Halloween treat for Oracle: A database worm

By Joris Evers
Staff Writer, CNET News

5 comments

Related Stories: Oracle password system comes under fire
October 27, 2005; Flaw hunters pick holes in Oracle patches
October 27, 2005; MySQL worm hits Windows systems
January 27, 2005; Damage control
February 6, 2003

Source code of what is believed to be the first worm to target Oracle databases has been released, in a security list e-mail titled "Trick or Treat Larry."

The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds a one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Center, which tracks network threats.

"In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC Web log.

Related news
Flaw hunters pick holes in Oracle patches

Software maker faces mounting criticism over its security practices

The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany's Red Database Security. Microsoft's SQL Server and the open-source MySQL have been targeted by database pests.

"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an e-mail interview. "It is a wake-up call for database administrators to make their databases more secure."

Oracle is increasingly in the security spotlight. The Redwood Shores, Calif-based business software maker faces criticism about its security practices and has a shaky relationship with security researchers, but CEO Larry Ellison--referenced in the subject line of the worm code e-mail--still likes to tout the security of its products.

Pete Finnigan, an Oracle security specialist in York, England, made similar comments to Kornbrust in a Web log posting Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.

Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.

A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.

A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.

Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.

See more CNET content tagged:
Oracle Corp., Oracle Database, worm, database, pest

Add a Comment (Log in or register) (5 Comments)

Unbreakable?
by Hernys November 1, 2005 10:09 PM PST: It's amazing that this company claims their database is unbreakable in big neon signs, and then doesn't even care to issue patches for their products holes. I think their security record is the worst in the industry, viewed from the patched vulnerabilities and unpatched vulnerabilities numbers, as well as their treatment of security in general (I once heard an Oracle presenter say "vulnerabilities are not a significant issue for a database server, since most databases are hidden behind a firewall").
Just plain pathetic.; Like this Reply to this comment

In Their Defense
by BogusName November 2, 2005 6:11 AM PST: If you leave the default usernames unlocked with their default passwords it is your fault if the database is hacked. Their is nothing Oracle can do to prevent user mistakes.; Like this Reply to this comment

What does CNET have against Oracle?

by BogusName November 2, 2005 6:15 AM PST

This article is valueless. This isn't a product flaw, it is a user error issue.

This is like the third article in a week bashing Oracle. I have to think it is more than coincidence.

Like this Reply to this comment

The reason
by Meh234 May 3, 2006 5:14 PM PDT: The reason is simple, Oracle's track record for security is absolutely abysmal.
This is the same database that at one point would create multiple DB admins with default or blank passwords and you had to manually disable or change the accounts to not have huge backdoors. There were known programmed backdoors into Oracle for a long time.
They still release more patches in an average month than you'll see for MS SQL Server in a whole release, yet they claim that they're secure because they run FORTIFY on their code.

They're the laughingstock of the security industry, and they completely deserve it.; Like this

Uncle Larry is the master of spin
by shikarishambu November 2, 2005 7:05 AM PST: LOL; Like this Reply to this comment

(5 Comments)

Latest tech news headlines

FanSnap--another way to find cheap concert tickets
Posted in Digital Noise: Music and Tech by Matt Rosoff

November 11, 2009 8:30 PM PST
Microsoft exec: Mac OS inspired Windows 7
Posted in Technically Incorrect by Chris Matyszczyk

November 11, 2009 7:15 PM PST
Apple updates Safari for security
Posted in The Download Blog by Seth Rosenblatt

November 11, 2009 6:17 PM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Oracle (0.46%) 0.10 21.90; Dow Jones Industrials (0.43%) 44.29 10,291.26; S&P 500 (0.50%) 5.50 1,098.51; NASDAQ (0.74%) 15.82 2,166.90; CNET TECH (0.52%) 8.18 1,579.76

Inside CNET News

Scroll Left Scroll Right

Nanotech - The Circuits Blog
AMD: Our claims about Intel have been 'ratified'
CEO Dirk Meyer cites action by EU and the lawsuit filed by New York's attorney general as confirmation of AMD's allegations of anticompetitive behavior by its rival.
Gallery
Images: Firefox through the ages
Technically Incorrect
Microsoft exec: Mac OS inspired Windows 7
Simon Aldous, Microsoft's Partner Group Manager, says that they looked at the Mac and its graphical nature and ease of use and tried to create "a Mac look."
Beyond Binary
Bing getting a fall refresh
Microsoft's search engine is getting improved preview results as well as some new health information licensed from Wolfram's Alpha.
Video
Exploratorium's shocking 40th anniversary kicks off
Digital Noise: Music and Tech
FanSnap--another way to find cheap concert tickets
This search engine aggregates second-hand ticket listings from around the Web, including eBay and broker sites, and arranges them on a useful seating chart.
Video
A new workout for the Wii
The Social
Twitter issues mulligan on new 'retweet' feature
Twitter developer chat logs reveal that fresh new feature was pulled temporarily to fix some bugs.
Military Tech
Remote-control gun turrets, made for Italy
Italian defense department orders Hitrole remote-controlled machine gun turrets to enable soldiers in Afghanistan to aim and fire without exposing themselves to attack.
Gallery
Photos: Top-rated reviews of the week
The Car Tech blog
Top 5 car technologies
CNET Car Tech picks the best 5 technologies in modern cars.
Green Tech
Powering cell phone towers with wind
Southern California pilot program to test Helix Wind's small wind turbines to run cell phone towers.