Anti-Malware Research

Could Narilam be the work of a disgruntled employee?

As Narilam samples are trickling in, we interviewed Bitdefender security researcher Iulian Artenie Muntean for insights on its design and behavior:

What can you tell us about Narilam? Is it an APT like Stuxnet or Flamer?

IAM: The code is very simply written and un-obfuscated so the SQL commands used can be read directly. Most of it is library code, in fact, while the rest is about issuing malicious SQL commands and for adding it to the autorun list so it is executed at system start-up. The SQL commands are highly specific. We have found about 30 samples so far and they all have the same SQL commands.

Could the target be a particular company? Might this be the work of a disgruntled (ex-)employee?

IAM: It’s very hard to tell which particular Iranian (or indeed middle-Eastern) companies are being targeted based on the names of database tables used. It could be that they are used in multiple (possibly state-run) companies, or it could be that they are specific to just one. Given the relatively low complexity of this trojan’s code, which could have been written by just one person, the disgruntled employee scenario is also a distinct possibility.

Is Narilam restricted to the Middle East, or is it spreading?

IAM: So far, most of the samples we have collected come from Iran, with the remainder split between Egypt, Vietnam, Italy and Great Britain.

About the author



Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.