Oracle DB rootkit for sale in exploit pack

Summary: A vulnerability research company in Argentina has fitted an Oracle database rootkit into a zero-day exploit pack, adding a stealthy new danger to enterprise systems.

TOPICS: Oracle

A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.

The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells -- running processes, opened connections, logins created, etc.

"We have different rootkits for Microsoft SQL Server and Oracle Database Server," says Argeniss founder and CEO Cesar Cerrudo.  "[These rootkits] can let an attacker hide a database login or a database backdoor to gain remote access, even from the Internet.  It gives them invisibility from a database administrator," he added.

Cerrudo, a database security guru who has had a frosty relationship with Oracle, said the rootkit on sale will work alongside a batch of zero-day bugs and exploits that run on top of Immunity's CANVAS point-and-click penetration testing tool.

The exploit pack sells for $2500 (5 seats), a price tag that includes monthly updates and support. The company also sells an "advanced version" to security vendors that offers early access to the zero-day flaws, proof-of-concept attack code just after the bug is discovered, vulnerability details and new exploitation techniques.

Cerrudo said Argeniss' customers are mostly consulting and research companies that use the exploit pack "to improve the security of their own customers and/or their own products" but he admits that the company has little control over who has access to the exploits.

Oracle rootkits are not entirely new.  Alexander Kornbrust, a German database security expert, first discussed the concept at Black Hat Europe in 2005 and, at last year's conference in Las Vegas, he again warned that difficult-to-detect database rootkits (PDF) could be very dangerous to businesses. 

In Cerrudo's mind, the database rootkit is just as dangerous as traditional OS rootkits that are used to hide malware files on infected systems.  "A company could have its database servers compromised and continuously accessed by attackers for months without noticing it. This already happens without a rootkit so, if you put a rootkit into the equation, the compromise is almost difficult to detect," he added.

Cerrudo recommends that DBAs start comparing a previous known safe database installation with the current database state to look for evidence of changes.  "If you detect changes on database objects (that weren't done by software updates) such as views and procedures bodies, etc. then probably a rootkit is present," he warned.
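One way to carry out the baseline comparison Cerrudo recommends, as an added example that is not part of the article or of any Argeniss tooling: two snapshots of object definitions (in practice exported from Oracle's DBA_VIEWS.TEXT and DBA_SOURCE.TEXT; the `{name: definition}` dictionary shape and the simplified, constructed definitions below are assumptions) are fingerprinted and every object whose body drifted is reported, with objects a known software update touched bucketed separately.

```python
import hashlib
import re

# Constructed, simplified snapshots in the shape {object_name: definition_text}.
# A real baseline would be taken from a known-good installation and stored
# off-box, so a compromised server cannot rewrite the reference copy.
BASELINE = {
    "SYS.DBA_USERS": "select u.name, u.user# from user$ u where u.type# = 1",
    "SYS.ALL_USERS": "select u.name from user$ u where u.type# = 1",
    "HR.AUDIT_LOGIN": "procedure audit_login is begin insert into login_log "
                      "values (user, sysdate); end;",
}
CURRENT = {
    # The data-dictionary view gained an extra predicate that filters one
    # account out of its output: the kind of view-body change the article
    # says to look for when hunting for a hidden database user.
    "SYS.DBA_USERS": "select u.name, u.user# from user$ u where u.type# = 1 "
                     "and u.name <> 'BACKDOOR'",
    # Only whitespace changed here; it must not be reported as drift.
    "SYS.ALL_USERS": "select u.name\n    from user$ u\n    where u.type# = 1",
    # Procedure body replaced so that logins are no longer recorded.
    "HR.AUDIT_LOGIN": "procedure audit_login is begin null; end;",
    "HR.NEW_REPORT": "procedure new_report is begin null; end;",
}

def normalize(text):
    """Collapse runs of whitespace only. Case is kept on purpose: a changed
    string literal such as a user name is a real change, not cosmetic."""
    return re.sub(r"\s+", " ", text).strip()

def fingerprint(text):
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()

def compare_snapshots(baseline, current, expected_changes=()):
    """Return objects whose definition drifted from the known-good baseline.

    expected_changes: names a software update is known to have touched; they
    are reported in their own bucket so real drift is not lost in patch noise.
    """
    report = {"modified": [], "added": [], "removed": [], "expected": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report["removed"].append(name)
        elif name not in baseline:
            report["added"].append(name)
        elif fingerprint(baseline[name]) != fingerprint(current[name]):
            bucket = "expected" if name in expected_changes else "modified"
            report[bucket].append(name)
    return report

if __name__ == "__main__":
    for bucket, names in compare_snapshots(BASELINE, CURRENT).items():
        print(f"{bucket}: {names}")
```

Every name in `modified` or `added` needs a human to read the current body against the baseline; the comparison only says where to look, not what was done.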

  • Oracle AND MS rootkits

    "We have different rootkits for Microsoft SQL Server and Oracle Database Server,"

    Perchance the headline could use updating?
    Robert Crocker
    • Why?

      The article was for the new Oracle rootkit. The MS one was probably in an article some time earlier.
      Why would it be necessary to bring up old news every time new news is presented?
      John Zern
      • Because of the included quote

        My objection was because the quote that was included mentioned both Oracle and SQL Server.
        Robert Crocker
  • Why is ZDNet advertising this?

    Those in the security realm who need to know will already be aware through other channels. This is retarded.
  • It's an Oracle rootkit

    Robert, as far as I understand it, the rootkit fitted into the 0day pack is an Oracle rootkit. They have working rootkits for other types of DBs but the one on sale is specific to Oracle.

    Ryan Naraine
    • I suggest you clarify it then with the company

      The page you included in the link just shows that they have a collection of exploits available for their "Argeniss Ultimate 0day Exploits Pack".

      So, does buying a license get you all of the exploits including multiple Root Kits or not?

      Frankly I find the idea of rootkits for sale (legitimately) to be quite disturbing be they for Oracle, another DB, or any OS.
      Robert Crocker
  • so sophisticated

    Oracle database applications are now so sophisticated and powerful that they are like operating systems....aren't they somehow?

    <<"The difference is that databases don't have the security features operating systems do, and are therefore easily susceptible to malicious code">>, but it's only "says Oracle security expert Alexander Kornbrust"...

    ...what's next then?...

    If the fax file filter in the BIOS were switched on there would be absolutely no problems with computers. The Internet, computer, and computer file type designs are United Nations sanctioned designs.
  • What's the big deal?

    This so-called "exploit" can be avoided if the system password is changed from the default and all other user/schemas don't have rights to the system tables. I read about Oracle rootkits in September 2004 and it wasn't very hard to find on the net. Any DBA worth his salt should be able to make a rootkit without any problem. Let's face it, you are hardly going to be reading the email and accidentally double-click on an SQL script and still have it automatically execute using the system user without it asking for a login or displaying some kind of error.
    Ooooo! I can just see it now "New Trojan found in ORACLE developer forms/JAVA form". I think not!
  • RE: Oracle DB rootkit for sale in exploit pack

    Entertaining. All the rootkits I've seen demonstrated for the Oracle database have one thing in common. The rootkit can only be installed by an authorized Oracle DBA or sys admin that already has all db privileges. This pretty much narrows down the use to 'insiders'. In short, every business needs to have highly trusted dba's and system admins in charge. It all goes back to the trustworthiness of your IT staff.