Security Watch
Oracle Rootkit: Not a Hacking Tool?
A white hatter is developing a tougher database rootkit for security reasons -- but can it be used for evil?
Hacking
Alexander Kornbrust is developing his second version of an Oracle
rootkit which he says will be harder to detect. He claims it's not a hacking
tool but instead intended to highlight the weaknesses in such databases. He
plans to unveil the new version at Black Hat Las Vegas in July.
This is just what we need so we can look to database security companies to
help us figure out how to remove such tools installed by criminals. I thought
it was interesting to see Kornbrust suggesting that the criminals are more savvy
than the consumer…could it have something to do with the work he's
done so far, or is he claiming that all his work so far is based on the work
of others?
It's safe to say that any application framework, be it Microsoft SharePoint,
IIS or Oracle, can be abused in the same way an operating system can, and that
attackers will seek to exploit it. But creating a cross-platform database rootkit
seems more like creating a SYN-flooding tool than helping to solve database
security issues.
Red Hat Directory Server and Red Hat Certificate Server High Risk Vulnerability:
The Help button functionality within the server's Management Console Admin pages
could be exploited to trigger a buffer overflow, allowing an attacker to elevate
their privileges. However, the attacker must first have access to the Management
Console Admin pages, so the flaw is not exploitable by an anonymous remote user.
The U.S. National Security Agency (NSA) has issued guidelines
(PDF) for how to remove extraneous data from Microsoft Word and other documents
prior to publishing them as Adobe PDFs.
It has long been known that such documents can carry "filler" data that pads
the file, often fragments of other documents. Further, if changes were tracked
during the creation of the document, or comments embedded, these too can end up
in the published document unexpectedly. The NSA attempts to ensure this doesn't
happen via these guidelines. The agency admits, however, that the guidelines are
not comprehensive and only cover the majority of risks.
It's noteworthy that the government is coming out with instructions on how
not to leave stupid things in your documents. Word 2003 offers several options
to help avoid saving a document containing metadata. When publishing such a
document, it is always a good idea to first turn off the hidden tracking features
(such as tracked changes and comments), save the document, open it again, and
then copy the contents into an entirely new document so that none of the old
file's hidden history is carried along. By default, Word 2003 will prompt you
before saving a document with track changes enabled.
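The hidden content the column warns about (tracked insertions and deletions, comments, and author metadata) is easy to check for mechanically before a file is published. The following is an added example, not code from the column or from the NSA guidelines, and it assumes the document is in the newer zipped-XML .docx format rather than the binary Word 2003 .doc format the column discusses; the sample document it inspects is constructed inline so the script runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML and core-properties namespaces used inside a .docx package.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"

# Constructed sample parts: a body with one tracked insertion, one tracked
# deletion and one comment, plus authorship metadata. Not a real document.
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Final text of the report.</w:t></w:r></w:p>
<w:p><w:ins w:id="1" w:author="jdoe"><w:r><w:t>Budget raised to 2M.</w:t></w:r></w:ins>
<w:del w:id="2" w:author="jdoe"><w:r><w:delText>Budget is 1M.</w:delText></w:r></w:del>
<w:commentRangeStart w:id="0"/><w:r><w:t>Approved.</w:t></w:r><w:commentRangeEnd w:id="0"/>
<w:r><w:commentReference w:id="0"/></w:r></w:p>
</w:body></w:document>"""

COMMENTS_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="jdoe">
<w:p><w:r><w:t>Do not publish the 2M figure.</w:t></w:r></w:p></w:comment></w:comments>"""

CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">
<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>Jane Doe (Finance)</cp:lastModifiedBy>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Assemble the constructed parts into a minimal .docx (zip) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
        z.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def _text(el) -> str:
    """Concatenate visible and deleted text runs beneath an element."""
    wanted = {f"{{{W}}}t", f"{{{W}}}delText"}
    return "".join(t.text or "" for t in el.iter() if t.tag in wanted)


def scan_docx(data: bytes) -> dict:
    """Report tracked changes, comments and authorship metadata in a .docx."""
    report = {"insertions": [], "deletions": [], "comments": [], "properties": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        doc = ET.fromstring(z.read("word/document.xml"))
        for ins in doc.iter(f"{{{W}}}ins"):
            report["insertions"].append(_text(ins))
        for dele in doc.iter(f"{{{W}}}del"):
            report["deletions"].append(_text(dele))
        if "word/comments.xml" in names:
            comments = ET.fromstring(z.read("word/comments.xml"))
            for c in comments.iter(f"{{{W}}}comment"):
                report["comments"].append((c.get(f"{{{W}}}author"), _text(c)))
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for prop in core:
                local = prop.tag.split("}", 1)[1]  # strip the namespace
                report["properties"][local] = (prop.text or "").strip()
    return report


def is_clean(report: dict) -> bool:
    """True only when nothing that should have been scrubbed remains."""
    return not (report["insertions"] or report["deletions"] or report["comments"])


if __name__ == "__main__":
    r = scan_docx(build_sample_docx())
    for key in ("insertions", "deletions", "comments"):
        print(f"{key}: {r[key]}")
    print("properties:", r["properties"])
    print("publishable:", is_clean(r))
```

The check deliberately reports the deleted text, since that is exactly what a reader of the published file would be able to recover; authorship properties are listed rather than failed on, because whether a creator name is sensitive depends on the publisher.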
Malicious Code
According to published reports, 70 individuals in the British Parliament
and other British government offices were targeted by e-mail-based attacks
using the .WMF exploit (MS06-001) originating from China.
Well, this hardly passes the sniff test. Imagine, if you will, that one person
who happens to have had dealings with the U.K. government was compromised by
a bot or other malware. Imagine they have the e-mail addresses of, say, 70 people
on their computer. Imagine the malware they are infected with attempts mass
mailings. Imagine that the bot they are infected with was updated with the .WMF
malware.
It's a pretty easy scenario to imagine and far more common than you might
expect. Bots are very quickly updated with whatever malicious attacks are available,
and they often spread themselves by mass-mailing.
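MS06-001 concerned how Windows handled the SETABORTPROC escape inside a Windows Metafile, which is what the mailed attachments in the reports above carried. The following scanner is an added example, not code from the column; it parses the WMF record stream for an escape record of that type and also falls back to a raw byte signature, and it runs over two small metafiles constructed inline (one benign, one carrying the escape with dummy bytes where a real sample would carry a payload).

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte placeable header in front of the metafile
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009
# Raw signature: META_ESCAPE function word followed by the SETABORTPROC escape word.
RAW_SIG = struct.pack("<HH", META_ESCAPE, ESC_SETABORTPROC)


def parse_records(data: bytes):
    """Walk the WMF record stream, yielding (function, parameter bytes) pairs."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_size_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_size_words != 9:
        raise ValueError("not a WMF header")
    off += header_size_words * 2
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:  # a record is at least its own size and function fields
            raise ValueError(f"malformed record size at offset {off}")
        params = data[off + 6: off + size_words * 2]
        records.append((func, params))
        off += size_words * 2
        if func == META_EOF:
            break
    return records


def find_setabortproc(data: bytes):
    """Return the ByteCount of every SETABORTPROC escape record found."""
    hits = []
    for func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape_fn, byte_count = struct.unpack_from("<HH", params, 0)
            if escape_fn == ESC_SETABORTPROC:
                hits.append(byte_count)
    return hits


def has_raw_signature(data: bytes) -> bool:
    """Signature check that does not depend on the record sizes being honest."""
    return data.find(RAW_SIG) != -1


# --- constructed sample metafiles (not real captures) ---------------------------
def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0, "WMF records are sized in 16-bit words"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _header(body: bytes) -> bytes:
    max_words = max(struct.unpack_from("<I", body, 0)[0], 3)
    # Type=1 (memory), HeaderSize=9 words, Version=0x300, Size, Objects, MaxRecord, Members
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)


def _placeable() -> bytes:
    head = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", head):
        checksum ^= w
    return head + struct.pack("<H", checksum)


def benign_wmf() -> bytes:
    body = _record(META_SETMAPMODE, struct.pack("<H", 1)) + _record(META_EOF, b"")
    return _header(body) + body


def setabortproc_wmf() -> bytes:
    escape = struct.pack("<HH", ESC_SETABORTPROC, 4) + b"\x90\x90\x90\x90"  # dummy bytes
    body = _record(META_ESCAPE, escape) + _record(META_EOF, b"")
    return _placeable() + _header(body) + body


if __name__ == "__main__":
    for name, sample in (("benign", benign_wmf()), ("setabortproc", setabortproc_wmf())):
        print(name, find_setabortproc(sample), has_raw_signature(sample))
```

Use the structured parse as the primary verdict and the raw signature as a second opinion: a file that deliberately breaks the record size fields can make the parser stop early, while a raw signature scan still fires, at the cost of an occasional false positive on unrelated binary data.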
This column was originally published in our weekly Security Watch newsletter.
Human Factors
The Anti-Phishing Working Group (APWG), not surprisingly, says that phishing
attacks have nearly doubled during the one-year period between November 2004
and 2005. Some 93 major trusted brand names were targeted during 2005, up from
64 in 2004. In addition to luring unwitting victims to sites to type in their
personal information, many criminals are installing keystroke-logging trojans
as well. Such trojans would allow them to capture the keystrokes used to, for
example, log into bank sites and other protected Web locations.
The obvious question here is whether there has *ever* been a drop in
phishing attacks. Given that this relatively new form of cyber-criminal activity
is lucrative, and methods of cashing in are becoming better known, why should
we expect any drop? Thus far very little is being done to thwart phishing attempts,
but some software does try to identify them. The Thunderbird 1.5 e-mail client
is one example, as are some browser toolbar add-ins.
There have also been reports about a phishing generation site (quickly taken
down), essentially a criminal's toolbox for creating your own phishing
attempts.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.