Proof of concept worm targets Oracle databases

Powered by SC Magazine
 

An anonymous developer has published details of a proof-of-concept worm engineered to compromise Oracle databases which have been left with default user accounts and passwords.

According to a warning on the Full-Disclosure mailing list, the worm uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, the SID is retrieved and the worm uses several default username and password combinations to attempt to login to the remote database.

Currently, the worm's recorded default/username password list includes the following combinations: system/manager; sys/change_on_install; dbsnmp/dbsnmp; outln/outln; scott/tiger; mdsys/mdsys and ordcommon/ordcommon.

"When the worm discovers a default username and password, it creates a table "X" in the current user's schema with a date column called "Y". This could easily be changed to a more dramatic payload," warned the SANS Internet Storm Center.

In its current state, the worm is not deemed a "terribly significant" threat. However, security experts at SANs warned that data base administrators should treat the malware as "an early warning sign for future variants of the worm that include additional propagation methods".

Database security watcher Red Database Security agreed with this assessment: "The initial version of the worm must be started in the database manually but it is possible to use the glogin.sql feature of sqlplus to do this without the knowledge of the (database) user if it is possible to modify the file glogin.sql."

According to SANS, Oracle DBA's can take actions to mitigate the effect of this worm including changing the Oracle listener from the default port of TCP/1521 and setting a listener password.

Protection can also be enhanced by dropping or locking default user accounts where possible and ensuring that all default accounts do not use default passwords. Other precaution include revoking PUBLIC privileges to the UTL_TCP, UTL_INADDR packages and ensuring that CREATE DATABASE LINK privileges are not granted to users who do not need to link to remote databases.

www.red-database-security.com/advisory/oracle_worm_voyager.html
www.sans.org

Copyright © SC Magazine, US edition


 
 
 
Top Stories
ATO investigates 25 tech giants in tax hunt
Prepared to take tax evaders to court.
 
Immigration, Customs restructure IT leadership
Customs CIO promoted into transformation role.
 
NBN Co begins FTTB rollout
Will bring service to 6000 apartments.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  36%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  14%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 2931

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 911

Vote