November 1, 2005 1:38 PM PST

Halloween treat for Oracle: A database worm

Related Stories

Oracle password system comes under fire

October 27, 2005

Flaw hunters pick holes in Oracle patches

October 27, 2005

MySQL worm hits Windows systems

January 27, 2005

Damage control

February 6, 2003
Source code of what is believed to be the first worm to target Oracle databases has been released, in a security list e-mail titled "Trick or Treat Larry."

The code, posted anonymously on Monday to the popular Full Disclosure security mailing list, is for a worm that scans for other Oracle databases once it is on a network. When it finds a one, it attempts to log in using several default username and password combinations. If access is granted, the worm creates a table in the database under attack, according to the SANS Internet Storm Center, which tracks network threats.

"In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods," according to the SANS ISC Web log.

Related news
Flaw hunters pick holes in Oracle patches
Software maker faces mounting criticism over its security practices

The worm is proof-of-concept code, which means that it is an example of an attack and not a threat that has been released into the wild. "As far as I know, this is the first worm to target an Oracle database," said Alexander Kornbrust, an Oracle security specialist who runs Germany's Red Database Security. Microsoft's SQL Server and the open-source MySQL have been targeted by database pests.

"The danger of this specific worm is low, but it shows the direction and potential," Kornbrust said in an e-mail interview. "It is a wake-up call for database administrators to make their databases more secure."

Oracle is increasingly in the security spotlight. The Redwood Shores, Calif-based business software maker faces criticism about its security practices and has a shaky relationship with security researchers, but CEO Larry Ellison--referenced in the subject line of the worm code e-mail--still likes to tout the security of its products.

Pete Finnigan, an Oracle security specialist in York, England, made similar comments to Kornbrust in a Web log posting Tuesday. "This is a worrying new event for anyone running insecure databases," he wrote.

Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.

A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.

A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.

Kornbrust and Finnigan offer several simple tips for Oracle users to protect their systems. These include changing the default passwords on databases, revoking certain privileges, not using port 1521 for specific functions.


Join the conversation!
Add your comment
It's amazing that this company claims their database is unbreakable in big neon signs, and then doesn't even care to issue patches for their products holes. I think their security record is the worst in the industry, viewed from the patched vulnerabilities and unpatched vulnerabilities numbers, as well as their treatment of security in general (I once heard an Oracle presenter say "vulnerabilities are not a significant issue for a database server, since most databases are hidden behind a firewall").
Just plain pathetic.
Posted by Hernys (744 comments )
Reply Link Flag
In Their Defense
If you leave the default usernames unlocked with their default passwords it is your fault if the database is hacked. Their is nothing Oracle can do to prevent user mistakes.
Posted by BogusName (33 comments )
Reply Link Flag
What does CNET have against Oracle?
This article is valueless. This isn't a product flaw, it is a user error issue.

This is like the third article in a week bashing Oracle. I have to think it is more than coincidence.
Posted by BogusName (33 comments )
Reply Link Flag
The reason
The reason is simple, Oracle's track record for security is absolutely abysmal.
This is the same database that at one point would create multiple DB admins with default or blank passwords and you had to manually disable or change the accounts to not have huge backdoors. There were known programmed backdoors into Oracle for a long time.
They still release more patches in an average month than you'll see for MS SQL Server in a whole release, yet they claim that they're secure because they run FORTIFY on their code.

They're the laughingstock of the security industry, and they completely deserve it.
Posted by Meh234 (37 comments )
Link Flag
Uncle Larry is the master of spin
Posted by shikarishambu (89 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.