Halloween treat for Oracle: A database worm

Source code of what is believed to be the first worm to target Oracle databases has been released, in a security list e-mail titled "Trick or Treat Larry."

The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds a one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Center, which tracks network threats.

"In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC Web log.

Related news
Flaw hunters pick holes in Oracle patches

Software maker faces mounting criticism over its security practices

The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany's Red Database Security. Microsoft's SQL Server and the open-source MySQL have been targeted by database pests.

"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an e-mail interview. "It is a wake-up call for database administrators to make their databases more secure."

Oracle is increasingly in the security spotlight. The Redwood Shores, Calif-based business software maker faces criticism about its security practices and has a shaky relationship with security researchers, but CEO Larry Ellison--referenced in the subject line of the worm code e-mail--still likes to tout the security of its products.

Pete Finnigan, an Oracle security specialist in York, England, made similar comments to Kornbrust in a Web log posting Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.

Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.

A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.

A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.

Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.

[Hernys]

Unbreakable?

It's amazing that this company claims their database is unbreakable in big neon signs, and then doesn't even care to issue patches for their products holes. I think their security record is the worst in the industry, viewed from the patched vulnerabilities and unpatched vulnerabilities numbers, as well as their treatment of security in general (I once heard an Oracle presenter say "vulnerabilities are not a significant issue for a database server, since most databases are hidden behind a firewall").
Just plain pathetic.

[BogusName]

In Their Defense

If you leave the default usernames unlocked with their default passwords it is your fault if the database is hacked. Their is nothing Oracle can do to prevent user mistakes.

[BogusName]

What does CNET have against Oracle?

This article is valueless. This isn't a product flaw, it is a user error issue.

This is like the third article in a week bashing Oracle. I have to think it is more than coincidence.

[shikarishambu]

Uncle Larry is the master of spin

LOL