Hacker Posts Oracle Worm Proof

A worm that can attack Oracle Corp. databases has been posted to a security-related Internet mailing list, raising the specter of possible future worms with dangerous payloads.

Code for the worm was posted Monday by an anonymous person on the Full-disclosure mailing list who used the subject line “Trick or treat Larry.” It is a “proof of concept” worm with a harmless payload, but similar worms could automatically spread among databases and wreak havoc, security researchers said Wednesday.

“Trick or treat” is the first Oracle worm that security researcher Alexander Kornbrust has seen “in the wild,” outside a lab setting. Hackers who target Oracle databases normally aim at a single database and steal information from it, said Kornbrust, of Red-Database-Security GmbH, in Neunkirchen, Germany. A worm could automate the process of getting into many databases within a company or on the Internet, he said. Some enterprises use thousands of Oracle databases.

Two factors limit the size of the worm’s threat, according to security analysts. It takes advantage of default passwords provided by Oracle, which users typically replace with their own passwords, though Kornbrust estimates that half of all Oracle shops use a default password on at least one database. In addition, most Oracle databases are not connected directly to the Internet, so an attacker would have to get access to the LAN to release the worm.

To protect themselves against the worm, users should stop using default passwords and also password-protect the “listener” element of the database, a process that is responsible for communication between a user and the database, Kornbrust said. Most users leave this process open without a password, he said.

The “trick or treat” code won’t cause any damage, according to analysts. Once it gets into a database, it just creates a new table, called “x.” But greater threats could be on the way.

“As always, it’s possible to change the payload and do more dangerous things, like modifying data, deleting data, or stealing data,” Kornbrust said. He doubts a future attacker would use the very same code, but thinks an Oracle database worm would not be particularly hard to write.

If a worm could successfully spread using default passwords, the next thing to worry about would be one that includes “dictionary” attack code to figure out passwords, said David Kennedy, senior security analyst at Cybertrust Inc., in Herndon, Virginia. A “dictionary” attack tests words from the dictionary as possible passwords. Fortunately, most administrators of valuable Oracle databases don’t use the kinds of simple passwords that could be easily found by this kind of attack, he said.

“If I was responsible for a valuable Oracle installation, I’d already be thinking about that kind of problem,” Kennedy said. “This is one of those things that (Oracle administrators) would have already architected against.”

One reason database worms are rare may be that they are not good tools for stealing data, Red Database’s Kornbrust said. However, analysts said a worm that could rapidly go from one database to another could cause problems by erasing or changing data. For example, an attacker could unleash a worm on a company and change the information in its databases, then extort money from the company for a remedy that would bring back the correct information, Kornbrust said.

By Stephen Lawson, IDG News Service