As Narilam samples are trickling in, we interviewed Bitdefender security researcher Iulian Artenie Muntean for insights on its design and behavior:
What can you tell us about Narilam? Is it an APT like Stuxnet or Flamer?
IAM: The code is very simply written and un-obfuscated so the SQL commands used can be read directly. Most of it is library code, in fact, while the rest is about issuing malicious SQL commands and for adding it to the autorun list so it is executed at system start-up. The SQL commands are highly specific. We have found about 30 samples so far and they all have the same SQL commands.
Could the target be a particular company? Might this be the work of a disgruntled (ex-)employee?
IAM: It’s very hard to tell which particular Iranian (or indeed middle-Eastern) companies are being targeted based on the names of database tables used. It could be that they are used in multiple (possibly state-run) companies, or it could be that they are specific to just one. Given the relatively low complexity of this trojan’s code, which could have been written by just one person, the disgruntled employee scenario is also a distinct possibility.
Is Narilam restricted to the Middle East, or is it spreading?
IAM: So far, most of the samples we have collected come from Iran, with the remainder split between Egypt, Vietnam, Italy and Great Britain.