A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.
The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells -- running processes, opened connections, logins created, etc.
"We have different rootkits for Microsoft SQL Server and Oracle Database Server," says Argeniss founder and CEO Cesar Cerrudo. "[These rootkits] can let an attacker hide a database login or a database backdoor to gain remote access, even from the Internet. It gives them invisibility from a database administrator," he added.
Cerrudo, a database security guru who has had a frosty relationship with Oracle, said the rootkit on sale will work alongside a batch of zero-day bugs and exploits that run on top of Immunity's CANVAS point-and-click penetration testing tool.
The exploit pack sells for $2500 (5 seats), a price tag that includes monthly updates and support. The company also sells an "advanced version" to security vendors that offers early access to the zero-day flaws, proof-of-concept attack code just after the bug is discovered, vulnerability details and new exploitation techniques.
Cerrudo said Argeniss' customers are mostly consulting and research companies that use the exploit pack "to improve the security of their own customers and/or their own products" but he admits that the company has little control over who has access to the exploits.
Oracle rootkits are not entirely new. Alexander Kornbrust, a German database security expert, first discussed the concept at Black Hat Europe in 2005 and, at last year's conference in Las Vegas, he again warned that difficult-to-detect database rootkits could be very dangerous to businesses.
In Cerrudo's mind, the database rootkit is just as dangerous as traditional OS rootkits that are used to hide malware files on infected systems. "A company could have its database servers compromised and continuously accessed by attackers for months without noticing it. This already happens without a rootkit so, if you put a rootkit into the equation, the compromise is almost difficult to detect," he added.
Cerrudo recommends that DBAs start comparing a previously known safe database installation with the current database state to look for evidence of changes. "If you detect changes on database objects (that weren't done by software updates), such as views and procedure bodies, etc., then probably a rootkit is present," he warned.
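The baseline comparison Cerrudo describes can be automated as a fingerprint diff: hash the definition of every view and stored procedure (and the raw user list) on a known-good install, store the hashes outside the database, and periodically compare them against the live state. The following is an added illustration written for this article, not code from Argeniss, Immunity or Oracle. The object definitions, names and the `HIDDEN_ACCT` user are constructed and simplified; in practice the dictionaries would be filled from the data dictionary (view text, stored-procedure source, the base user table) rather than from literals.

```python
import hashlib
from typing import Dict, FrozenSet, List, Set

# Constructed, simplified definitions standing in for what a DBA would export
# from a known-good install (view text, procedure source). Keys are
# "OWNER.TYPE.NAME"; values are the object's definition text.
BASELINE: Dict[str, str] = {
    "SYS.VIEW.ALL_USERS": """
        SELECT u.name, u.user#, u.ctime
        FROM sys.user$ u
        WHERE u.type# = 1
    """,
    "APP.PROCEDURE.AUDIT_LOGIN": """
        BEGIN
          INSERT INTO audit_log (who, at) VALUES (USER, SYSDATE);
        END;
    """,
}

# Constructed "current" state: the user view gained an extra predicate, the
# audit procedure body was gutted, and an object not in the baseline appeared.
CURRENT: Dict[str, str] = {
    "SYS.VIEW.ALL_USERS": """
        SELECT u.name, u.user#, u.ctime
        FROM sys.user$ u
        WHERE u.type# = 1 AND u.name <> 'HIDDEN_ACCT'
    """,
    "APP.PROCEDURE.AUDIT_LOGIN": """
        BEGIN
          NULL;
        END;
    """,
    "APP.PROCEDURE.NEW_HELPER": "BEGIN NULL; END;",
}


def fingerprint(definitions: Dict[str, str]) -> Dict[str, str]:
    """SHA-256 per object over whitespace-normalised text, so that a mere
    reformat of a definition does not raise an alert but any token change does."""
    digests = {}
    for key, text in definitions.items():
        normalised = " ".join(text.split())
        digests[key] = hashlib.sha256(normalised.encode("utf-8")).hexdigest()
    return digests


def compare(baseline_fp: Dict[str, str], current_fp: Dict[str, str],
            allowed: FrozenSet[str] = frozenset()) -> Dict[str, List[str]]:
    """Diff two fingerprint sets. `allowed` lists objects a known software
    update legitimately changed, which the article says should be excluded."""
    added = sorted(k for k in current_fp if k not in baseline_fp)
    removed = sorted(k for k in baseline_fp if k not in current_fp)
    modified = sorted(
        k for k in baseline_fp
        if k in current_fp and baseline_fp[k] != current_fp[k] and k not in allowed
    )
    return {"added": added, "removed": removed, "modified": modified}


def hidden_accounts(base_table_names: Set[str], view_names: Set[str]) -> Set[str]:
    """Second check: a user-hiding rootkit makes the user view return fewer
    rows than the underlying base table. Returns the accounts the view omits."""
    return base_table_names - view_names


def report(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Human-readable findings, one line per suspicious object."""
    diff = compare(fingerprint(baseline), fingerprint(current))
    lines = [f"{kind}: {name}" for kind in ("added", "removed", "modified")
             for name in diff[kind]]
    return lines or ["no changes against baseline"]


if __name__ == "__main__":
    for line in report(BASELINE, CURRENT):
        print(line)
    # Constructed rows: the base table lists an account the view no longer shows.
    missing = hidden_accounts({"SYS", "SYSTEM", "APP", "HIDDEN_ACCT"},
                              {"SYS", "SYSTEM", "APP"})
    print("accounts hidden from the user view:", sorted(missing))
```

The baseline should be taken from a fresh, patched install and kept off the monitored host, since a rootkit that can rewrite a view can equally rewrite a checksum table stored inside the same database. The `allowed` set is where vendor patch changes are recorded so that only unexplained modifications are reported.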