
Oracle database worm gets a makeover

A new and potentially more dangerous version of the "Oracle Voyager" worm has surfaced on a popular security mailing list.

A newly revamped and potentially more dangerous version of the Oracle Voyager worm has been published on a popular security mailing list.

The new variant of the worm grants administrator access to public database user accounts, but currently lacks a mechanism by which it can replicate itself, according to Oracle security specialist and blogger Pete Finnigan.


"This new variant of the Oracle Voyager worm is written in PL/SQL and utilizes some of the key built-in packages that people like me always tell people to revoke access from PUBLIC … such as UTL_HTTP, UTL_TCP and UTL_SMTP," said Finnigan. "This is good advice. Believe me!"

As yet, no Oracle users have been attacked by the worm, according to reports.

The original version of the Voyager worm surfaced about two months ago on the Full Disclosure mailing list. Experts explained that the worm uses the UTL_TCP package to scan for remote databases on the same network, then upon finding one, retrieves the SID and uses several default usernames and passwords to attempt login.

The Bethesda, Md.-based SANS Internet Storm Center suggested steps to block the worm and possible future variants after it first appeared:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
  • Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
  • Revoke PUBLIC privileges on the UTL_TCP and UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
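
The three database-side items in the list above can be checked from the data dictionary. The script below is an added example, not part of the original article or the SANS guidance; it assumes a DBA session and, for query 3, the DBA_USERS_WITH_DEFPWD view, which is available in Oracle 11g and later.

```sql
-- Added example: audit a database against the checklist above.

-- 1. Network packages that PUBLIC can execute (the four named in the article).
SELECT owner, table_name AS package_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP')
ORDER  BY table_name;

-- 2. Objects that depend on those packages. Review these before revoking:
--    code that relied on the PUBLIC grant becomes invalid and will need
--    a direct grant to its owner.
SELECT owner, name, type, referenced_name
FROM   dba_dependencies
WHERE  referenced_name IN ('UTL_TCP', 'UTL_INADDR', 'UTL_HTTP', 'UTL_SMTP')
AND    owner NOT IN ('SYS', 'PUBLIC')
ORDER  BY referenced_name, owner, name;

-- 3. Accounts that still have a default password and are not locked.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY d.username;

-- 4. Every user or role that can create database links.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE DATABASE LINK', 'CREATE PUBLIC DATABASE LINK')
ORDER  BY grantee;

-- Remediation for the findings above. Run each statement only for a row
-- the matching query actually returned; a REVOKE of a privilege that was
-- never granted raises an error.
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;
REVOKE CREATE DATABASE LINK FROM connect;   -- only if query 4 lists CONNECT
-- For each username from query 3 (example_user is a placeholder):
-- ALTER USER example_user ACCOUNT LOCK;
```

The listener port and listener password in the first item are set in the listener configuration rather than in the database, so they are outside what these queries can show.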

More information about the worm can be found at Application Security and Red Database Security.

News Editor Bill Brenner of contributed to this report.
