[ISN] Database rootkit menace looms

InfoSec News isn at c4i.org
Tue Apr 5 01:05:54 EDT 2005


By John Leyden
4th April 2005 

Crackers are developing more sophisticated techniques for take over
the control of corporate databases using malicious code akin to
malware already common on Unix platforms. The threat also applies to
repository-based software such as CRM systems and web applications,
creating a need for new security tools, according to Alexander
Kombrust of Red Database Security.

Kombrust told a session at the Black Hat security conference in
Amsterdam on Friday, 1 April that operating Systems and databases are
quite similar in their architecture. Each has users, processes, jobs
and executables. This similarity means forms of malicious code - like
rootkits - that have long being a problem for Unix admins are also an
issue for database administrators.

Rootkits refer to a set of tools used by crackers after breaking into
a computer system to hide logins and processes under the control of an
attacker from detection. Kornbrust said a database rootkit for Oracle
systems would hide the Oracle execution path, database users,
processes and jobs as well as modifying internal functions.

Database rootkits would be implemented by either modifying a database
object or changing the execution path, for example by creating a local
object with the identical name, establishing a synonym pointing to a
different object or switching to a different schema. Thereafter
Kornbrust showed how it would be possible for a hacker to hide
database users or processes he controlled. Most internal packages from
Oracle are protected from modifications but Kombrust emphasised that
the threat - although hard to quantify - was real.

"Knowledge is not widespread about how to hack databases but
information is out there," said Kombrust. "This is not for script
kiddie but internal attack is possible - a professional attacker is
very difficult to detect. There are no figures on incidents," he

Databases don't keep tabs yet, so buy our software instead Kombrust
explained how to rootkits/backdoors in a database could be identified
using a special tool called repscan, developed by Red Database
Security. The tool finds modifications in execution paths and checks
for insecure database settings. Ultimately databases or other
application should check the repository for modifications themselves,
according to Kombrust, who added that the rootkit threat ought to
prompt more secure coding practices among developers.

More information about the ISN mailing list