
Hacker Develops Oracle Worm

Internet & Networks
Sample carries harmless payload, but demonstrates an attack unique to Oracle databases.

A worm that can attack Oracle databases has been posted to a security-related Internet mailing list, raising the specter of possible future worms laden with dangerous payloads.

An anonymous person who used the subject line "Trick or treat Larry" posted code for the worm on the Full-disclosure mailing list earlier this week. The "proof of concept" worm carries a harmless payload, but similar worms could automatically spread among databases and wreak havoc, security researchers said Wednesday.


Oracle's First Worm
"Trick or treat" is the first Oracle worm that security researcher Alexander Kornbrust of Red-Database-Security in Neunkirchen, Germany, has seen outside a lab setting. Hackers who target Oracle databases normally aim at a single database and steal information from it, said Kornbrust. A worm could automate the process of getting into many databases within a company or on the Internet, he said. Some enterprises use thousands of Oracle databases. Recently, Oracle has reached out to smaller businesses with lower-end versions of its database.

Two factors limit the magnitude of the worm's threat, according to security analysts. First, it exploits Oracle's default passwords, which users typically replace with their own passwords--though Kornbrust estimates that half of all Oracle shops use a default password on at least one database. In addition, most Oracle databases aren't connected directly to the Internet, so an attacker would have to gain access to the LAN to release the worm.

To protect themselves against the worm, users should stop using default passwords and should password-protect the listener element of the database, a process responsible for communication between a user and the database, Kornbrust said. Most users leave this process open without a password, he said.
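One way to check the listener recommendation above across many hosts is to audit each `listener.ora` offline. The following is an added example, not code from the article or from Oracle; it assumes the listener password is recorded as a `PASSWORDS_<listener_name>` entry in `listener.ora`, as on the Oracle releases of the article's period, and the sample file, host name and function names are constructed for illustration.

```python
import re

# Constructed sample listener.ora: two listeners, only one with a password entry.
SAMPLE_LISTENER_ORA = """\
# constructed sample, not from a real host
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)))
PASSWORDS_LISTENER = (0123456789ABCDEF)

LISTENER_HR =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522)))
PASSWORDS_LISTENER_HR = ()
"""

def top_level_params(text):
    """Return {NAME: value}. A parameter starts in column 0; indented
    lines continue the previous parameter (Oracle Net file layout)."""
    params, name = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z_][\w.]*)\s*=\s*(.*)", line)
        if m and not line[0].isspace():
            name = m.group(1).upper()
            params[name] = m.group(2)
        elif name:
            params[name] += " " + line.strip()
    return params

def audit_listeners(text):
    """Map each listener definition to whether a password entry exists."""
    params = top_level_params(text)
    findings = {}
    for name, value in params.items():
        # A listener definition is a parameter whose value holds an ADDRESS.
        if "(ADDRESS" not in value.upper().replace(" ", ""):
            continue
        pw = params.get("PASSWORDS_" + name, "").strip("() \t")
        findings[name] = "password set" if pw else "NO PASSWORD"
    return findings

if __name__ == "__main__":
    for listener, status in audit_listeners(SAMPLE_LISTENER_ORA).items():
        print(f"{listener}: {status}")
```
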

The "trick or treat" code itself doesn't cause any damage, according to analysts. Once it gets into a database, it merely creates a new table, called "x." But greater threats could be on the way.

"As always, it's possible to change the payload and do more dangerous things, like modifying data, deleting data, or stealing data," Kornbrust said. He doubts that a future attacker would use the very same code, but he thinks that an Oracle database worm wouldn't be particularly hard to write.


New Type of Threat
If a worm could successfully spread by using default passwords, the next thing to worry about would be a worm carrying "dictionary" attack code to figure out passwords, according to David Kennedy, senior security analyst at Cybertrust in Herndon, Virginia. A dictionary attack tests words from the dictionary as possible passwords. Fortunately, most administrators of valuable Oracle databases don't use the kinds of simple passwords that this kind of attack finds easily, he said.

"If I were responsible for a valuable Oracle installation, I'd already be thinking about that kind of problem," Kennedy said. "This is one of those things that [Oracle administrators] would have already architected against."

One reason database worms are rare may be that they're not good tools for stealing data, Red Database's Kornbrust said. Analysts said, however, that a worm that moved rapidly from one database to another could cause problems by erasing or changing data. For example, an attacker could unleash a worm on a company, change the information in the company's databases, and then extort money from the company for a remedy that brought back the correct information, Kornbrust said.



November 3, 2005
Author: Stephen Lawson
Copyright 2003-2008 - Software Magazine, onekit.com, Legal Notices