"A vulnerability research company in Argentina has fitted an Oracle database rootkit into its zero-day exploit pack, adding a stealthy new danger to enterprise systems.
The rootkit, which is available for sale in the Argeniss Ultimate 0day Exploits Pack, can be used to hide a malicious database user once a database server is compromised. The rootkit can also be used to hide activities that might set off alarm bells — running processes, opened connections, logins created, etc."
This is interesting. I can see how you may conclude that buying zero-day exploits can be useful for manufacturers of security tools so that they can test if their tools perform correctly in detecting any exploit that may occur, not just the known ones. A rootkit for Oracle, though? I am not convinced there are any in the wild. I know Alex has talked about them at BlackHat and I have been aware of the idea of Oracle rootkits for much longer, but I have not heard of one in the wild yet. There could be value for the same tool and product manufacturers in testing if audit tools can detect firstly a rootkit and secondly a compromised system that includes a level of hiding using a rootkit. The Oracle rootkits that Alex has discussed are not honed and slick by any means (no disrespect to Alex intended), but I guess the security tools are also not honed to test for rootkits yet. I have no idea of the complexity of the Argeniss rootkit, but my suspicion would be that it may fool some existing products but it would not fool someone who knows how to check if one is installed.
Argeniss should share their research on this, or at least let us see the level of complexity of the rootkit. It would be useful in progressing free and commercial tools' capabilities, BUT it would also help develop more cunning Oracle rootkits.
Interesting all the same!
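As an added illustration of the kind of check the post alludes to (example SQL written for this page, not code from the original post or from Argeniss), the queries below surface a database user hidden from the data-dictionary views. They assume the rootkit follows the publicly described view-editing approach, altering views such as DBA_USERS rather than the base table SYS.USER$ they read from, and that the checker can connect as SYS or a DBA.

```sql
-- Added example, not from the original post or from Argeniss.
-- Assumption: the rootkit hides a user the way publicly described Oracle
-- rootkits do, by editing data-dictionary views such as DBA_USERS rather
-- than the base table SYS.USER$ that those views select from.
-- Run as SYS or a DBA; each MINUS returns any user the view no longer shows.

-- 1. Users present in the base table but absent from the DBA_USERS view
SELECT u.name AS hidden_user
FROM   sys.user$ u
WHERE  u.type# = 1            -- 1 = user, 0 = role
MINUS
SELECT username
FROM   dba_users;

-- 2. Same check against ALL_USERS, which many audit tools query instead
SELECT u.name AS hidden_user
FROM   sys.user$ u
WHERE  u.type# = 1
MINUS
SELECT username
FROM   all_users;

-- 3. Pull the live definition of DBA_USERS so it can be compared with a
--    known-good copy taken from a clean install of the same version;
--    an extra WHERE clause filtering out a name is the usual tell.
SELECT DBMS_METADATA.GET_DDL('VIEW', 'DBA_USERS', 'SYS') AS view_ddl
FROM   dual;
```

An empty result from the first two queries only rules out view-level hiding; a rootkit that also tampers with the base tables or the binaries needs comparison against an offline baseline instead.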