Risk: Informational
Crackers are developing more sophisticated techniques for taking over corporate databases using malicious code akin to malware already common on Unix platforms. This threat also applies to repository-based software, such as CRM systems and web applications, creating a need for new security tools.
At the recent Black Hat security conference in Amsterdam, speakers advised attendees that operating systems and databases are quite similar in their architecture. Each has users, processes, jobs and executables. This similarity means forms of malicious code - like rootkits - that have long been a problem for Unix admins are also an issue for database administrators.
Rootkits refer to a set of tools used by crackers after breaking into a computer system, to hide logins and processes under the control of an attacker from detection. For example, a database rootkit for Oracle systems could hide the Oracle execution path, database users, processes and jobs, as well as modifying internal functions.
Database rootkits would be implemented by either modifying a database object or changing the execution path, for example by creating a local object with an identical name, which would be executed before the system supplied version. Alternatively, establishing a synonym pointing to a different object or switching to a different schema could be utilised. Attendees were also shown how it would be possible for a hacker to hide database users or processes that they controlled. Most internal packages from Oracle are protected from modifications, however in this attack, emphasis was placed on the fact that the threat - although hard to quantify - was real.
This type of attack is unlikely to happen from script kiddies, as information is not widespread about how to hack databases, but it is there. Possible attack vectors include internal attacks, as internal applications also rely on databases and are generally written with a less security conscious and more trusting mindset.