News Stay informed about the latest enterprise technology news and product updates.

Worm targets Oracle databases

Experts worry the worm is a sign that the bad guys see Oracle as a juicier target.

SAP via RSS - Subscribe to's RSS Feed for news and tips on SAP.
Voyager is a proof-of-concept worm that doesn't seem capable of spreading in its current form. But security experts worry it's a sign that the digital underground is salivating over Oracle's growing list of flaws and is getting ready to pounce.

This is a worrying new event for anyone running insecure databases.
Pete Finnigan,
Oracle expert

"The code looks incomplete as the worm does not replicate itself. This could be changed," Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, warned in his blog Tuesday. "This is a worrying new event for anyone running insecure databases. Take simple precautions, revoke the execute privileges on UTL_TCP, change all default passwords, do not use 1521 for the listener and disable local authentication on the 10g listener and instead use a strong password."

About system security:

Topic center: SAP security

Customers warned of critical SAP flaw

SAP Security Learning Guide

The Bethesda, Md.-based SANS Internet Storm Center (ISC) issued a similar warning on its Web site, saying, "In its current state, the worm isn't a terribly significant threat. However, is can be treated as an early warning sign for future variants of the worm that include additional propagation methods."

Details of the worm first emerged Monday on the Full Disclosure list hosted and sponsored by Danish vulnerability watcher Secunia. It was posted anonymously and appeared under the heading "Trick or treat Larry."

According to the ISC, Voyager "uses the UTL_TCP package to scan for remote Oracle databases on the same local network. Upon finding another database, the SID is retrieved and the worm uses several default username and password combinations to attempt to login to the remote database." Currently, the ISC said, the default/username password list includes: system/manager, sys/change_on_install; dbsnmp/dbsnmp; outln/outln; scott/tiger; mdsys/mdsys; and ordcommon/ordcommon.

"When the worm discovers a default username and password, it creates a table 'X' in the current user's schema with a date column called 'Y,'" the ISC said. "This could easily be changed to a more dramatic payload."

The ISC said Oracle database administrators can take several steps to block the worm and possible future variants:

  • Change the Oracle listener from the default port of TCP/1521 (and set a listener password while you are at it).
  • Drop or lock default user accounts if possible. Ensure all default accounts do not use default passwords. Revoke PUBLIC privileges to the UTL_TCP, UTL_INADDR packages.
  • Revoke CREATE DATABASE LINK privileges granted to users who do not need to link to remote databases, including the CONNECT role.
    This story also appears at, part of the TechTarget network.
  • Dig Deeper on SAP security

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.