What is a rootkit?
According to Symantec’s definition:
A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels.
Does a rootkit exist for Oracle?
Yes. In fact, Alexander Kornbrust, of Red Database Security GmbH, is developing Version 2.0 of a rootkit program he first unveiled in April 2005.
Why has Alex created a rootkit?
Alex claims his rootkits are not hacking tools but are designed to underscore weaknesses in databases from Oracle, Microsoft and others that make it easy to hide malicious activity.
What is the difference between the first version of Alex’s rootkit and the newer version?
The new version of the database rootkit will modify the computer memory used to run Oracle. Administrators could detect the first version of the rootkit by noting changes in the size of the data dictionaries that had been modified. The new version will allow attackers to disguise malicious elements without modifying the database views.
This is what I learned from reading this eWeek.com article. I had never heard about rootkits until I read the article. I believe that more DBA’s should be educated about this kind of stuff (if they are not already). Better yet, create a new position within your organization, a DBSA. Guess what the “S” stands for?3 Comments | Filed in Oracle, Technology | Tags: rootkit, Security