Halloween treat for Oracle: A database worm
Proof-of-concept pest is believed to be the first to target Oracle databases.
The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds a one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Center, which tracks network threats.
"In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC Web log.
The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany's Red Database Security. Microsoft's SQL Server and the open-source MySQL have been targeted by database pests.
"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an e-mail interview. "It is a wake-up call for database administrators to make their databases more secure."
Oracle is increasingly in the security spotlight. The Redwood Shores, Calif-based business software maker faces criticism about its security practices and has a "5846019">shaky relationship with security researchers, but CEO Larry Ellison--referenced in the subject line of the worm code e-mail--still likes to tout the security of its products.
Pete Finnigan, an Oracle security specialist in York, England, made similar comments to Kornbrust in a Web log posting Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.
Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.
A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.
A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.
Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.