Home > Security News > Voyager worm targets Oracle databases
Security News:
EMAIL THIS LICENSING & REPRINTS

Voyager worm targets Oracle databases

By Bill Brenner, News Writer
02 Nov 2005 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Voyager is a proof-of-concept worm that doesn't seem capable of spreading in its current form. But security experts worry it's a sign that the digital underground is salivating over Oracle's growing list of flaws and is getting ready to pounce.

"The code looks incomplete as the worm does not replicate itself. This could be changed," Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, warned in his blog Tuesday. "This is a worrying new event for anyone running insecure databases. Take simple precautions, revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener and disable local authentication on the 10g listener and instead use a strong password."

The Bethesda, Md.-based SANS Internet Storm Center (ISC) issued a similar warning on its Web site, saying, "In its current state, the worm isn't a terribly significant threat. However, is can be treated as an early warning sign for future variants of the worm that include additional propagation methods."
Related Oracle news

The trouble with Oracle's password security

Admins grapple with Oracle's latest patch puzzle

Details of the worm first emerged Monday on the Full Disclosure list hosted and sponsored by Danish vulnerability watcher Secunia. It was posted anonymously and appeared under the heading "Trick or treat Larry."

According to the ISC, Voyager "uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, the SID is retrieved and the worm uses several default username and password combinations to attempt to login to the remote database." Currently, the ISC said, the default/username password list includes: system/manager, sys/change_on_install; dbsnmp/dbsnmp; outln/outln; scott/tiger; mdsys/mdsys; and ordcommon/ordcommon.

"When the worm discovers a default username and password, it creates a table 'X' in the current user's schema with a date column called 'Y,'" the ISC said. "This could easily be changed to a more dramatic payload."

The ISC said Oracle database administrators can take several steps to block the worm and possible future variants:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
  • Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
  • Revoke PUBLIC privileges to the UTL_TCP, UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.


Sound Off! -   Be the first to post a message to Sound Off!


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts