A newly revamped and potentially more dangerous version of the Oracle Voyager worm has been published on a popular security mailing list.
The new variant of the worm grants administrator access to public database user accounts, but currently lacks a mechanism by which it can replicate itself, according to Oracle security specialist and blogger Pete Finnigan.
"This new variant of the Oracle Voyager worm is written in PL/SQL and utilizes some of the key built-in packages that people like me always tell people to revoke access from PUBLIC … such as UTL_HTTP, UTL_TCP and UTL_SMTP," said Finnigan. "This is good advice. Believe me!"
As yet, no Oracle users have been attacked by the worm, according to reports.
The original version of the Voyager worm surfaced about two months ago on the Full Disclosure mailing list. Experts explained that the worm uses the UTL_TCP package to scan for remote databases on the same network, then upon finding one, retrieves the SID and uses several default usernames and passwords to attempt login.
The Bethesda, Md.-based SANS Internet Storm Center suggested steps to block the worm and possible future variants after it first appeared:
Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
Revoke PUBLIC privileges to the UTL_TCP, UTL_INADDR packages.
Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.