November 1, 2005 1:38 PM PST

Halloween treat for Oracle: A database worm

Related Stories

Oracle password system comes under fire

October 27, 2005

Flaw hunters pick holes in Oracle patches

October 27, 2005

MySQL worm hits Windows systems

January 27, 2005

Damage control

February 6, 2003
Source code of what is believed to be the first worm to target Oracle databases has been released, in a security list e-mail titled "Trick or Treat Larry."

The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds a one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Center, which tracks network threats.

"In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC Web log.

Related news
Flaw hunters pick holes in Oracle patches
Software maker faces mounting criticism over its security practices

The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany's Red Database Security. Microsoft's SQL Server and the open-source MySQL have been targeted by database pests.

"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an e-mail interview. "It is a wake-up call for database administrators to make their databases more secure."

Oracle is increasingly in the security spotlight. The Redwood Shores, Calif-based business software maker faces criticism about its security practices and has a shaky relationship with security researchers, but CEO Larry Ellison--referenced in the subject line of the worm code e-mail--still likes to tout the security of its products.

Pete Finnigan, an Oracle security specialist in York, England, made similar comments to Kornbrust in a Web log posting Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.

Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.

A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.

A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.

Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.

See more CNET content tagged:
Oracle Database, worm, Oracle Corp., pest, database

Add a Comment (Log in or register) 5 comments
Unbreakable?
by Hernys November 1, 2005 10:09 PM PST
It's amazing that this company claims their database is unbreakable in big neon signs, and then doesn't even care to issue patches for their products holes. I think their security record is the worst in the industry, viewed from the patched vulnerabilities and unpatched vulnerabilities numbers, as well as their treatment of security in general (I once heard an Oracle presenter say "vulnerabilities are not a significant issue for a database server, since most databases are hidden behind a firewall").
Just plain pathetic.
Reply to this comment
In Their Defense
by BogusName November 2, 2005 6:11 AM PST
If you leave the default usernames unlocked with their default passwords it is your fault if the database is hacked. Their is nothing Oracle can do to prevent user mistakes.
Reply to this comment
What does CNET have against Oracle?
by BogusName November 2, 2005 6:15 AM PST
This article is valueless. This isn't a product flaw, it is a user error issue.

This is like the third article in a week bashing Oracle. I have to think it is more than coincidence.
Reply to this comment View reply
Uncle Larry is the master of spin
by shikarishambu November 2, 2005 7:05 AM PST
LOL
Reply to this comment
Powered by Jive Software
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

advertisement

Inside CNET News

Scroll Left Scroll Right
  • Nanotech: The Circuits Blog

    Timing rumors surface for AMD plant spin-off

    Rumors persist that Advanced Micro Devices is planning to spin off all or part of its manufacturing operations.

  • Gallery

    Photos: Ron Paul's RNC alternative

    As the Republican convention took place just miles away, a crowd rallied for the former presidential candidate and his message of limited government, ensured civil liberties, lower taxes, and peace.

  • Digital Noise: Music and Tech

    Was 1980s music that bad?

    NPR asks listeners which year featured the best music, and the 1980s emerge as a bleak era. Personally, the '80s figure prominently in my collection, but well behind the 1970s.

  • Beyond Binary

    Microsoft begins big ad push

    Microsoft's multi-year push, estimated at $300 million, begins with a spot featuring Bill Gates and Jerry Seinfeld aired during Thursday's NFL game.

  • Video

    YouTube plays party politics

    During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.

  • News - Digital Media

    Michael Moore plans Net-only film premiere

    Filmmaker plans to premiere his latest documentary exclusively on the Internet for free, forgoing the traditional theatrical release.

  • Video

    Political party playlists

    We know the Democrats and Republicans are split over policy issues, but does their musical taste fall down party lines too? And what kind of gadgets did they bring to the conventions to listen to their music? CNET reporter Kara Tsuboi finds out.

  • News - Politics and Law

    What you can-- and can't-- find about Palin on the Internet

    John McCain's choice of Sarah Palin as a running mate has inspired a wealth of creativity on the Internet.

  • News - Cutting Edge

    Execs predict next Google-like tech

    On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.

  • Gallery

    Photos: The brains behind Google Chrome

    Here's a look at some of the engineers and executives who took the stage at the company's headquarters as they unveiled the new browser.

  • Webware

    10 things we'd like to see in Chrome

    Google's Chrome is pretty good, but it could be a whole lot better. We've rounded up 10 fairly extensive ways to tweak it to make it an all-around better browser.

  • Green Tech

    Clean-tech group forms to support Obama

    "Clean Tech and Green Business for Obama" aims to raise $1 million for the Democratic presidential nominee while elevating issues of climate change and alternative energy.