Do you remember where you were the first time a layman said something to you about a “virus” or a “worm” and how those “hackers” can take over your “computer”. I do. I was in club; it was 2000 so I was being assaulted by the sounds of N’sync, Pink, Creed, and Macy Gray. Being that I was 22 or so it’s a safe bet that I was wearing a shiny shirt to impress women, it was a very scary time. I was talking to a cute girl in a short skirt (ah the things you remember) who asked me what I did for a living. After telling her I worked with computers she started in on a long story about how those “hackers” tricked her because she got an email with the subject line “I Love you” and she totally fell for it and got a “virus” then her computer crashed. I suddenly felt like my super secret club just became a subject of mainstream discussion.
With Word flaws, and Apple flaws, and a host of other problems affecting people in ways previously unseen, like Myspace, I predict someone will have a similar experience: “Like, I was totally surfing Myspace and some hackers like used one of those 0days on me and now my credit card information is in like Prague or something”.
I remember when it was a hard thing to find 0day and there were so called 0day brokers who were often regarded like underground cyber arms dealers. Not anymore it seems. This morning I awake to a story about Oracle rootkits and 0day. The story revolves around a company in Argentina, Argeniss, which sells a 0day pack for Canvas. Immunity, the makers of Canvas also have their own vulnerability sharing club. Argeniss isn’t the first service of its kind to build an ecosystem around exploit frameworks. Gleg offers up the vulndisco pack which also works on top of Canvas. Not to be confined to exploit framework ecosystmes some vendors like Digital Armaments also sales 0day information. Yours truly, Errata Security, even includes original 0day information in our Hacker Eye View Service. It won’t be long till Gartner has a magic quadrant for 0day services. It’s hardly a secret anymore.
Back to Oracle rootkits. This is not a new problem. Since vendors are hardening their OSes attackers have two options: go up to the application layer or go deep into the device drive layer. We have seen plenty of device driver problems so to make sure the app layer doesn’t feel lonely, we have database rootkits. The first person I saw talk about this was Alexander Kornbrust, A great presentation on this can be found here. Since security is actually all about diligence you now need to add checking databases for rootkits to the list as there is weaponized code available. I doubt it will be long till we see similar rootkits for DB2 or Microsoft’s SQLServer. Anybody have good suggestions for verifying database integrity?