9.1 The four types of database Trojans
Database Trojans are a sophisticated form of attack because the attack is separated into two parts: the injection of the malicious code and the invocation of that code. The main advantage of a Trojan attack, from the attacker's point of view, is that this separation into two phases makes the attack harder to track. The difficulty lies in associating the two events and recognizing that they, although they occur at different times, over different connections, and possibly under different user IDs, form a single attack.
There are four main categories of Trojan attacks:

1. An attack that both injects the Trojan and calls it
2. An attack that uses an oblivious user or process to inject the Trojan and then calls it to extract the information or perform an action within the database
3. An attack that injects the Trojan and then uses an oblivious user or process to call the Trojan
4. An attack that uses an oblivious user or process to inject the Trojan and also uses an oblivious user or process to call the Trojan
An example of using an oblivious user or process to inject a Trojan is a scenario in which a junior developer gets some procedural code from someone he or she doesn't know (perhaps in reply to a question posted in a newsgroup) and then uses this code within a stored procedure without fully understanding what it does. An example of using an oblivious user or process to call the Trojan is a stored procedure that runs every month as part of a General Ledger calculation performed when closing the books. An attacker who has this insight can try to inject a Trojan into this procedure, knowing that it will be run automatically at the end of the month.
The options are listed in increasing order of sophistication, complexity, and quality. The first category is the least sophisticated because its actions can be traced back to the attacker. Its only advantage over a direct attack using a single connection is that the attack occurs at two distinct times, which certainly requires more work from an investigation unit to identify the two events as related and as forming a single attack.
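The practical counterpart to the two-phase structure described above (injection on one connection, invocation later on another) is the correlation an investigation unit has to perform: link every execution of a stored procedure back to the most recent change of that procedure's code, and surface cases where the modifier and the caller are different principals. The script below is an added example written for this page, not code from the book or from any database product. It reads a constructed, simplified audit format (timestamp, user, connection id, event kind, detail); real database audit trails use their own formats, and the procedure names, users and connection ids in the sample are invented.

```python
"""Link stored-procedure modifications (the injection phase) to later
executions (the call phase) in a simplified, constructed audit log."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample audit lines (not real product output). Columns:
#   timestamp user connection kind detail
# "DDL" rows carry the statement text, "EXEC" rows the procedure called.
AUDIT_LOG = """\
2024-03-01T09:12:05 jdev    conn-17 DDL  ALTER PROCEDURE dbo.gl_month_close
2024-03-01T09:40:00 alice   conn-18 EXEC dbo.gl_customer_report
2024-03-02T10:00:00 mallory conn-22 DDL  ALTER PROCEDURE dbo.update_salary
2024-03-02T10:00:30 mallory conn-22 EXEC dbo.update_salary
2024-03-31T23:00:00 batch   conn-91 EXEC dbo.gl_month_close
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<conn>\S+)\s+"
    r"(?P<kind>DDL|EXEC)\s+(?P<detail>.+)$"
)
# Only CREATE/ALTER PROCEDURE statements change procedure code.
PROC_DDL_RE = re.compile(
    r"(?:CREATE|ALTER)\s+PROCEDURE\s+(?P<proc>[\w.]+)", re.IGNORECASE
)


@dataclass
class AuditEvent:
    ts: datetime
    user: str
    conn: str
    kind: str
    detail: str


def parse_audit(text):
    """Parse the constructed audit format into events sorted by time."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        events.append(AuditEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                 m["conn"], m["kind"], m["detail"].strip()))
    events.sort(key=lambda e: e.ts)
    return events


def correlate(events, lookback=timedelta(days=90)):
    """For every EXEC, find the latest prior code change of that procedure
    within `lookback` and report both halves of the possible Trojan."""
    last_mod = {}  # procedure name (lower-cased) -> most recent DDL event
    findings = []
    for ev in events:
        if ev.kind == "DDL":
            m = PROC_DDL_RE.search(ev.detail)
            if m:
                last_mod[m["proc"].lower()] = ev
            continue
        proc = ev.detail.split()[0]
        mod = last_mod.get(proc.lower())
        if mod is None or ev.ts - mod.ts > lookback:
            continue  # no recent change on record for this procedure
        findings.append({
            "procedure": proc,
            "injected_by": mod.user, "injected_conn": mod.conn,
            "injected_at": mod.ts.isoformat(),
            "called_by": ev.user, "called_conn": ev.conn,
            "called_at": ev.ts.isoformat(),
            # Same user on the same connection is the easily traced case
            # (category 1); anything else spans principals or sessions.
            "same_principal": mod.user == ev.user and mod.conn == ev.conn,
            "days_between": (ev.ts - mod.ts).days,
        })
    return findings


FINDINGS = correlate(parse_audit(AUDIT_LOG))

if __name__ == "__main__":
    for f in FINDINGS:
        tag = "same principal" if f["same_principal"] else "CROSS-PRINCIPAL"
        print(f"{f['procedure']}: changed by {f['injected_by']} "
              f"({f['injected_conn']}) on {f['injected_at']}, run by "
              f"{f['called_by']} ({f['called_conn']}) on {f['called_at']} "
              f"[{tag}, {f['days_between']} days apart]")
```

The script only joins the two phases; it cannot tell whether either principal was an oblivious user or process, so deciding which of the four categories a linked pair belongs to remains an analyst's judgement. In the sample, the `update_salary` pair is the traceable first-category shape (one user, one connection, seconds apart), while `gl_month_close` shows the month-end pattern from the text: a change by one account, executed thirty days later by a scheduled batch account over a different connection.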
The fourth category is extremely sophisticated and difficult to track
back to the attacker—sometimes impossible. Because both the injection