A worm that can attack Oracle databases has been posted to an Internet mailing list.

Code for the worm was posted on Monday - coinciding with Halloween - on the Full-disclosure mailing list with the subject line "Trick or treat Larry", referring to Oracle CEO Larry Ellison. It is a "proof of concept" worm, the anonymous poster stated, and came with a harmless payload.

However, it could be used to create worms that spread automatically and cause damage, security researchers have warned.

It is the first Oracle worm that security researcher Alexander Kornbrust has seen outside a lab. Hackers who target Oracle databases normally aim at a single database and steal information from it, said Kornbrust, of Red Database Security. A worm could automate the process of getting into many databases within a company or on the Internet, he said. Some enterprises use thousands of Oracle databases.

Two factors limit the size of the worm's threat, according to security analysts. It takes advantage of default passwords provided by Oracle, which users typically replace with their own passwords, though Kornbrust estimates that half of all Oracle shops use a default password on at least one database. In addition, most Oracle databases are not connected directly to the Internet, so an attacker would have to get access to the LAN to release the worm.

To protect themselves against the worm, users should stop using default passwords and also password-protect the "listener" element of the database, a process that is responsible for communication between a user and the database, Kornbrust said. Most users leave this process open without a password, he said.

The "trick or treat" code won't cause any damage, according to analysts. Once it gets into a database, it just creates a new table, called "x." But greater threats could be on the way.

"As always, it's possible to change the payload and do more dangerous things, like modifying data, deleting data, or stealing data," Kornbrust said. He doubts a future attacker would use the very same code, but thinks an Oracle database worm would not be particularly hard to write.

One reason database worms are rare may be that they are not good tools for stealing data, Kornbrust said. However, analysts said a worm that could rapidly go from one database to another could cause problems by erasing or changing data.

For example, an attacker could unleash a worm on a company and change the information in its databases, then extort money from the company for a remedy that would bring back the correct information, Kornbrust said.