Hacker publishes Oracle proof-of-concept worm

A worm that can attack Oracle databases has been posted to a security-related Internet mailing list.

A worm that can attack Oracle databases has been posted to a security-related Internet mailing list, raising the specter of possible future worms with dangerous payloads.

Code for the worm was posted Monday by an anonymous person on the Full-disclosure mailing list who used the subject line "Trick or treat Larry." It is a "proof of concept" worm with a harmless payload, but similar worms could automatically spread among databases and wreak havoc, security researchers said Wednesday.

"Trick or treat" is the first Oracle worm that security researcher Alexander Kornbrust has seen "in the wild," outside a lab setting. Hackers who target Oracle databases normally aim at a single database and steal information from it, said Kornbrust, of Red-Database-Security GmbH, in Neunkirchen, Germany. A worm could automate the process of getting into many databases within a company or on the Internet, he said. Some enterprises use thousands of Oracle databases.

Two factors limit the size of the worm's threat, according to security analysts. It takes advantage of default passwords provided by Oracle, which users typically replace with their own passwords, though Kornbrust estimates that half of all Oracle shops use a default password on at least one database. In addition, most Oracle databases are not connected directly to the Internet, so an attacker would have to get access to the LAN to release the worm.

To protect themselves against the worm, users should stop using default passwords and also password-protect the "listener" element of the database, a process that is responsible for communication between a user and the database, Kornbrust said. Most users leave this process open without a password, he said.

The "trick or treat" code won't cause any damage, according to analysts. Once it gets into a database, it just creates a new table, called "x." But greater threats could be on the way.

"As always, it's possible to change the payload and do more dangerous things, like modifying data, deleting data, or stealing data," Kornbrust said. He doubts a future attacker would use the very same code, but thinks an Oracle database worm would not be particularly hard to write.

If a worm could successfully spread using default passwords, the next thing to worry about would be one that includes "dictionary" attack code to figure out passwords, said David Kennedy, senior security analyst at Cybertrust. A "dictionary" attack tests words from the dictionary as possible passwords. Fortunately, most administrators of valuable Oracle databases don't use the kinds of simple passwords that could be easily found by this kind of attack, he said.

"If I was responsible for a valuable Oracle installation, I'd already be thinking about that kind of problem," Kennedy said. "This is one of those things that (Oracle administrators) would have already architected against."

One reason database worms are rare may be that they are not good tools for stealing data, Red Database's Kornbrust said. However, analysts said a worm that could rapidly go from one database to another could cause problems by erasing or changing data. For example, an attacker could unleash a worm on a company and change the information in its databases, then extort money from the company for a remedy that would bring back the correct information, Kornbrust said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Stephen Lawson

IDG News Service
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?