l****z
发帖数: 29846 | 1 Now this is interesting. From Symantec, makers of the Norton Ant-Virus
family of products:
n the last couple of years, we have seen highly sophisticated malware
used to sabotage the business activities of chosen targets. We have seen
malware such as W32.Stuxnet designed to tamper with industrial automation
systems and other destructive examples such as W32.Disstrack and W32.Flamer,
which can both wiped out data and files from hard disks. All of these
threats can badly disrupt the activities of those affected.
Following along that theme, we recently came across an interesting
threat that has another method of causing chaos, this time, by targeting and
modifying corporate databases. We detect this threat as W32.Narilam.
Based on the detections observed, W32.Narilam is active predominantly in
the Middle East. (See heat map above)
Just like many other worms that we have seen in the past, the threat
copies itself to the infected machine, adds registry keys, and spreads
through removable drives and network shares. It is even written using Delphi
, which is a language that is used to create a lot of other malware threats.
All these aspects of this threat are normal enough, what is unusual about
this threat is the fact that it has the functionality to update a Microsoft
SQL database if it is accessible by OLEDB. The worm specifically targets SQL
databases with three distinct names: alim, maliran, and shahd.
The malware does not have any functionality to steal information from
the infected system and appears to be programmed specifically to damage the
data held within the targeted database. Given the types of objects that the
threat searches for, the targeted databases seem to be related to ordering,
accounting, or customer management systems belonging to corporations.
The problem is that the U.S. is not invulnerable from this type of worm
either, though this worm specifically attacks Persian names and tables. |
|
