Harder-to-Detect Oracle Rootkit on the Way

A security expert is working on a new version of an Oracle rootkit that he claims will allow attackers to more easily disguise malicious elements.

A security expert working on a new version of an Oracle database rootkit says the programs are easy to create and could soon be as common as those that target operating systems like Windows.

Alexander Kornbrust, of Red Database Security GmbH, told eWEEK that he is developing Version 2.0 of a rootkit program he first unveiled in April 2005. The new version, which Kornbrust hopes to unveil at the Black Hat Conference in Las Vegas in July, will be harder to detect on Oracle systems using standard administrative tools. Kornbrust claims his rootkits are not hacking tools but are designed to underscore weaknesses in databases from Oracle, Microsoft and others that make it easy to hide malicious activity.

Kornbrust first introduced a proof-of-concept Oracle rootkit last April, at the Black Hat Conference in Amsterdam, Netherlands. That version modified Oracle's data dictionary views to disguise the presence of malicious accounts, database processes and so on.


The new version of the database rootkit will modify the computer memory used to run Oracle. Administrators could detect the first version of the rootkit by noting changes in the size of the data dictionaries that had been modified. The new version will allow attackers to disguise malicious elements without modifying the database views, Kornbrust said.

Also, evidence of the hack will disappear whenever the database is restarted, Kornbrust said.

Unlike operating system rootkits such as Back Orifice, Hacker Defender and FU, database rootkits are platform-independent and can run on any operating system, Kornbrust said.

The database rootkits are part of a larger project to port malicious code from operating systems to enterprise database environments, he said. Applications like Oracle and Microsoft's SQL Server have become so sophisticated that they are, in effect, operating systems in their own right, he said.

"Things like creating users, processes and jobs used to be part of the operating system. But now every database has similar commands to the operating system. You can kill processes, create users and so on," he said.


Unlike operating systems, however, many enterprise databases do not have robust security features that could detect rogue accounts or suspicious activity, he said.

For example, tools that Oracle database administrators use to monitor user accounts just present information from the same data dictionaries that would be modified by the rootkit, Kornbrust said.
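The weakness described above, that administrative tools only repeat what the (possibly edited) dictionary views say, suggests a defender's cross-check: compare the views against the underlying base tables, and compare view definition lengths against a baseline, which is the size-change detection mentioned for the first rootkit version. The SQL below is an added example written for this article, not code from Red Database Security or Oracle. It assumes a SYSDBA session, the standard Oracle catalog objects SYS.USER$, SYS.JOB$, DBA_USERS, DBA_JOBS and DBA_VIEWS, and a baseline table named DICT_VIEW_BASELINE that is created once on a known-clean install (the table name is this example's own choice).

```sql
-- Added example (not from the article or from Red Database Security).
-- Run as SYSDBA. Step 0 is done once on a known-clean database; steps 1-3
-- are run periodically and should each return zero rows.

-- 0. Baseline the definition length of every SYS-owned dictionary view.
--    (DICT_VIEW_BASELINE is a name chosen for this example.)
CREATE TABLE dict_view_baseline AS
SELECT view_name, text_length
  FROM dba_views
 WHERE owner = 'SYS';

-- 1. Accounts present in the base table but missing from the DBA_USERS view.
--    The first-generation rootkit hid accounts by editing the view, not the
--    base table, so any row returned here is a red flag.
SELECT u.name AS hidden_account
  FROM sys.user$ u
 WHERE u.type# = 1                                   -- 1 = user, 0 = role
   AND u.name NOT IN (SELECT username FROM dba_users);

-- 2. Jobs present in the base table but missing from the DBA_JOBS view
--    (same idea applied to scheduled database jobs).
SELECT j.job AS hidden_job
  FROM sys.job$ j
 WHERE j.job NOT IN (SELECT job FROM dba_jobs);

-- 3. Dictionary views whose definition length changed since the baseline,
--    which is the size-change detection the article mentions for Version 1.0.
SELECT v.view_name,
       b.text_length AS baseline_len,
       v.text_length AS current_len
  FROM dba_views v
  JOIN dict_view_baseline b ON b.view_name = v.view_name
 WHERE v.owner = 'SYS'
   AND v.text_length <> b.text_length;
```

These queries only catch tampering that leaves a trace in the stored view definitions or in the difference between base tables and views. A rootkit that alters the running Oracle process's memory instead, as the planned Version 2.0 is described as doing, would not be caught by step 3, and since the article notes the evidence vanishes on restart, any such check is only meaningful while the instance is up.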

Traditional network security tools also aren't effective. "[Security] tools from the operating system world don't work in the database world," he said.

At the same time, database and network security staff often move in different circles, experts say.

"Security guys are used to dealing with packets on the network," said Shlomo Kramer, CEO of Imperva, a database security company in Foster City, Calif. "The assumption is the security guys don't know anything about databases."

However, malicious hackers and organized online criminal groups are figuring out that databases like Oracle and SQL are vulnerable to attack, Kornbrust said.

"I personally think that bad guys have better knowledge of how to exploit [database holes] than the good guys," he said.

Recent events like the Oracle "Voyager" show that malicious code writers are getting savvy about targeting enterprise databases, Kramer said.

"It's not about the infrastructure; it's about the data," Kramer said.
