First worm to hit Oracle databases found
Published: 02 Nov 2005 11:30 GMT
Source code of what is believed to be the first worm to target Oracle databases has been released, in a security list email titled "Trick or Treat Larry".
The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Centre, which tracks network threats.
"In its current state, the worm isn’t a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC blog.
The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany’s Red Database Security. Microsoft’s SQL Server and the open source MySQL have been targeted by database pests.
"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an email interview. "It is a wake-up call for database administrators to make their databases more secure."
Oracle is increasingly in the security spotlight. The business software maker faces criticism about its security practices and has a shaky relationship with security researchers, but chief executive Larry Ellison — referenced in the subject line of the worm code email — still likes to tout the security of its products.
Pete Finnigan, an Oracle security specialist in York, made similar comments to Kornbrust in a blog posting on Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.
Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, chief executive of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.
A variant of the worm could erase information or send it elsewhere, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.
A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.
Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.
Did you find this article useful?
89 out of 159 people found this useful
- Share this article:
