Database Trojans represent a sophisticated attack because the attack is separated into two parts: the injection of the malicious code and the calling of the malicious code. One of the main advantages of Trojan attacks is that they are more difficult to track because of this separation into two phases.
The difficulty is in associating the two events and understanding that the two events, which occur at different times, using different connections, possibly with different user IDs, are really a single attack.
There are four main categories of Trojan attacks:
- An attack that both injects the Trojan and calls it
- An attack that uses an oblivious user or process to inject the Trojan and then calls it to extract the information or perform an action within the database
- An attack that injects the Trojan and then uses an oblivious user or process to call the Trojan
- An attack that uses an oblivious user or process to inject the Trojan and also uses an oblivious user or process to call the Trojan
An example of using an oblivious user or process to inject a Trojan is a scenario in which a junior developer gets some procedural code from someone he or she doesn't know (perhaps from a question posted in a newsgroup) and then uses this code within a stored procedure without fully understanding what it is doing. An example of using an oblivious user or process to call the Trojan is a stored procedure that runs every month as part of a General Ledger calculation performed when closing the books. An attacker who has this insight can try to inject a Trojan into this procedure, knowing that it will be run at the end of the month automatically.
The options are listed in increasing degree of sophistication, complexity, and quality. The first category is the least sophisticated because actions can be traced back to the attacker. The only advantage over a direct attack using a single connection is that the attack occurs at two distinct times, and it certainly requires more work from an investigation unit to be able to identify the two events as being related and as forming a single attack.
The fourth category is extremely sophisticated and difficult to track back to the attacker—sometimes impossible. Because both the injection an investigation well beyond what happened at the database to figure out who the attacker is and what methods were used to coerce the injection.
The second and third types are somewhat comparable in terms of sophistication, but a type 3 Trojan is usually easier to carry out. In terms of what you need to monitor, for type 1 and type 2 the focus is on monitoring execution of stored procedures, whereas for type 3 and type 4 the focus is on monitoring creation and modification of procedural objects.
To learn how to detect and prevent database Trojans.
Note: Printed with permission from Digital Press, a division of Elsevier. Copyright 2005. Implementing Database Security and Auditing by Ron Ben Natan. For more information about this book and other similar titles, please visit www.books.elsevier.com.
This was first published in June 2006