Hacker publishes Oracle proof-of-concept worm

A worm that can attack Oracle databases has been posted to a security-related Internet mailing list.

A worm that can attack Oracle databases has been posted to a security-related Internet mailing list, raising the specter of possible future worms with dangerous payloads.

Code for the worm was posted Monday by an anonymous person on the Full-disclosure mailing list who used the subject line "Trick or treat Larry." It is a "proof of concept" worm with a harmless payload, but similar worms could automatically spread among databases and wreak havoc, security researchers said Wednesday.

"Trick or treat" is the first Oracle worm that security researcher Alexander Kornbrust has seen "in the wild," outside a lab setting. Hackers who target Oracle databases normally aim at a single database and steal information from it, said Kornbrust, of Red-Database-Security GmbH, in Neunkirchen, Germany. A worm could automate the process of getting into many databases within a company or on the Internet, he said. Some enterprises use thousands of Oracle databases.

Two factors limit the size of the worm's threat, according to security analysts. It takes advantage of default passwords provided by Oracle, which users typically replace with their own passwords, though Kornbrust estimates that half of all Oracle shops use a default password on at least one database. In addition, most Oracle databases are not connected directly to the Internet, so an attacker would have to get access to the LAN to release the worm.

To protect themselves against the worm, users should stop using default passwords and also password-protect the "listener" element of the database, a process that is responsible for communication between a user and the database, Kornbrust said. Most users leave this process open without a password, he said.

The "trick or treat" code won't cause any damage, according to analysts. Once it gets into a database, it just creates a new table, called "x." But greater threats could be on the way.

"As always, it's possible to change the payload and do more dangerous things, like modifying data, deleting data, or stealing data," Kornbrust said. He doubts a future attacker would use the very same code, but thinks an Oracle database worm would not be particularly hard to write.

If a worm could successfully spread using default passwords, the next thing to worry about would be one that includes "dictionary" attack code to figure out passwords, said David Kennedy, senior security analyst at Cybertrust. A "dictionary" attack tests words from the dictionary as possible passwords. Fortunately, most administrators of valuable Oracle databases don't use the kinds of simple passwords that could be easily found by this kind of attack, he said.

"If I was responsible for a valuable Oracle installation, I'd already be thinking about that kind of problem," Kennedy said. "This is one of those things that (Oracle administrators) would have already architected against."

One reason database worms are rare may be that they are not good tools for stealing data, Red Database's Kornbrust said. However, analysts said a worm that could rapidly go from one database to another could cause problems by erasing or changing data. For example, an attacker could unleash a worm on a company and change the information in its databases, then extort money from the company for a remedy that would bring back the correct information, Kornbrust said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?