Voyager is a proof-of-concept worm that doesn't seem capable of spreading in its current form. But security experts worry it's a sign that the digital underground is salivating over Oracle's growing list of flaws and is getting ready to pounce.
"The code looks incomplete as the worm does not replicate itself. This could be changed," Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, warned in his blog Tuesday. "This is a worrying new event for anyone running insecure databases. Take simple precautions, revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener and disable local authentication on the 10g listener and instead use a strong password."
The Bethesda, Md.-based SANS Internet Storm Center (ISC) issued a similar warning on its Web site, saying, "In its current state, the worm isn't a terribly significant threat. However, it can be treated as an early warning sign for future variants of the worm that include additional propagation methods."
Details of the worm first emerged Monday on the Full Disclosure list hosted and sponsored by Danish vulnerability watcher Secunia. It was posted anonymously and appeared under the heading "Trick or treat Larry."
According to the ISC, Voyager "uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, the SID is retrieved and the worm uses several default username and password combinations to attempt to log in to the remote database." Currently, the ISC said, the default username/password list includes system/manager, sys/change_on_install, dbsnmp/dbsnmp, outln/outln, scott/tiger, mdsys/mdsys and ordcommon/ordcommon.
"When the worm discovers a default username and password, it creates a table 'X' in the current user's schema with a date column called 'Y,'" the ISC said. "This could easily be changed to a more dramatic payload."
The ISC said Oracle database administrators can take several steps to block the worm and possible future variants:
- Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
- Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords.
- Revoke PUBLIC privileges to the UTL_TCP, UTL_INADDR packages.
- Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
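As an added example (not code from the article, the ISC or Finnigan), the following Oracle SQL, run by a DBA, checks for the conditions Voyager depends on and applies the database-side steps above; the listener port and password are configured in listener.ora and through lsnrctl rather than in SQL, so they are not shown. The account names are the defaults the article quotes, and the password values are placeholders.

```sql
-- Added example, not from the article: audit and harden an Oracle database
-- against the conditions the Voyager proof-of-concept relies on.
-- Run as a DBA (e.g. SYSDBA). Password values are placeholders.

-- 1. Detection: the worm's current payload is a table X with a DATE column Y
--    created in the schema of whichever default account it logged in with.
SELECT owner, table_name
  FROM dba_tab_columns
 WHERE table_name = 'X' AND column_name = 'Y' AND data_type = 'DATE';

-- 2. Audit: which accounts from the worm's default-credential list are still open?
SELECT username, account_status
  FROM dba_users
 WHERE username IN ('SYSTEM', 'SYS', 'DBSNMP', 'OUTLN', 'SCOTT', 'MDSYS', 'ORDCOMMON');

-- 3. Lock the sample/optional accounts (DBSNMP only if no Enterprise Manager
--    agent depends on it) and move the administrative ones off default passwords.
ALTER USER scott     ACCOUNT LOCK;
ALTER USER outln     ACCOUNT LOCK;
ALTER USER mdsys     ACCOUNT LOCK;
ALTER USER ordcommon ACCOUNT LOCK;
ALTER USER dbsnmp    ACCOUNT LOCK;
ALTER USER system IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";
ALTER USER sys    IDENTIFIED BY "REPLACE_WITH_STRONG_PASSWORD";

-- 4. Audit and revoke PUBLIC execute on the network packages the worm scans with.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND table_name IN ('UTL_TCP', 'UTL_INADDR');
REVOKE EXECUTE ON utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON utl_inaddr FROM PUBLIC;

-- 5. Find every grantee holding CREATE DATABASE LINK and take it away from the
--    CONNECT role, which carried it on older releases; repeat the REVOKE for any
--    other user or role in the result that does not need remote links.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'CREATE DATABASE LINK';
REVOKE CREATE DATABASE LINK FROM connect;
```

Re-run the audit queries in steps 1, 2, 4 and 5 after the changes; each should return no rows for the hardened state, except step 2, which should show the listed accounts as LOCKED or reset.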