Latest Iranian Malware Targets Financial Software

There appear to be some professional differences of opinion about the latest "super malware" said to be targeting Iran. Just days after Symantec Corp. warned about a new piece of malware, W32.Narilam, researchers at the Russian anti-virus firm Kaspersky Lab threw cold water on the report, saying their analysis suggests that Narilam is two to three years old and targeted financial software packages rather than high-value government or industrial systems.

Narilam Report - Symantec
Symantec’s report on the Narilam malware is contradicted by data from Kaspersky Lab.

The back and forth started with Symantec's Nov. 22 blog post on Narilam, which said the malware had recently been found circulating in the "Middle East", and particularly in Iran. Narilam was written to infect systems running Microsoft SQL Server, spreading through removable drives and network shared folders. It was designed to corrupt data, not to steal information, Symantec said.

Though Symantec made no claim about Narilam's origins, it did say the worm followed the same "theme" as earlier threats including Stuxnet, Flame (also known as Flamer) and Shamoon (also known as Disttrack), all believed to be part of sophisticated attacks, and some of them (Stuxnet and Flame) linked to nation-backed actors.

In an unsigned post Monday on the Kaspersky Lab research blog Securelist, however, that company argued that there was nothing new or unusual about Narilam. Rather, the malware was between two and three years old and well known to both antivirus firms and potential targets. Kaspersky, the post said, first detected the malware in August 2010. Kaspersky has been tracking Narilam as Win32.Scar.cvcw and Win32.Scar.dlvc since then and has recorded around 80 infections, around 60% of them in Iran and the rest in Afghanistan. (As a Moscow-based firm, Kaspersky has a substantial presence in the Iranian market, so the company's numbers, though not comprehensive, should be taken seriously, especially compared with those of Western firms with little or no footprint in Iran.)

Iranian responders also appear to have caught on to the malware. Kaspersky notes an Iranian CERT warning from June 2010 that describes a similar piece of malware, dubbed "Trojan.AKK", and an alert from the past week noting that the malware is neither new nor widespread.

And while Symantec's warning suggested that the target systems were corporate machines used for "ordering, accounting, or customer management," Kaspersky fills in the picture a bit more, citing an alert from the Iranian firm TarrahSystem about the Narilam malware. TarrahSystem said the malware targeted its financial software products Malyran, Amin and Shahd, names that match the database tables Narilam is known to act on.
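The point of the TarrahSystem alert is that the targets are specific, named tables, and the threat is corruption rather than theft. That makes a baseline-and-compare integrity check a more useful control than an exfiltration-oriented one. The example below is added here to illustrate that check; it is not code from the article, Symantec, Kaspersky or TarrahSystem. It uses Python's sqlite3 as an in-memory stand-in for the SQL Server instance the article describes, takes the watched table names from the alert (treating them as the tables to monitor is this example's assumption), and uses made-up sample rows. It flags tables that disappear and baseline rows that are altered or deleted, while tolerating the appends an accounting system makes all day.

```python
import hashlib
import sqlite3
from typing import Dict, List, Set, Tuple

# Table names from the TarrahSystem alert cited in the article. Watching exactly
# these tables is this example's assumption, not published vendor guidance.
WATCHED_TABLES = ("Malyran", "Amin", "Shahd")


def row_hashes(conn: sqlite3.Connection, table: str) -> Set[str]:
    """One SHA-256 per row, as a set, so the check is order-independent."""
    # The identifier is quoted and comes only from the fixed list above, never from input.
    cur = conn.execute(f'SELECT * FROM "{table}"')
    return {hashlib.sha256(repr(row).encode()).hexdigest() for row in cur}


def baseline(conn: sqlite3.Connection) -> Dict[str, Set[str]]:
    """Snapshot every watched table; store this somewhere the database host cannot rewrite."""
    return {t: row_hashes(conn, t) for t in WATCHED_TABLES}


def compare(conn: sqlite3.Connection, base: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Report tables that vanished and baseline rows that were altered or deleted.

    New rows are deliberately ignored: normal business activity appends rows,
    while a data-corrupting worm rewrites or removes what is already there.
    """
    findings: List[Tuple[str, str]] = []
    for table, old_rows in base.items():
        try:
            new_rows = row_hashes(conn, table)
        except sqlite3.OperationalError:  # "no such table"
            findings.append((table, "table missing"))
            continue
        lost = len(old_rows - new_rows)
        if lost:
            findings.append((table, f"{lost} of {len(old_rows)} baseline rows altered or deleted"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: in-memory stand-in for SQL Server with made-up sample rows."""
    conn = sqlite3.connect(":memory:")
    for t in WATCHED_TABLES:
        conn.execute(f'CREATE TABLE "{t}" (id INTEGER PRIMARY KEY, account TEXT, amount REAL)')
        conn.executemany(
            f'INSERT INTO "{t}" (account, amount) VALUES (?, ?)',
            [(f"acct-{i}", 100.0 * i) for i in range(1, 6)],
        )
    base = baseline(conn)

    # Simulated corruption (constructed, not a reproduction of Narilam's code):
    # overwrite existing values in one table and drop another outright.
    conn.execute('UPDATE "Malyran" SET amount = 9999.0 WHERE id <= 2')
    conn.execute('DROP TABLE "Shahd"')
    # Legitimate activity on the third table: an append, which must not be flagged.
    conn.execute('INSERT INTO "Amin" (account, amount) VALUES (?, ?)', ("acct-6", 600.0))

    return compare(conn, base)


if __name__ == "__main__":
    for table, problem in demo():
        print(f"{table}: {problem}")
```

Two practical caveats. Legitimate updates to existing rows also show up as "altered or deleted", so run the comparison against a restored backup or during a quiet window, or restrict it to ledger tables that are meant to be append-only. And keep the baseline off the database host: a worm that can rewrite the tables can rewrite a baseline file sitting next to them.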

Kaspersky’s conclusion? “Narilam is a rather old threat that was probably deployed during late 2009 and mid-2010. The malware appears to be designed to corrupt accounting systems, primarily used by small businesses within those countries and is ‘almost extinct’.” “Unlike Duqu or Flame, there is no apparent cyber espionage function.”

Of course, mix-ups like this aren't that unusual. Anti-malware companies, Kaspersky included, know only what their install base and other monitoring tools allow them to see. In markets where they have little visibility, for political or other reasons, that leaves them susceptible to being surprised by things that seem commonplace to those with a bigger presence. Symantec appears to find itself in that position with Narilam.