Oracle database worm gets a makeover

Mark Brunelli, News Director

A newly revamped and potentially more dangerous version of the Oracle Voyager worm has been published on a popular security mailing list.

The new variant of the worm grants administrator access to public database user accounts, but currently lacks a mechanism by which it can replicate itself, according to Oracle security specialist and blogger Pete Finnigan.

"This new variant of the Oracle Voyager worm is written in PL/SQL and utilizes some of the key built-in packages that people like me always tell people to revoke access from PUBLIC … such as UTL_HTTP, UTL_TCP and UTL_SMTP," said Finnigan. "This is good advice. Believe me!"

As yet, no Oracle users have been attacked by the worm, according to reports.

The original version of the Voyager worm surfaced about two months ago on the Full Disclosure mailing list. Experts explained that the worm uses the UTL_TCP package to scan for remote databases on the same network, then upon finding one, retrieves the SID and uses several default usernames and passwords to attempt login.

The Bethesda, Md.-based SANS Internet Storm Center suggested steps to block the worm and possible future variants after it first appeared:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
  • Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
  • Revoke PUBLIC privileges on the UTL_TCP and UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
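
The audit below is an added example, not part of the original article or the SANS advisory; it shows how a DBA could check a database against the steps listed above using Oracle's standard data dictionary views. It assumes a DBA-privileged session, that DBA_USERS_WITH_DEFPWD is available (Oracle 11g or later), and uses a placeholder account name in the final statement.

```sql
-- 1. EXECUTE grants to PUBLIC on the network packages named in the article
--    (UTL_TCP, UTL_INADDR from the SANS list; UTL_HTTP, UTL_SMTP from Finnigan).
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee    = 'PUBLIC'
AND    privilege  = 'EXECUTE'
AND    table_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP');

-- 2. Objects outside SYS that depend on those packages. Review these first:
--    revoking from PUBLIC breaks them unless the owner gets a direct grant.
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_owner = 'SYS'
AND    referenced_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY owner, name;

-- 3. Users and roles (including CONNECT, if listed) that can create links
--    to remote databases.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
ORDER  BY grantee;

-- 4. Open accounts that still have a known default password.
--    Assumption: DBA_USERS_WITH_DEFPWD exists (11g and later).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN';

-- Remediation, to run once the findings above have been reviewed.
REVOKE EXECUTE ON SYS.UTL_TCP    FROM PUBLIC;
REVOKE EXECUTE ON SYS.UTL_INADDR FROM PUBLIC;

-- Only if query 3 listed CONNECT as a grantee; otherwise this raises an error.
REVOKE CREATE DATABASE LINK FROM CONNECT;

-- EXAMPLE_DEFAULT_USER is a placeholder for each account returned by query 4.
ALTER USER EXAMPLE_DEFAULT_USER ACCOUNT LOCK;
```

Re-running queries 1, 3 and 4 after remediation should return no rows for the items that were fixed.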

More information about the worm can be found at Application Security and Red Database Security.

News Editor Bill Brenner of SearchSecurity.com contributed to this report.

