Oracle database worm gets a makeover

A new and potentially more dangerous version of the "Oracle Voyager" worm has surfaced on a popular security mailing list.

A newly revamped and potentially more dangerous version of the Oracle Voyager worm has been published on a popular security mailing list.

The new variant of the worm grants administrator access to public database user accounts, but currently lacks a mechanism by which it can replicate itself, according to Oracle security specialist and blogger Pete Finnigan.

"This new variant of the Oracle Voyager worm is written in PL/SQL and utilizes some of the key built-in packages that people like me always tell people to revoke access from PUBLIC … such as UTL_HTTP, UTL_TCP and UTL_SMTP," said Finnigan. "This is good advice. Believe me!"

As yet, no Oracle users have been attacked by the worm, according to reports.

The original version of the Voyager worm surfaced about two months ago on the Full Disclosure mailing list. Experts explained that the worm uses the UTL_TCP package to scan for remote databases on the same network, then upon finding one, retrieves the SID and uses several default usernames and passwords to attempt login.

The Bethesda, Md.-based SANS Internet Storm Center suggested steps to block the worm and possible future variants after it first appeared:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
  • Drop or lock default user accounts if possible. Ensure that no default account still uses its default password.
  • Revoke PUBLIC privileges on the UTL_TCP and UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
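
The package, account and database-link steps above can be audited and applied from a DBA session as sketched below. This is an added example, not code from the article or from SANS; the account name SCOTT is only an illustration, the DBA_USERS_WITH_DEFPWD view is assumed to be available (Oracle 11g or later), and the listener port and password are set in the listener configuration rather than in SQL.

```sql
-- Added example: run as a DBA with access to the DBA_* dictionary views.

-- 1. Which network packages can PUBLIC still execute?
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP')
 ORDER BY table_name;

-- 2. Before revoking, list non-SYS objects that reference those packages.
--    Code that relied on the PUBLIC grant becomes invalid after the revoke
--    and needs a direct grant to its owner.
SELECT owner, name, type, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner = 'SYS'
   AND referenced_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, name;

-- 3. Revoke only the grants that step 1 reported (a REVOKE of a grant that
--    does not exist fails with an error).
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp   FROM PUBLIC;

-- 4. Open accounts that still have a default password.
SELECT u.username, u.account_status
  FROM dba_users u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.account_status = 'OPEN'
 ORDER BY u.username;

-- Lock each account from step 4 that is not needed (SCOTT is illustrative).
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 5. Who holds CREATE DATABASE LINK, directly or through a role?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK'
 ORDER BY grantee;

-- Revoke it from the CONNECT role if step 5 lists CONNECT as a grantee.
REVOKE CREATE DATABASE LINK FROM connect;
```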

More information about the worm can be found at Application Security and Red Database Security.

News Editor Bill Brenner of SearchSecurity.com contributed to this report.
