jayesh