Oracle "voyager" worm discovered

The "Voyager" worn is a primitive "proof of concept" worm that was delivered from a British e-mail list titled with the message Trick or Treat Larry". Click here to see the original publication and the PL/SQL source code.

http://lists.grok.org.uk/pipermail/full-disclosure/2005-October/038290.html

The Voyager worm exploits human errors (i.e. an under-trained Oracle DBA) who has the "USER" parameter in their xxx.ora file and who has not changed the Oracle user accounts from their default passwords. Here are the passwords, from the Voyager worm source code:

if iLoop = 1 then
             username1 := 'system';
             password1 := 'manager';

           else if iLoop = 2 then
             username1 := 'sys';
             password1 := 'change_on_install';

           else if iLoop = 3 then
             username1 := 'dbsnmp';
             password1 := 'dbsnmp';

           else if iLoop = 4 then
             username1 := 'outln';
             password1 := 'outln';

           else if iLoop = 5 then
             username1 := 'scott';
             password1 := 'tiger';

           else if iLoop = 6 then
             username1 := 'mdsys';
             password1 := 'mdsys';

           else if iLoop = 7 then
             username1 := 'ordcommon';
             password1 := 'ordcommon';

Metalink has issued this warning about the Voyage worm, recommending immediate checks for all databases.

http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=340009.1

According to DBA Village, the new worm is written in PL/SQL and these are the Oracle worm access details. It appears that the most vulnerable database are those prior to Oracle 10g (where default passwords were used), and where the DBA forgot to lock-down with new passwords:

Obtains the IP address of the server (using the utl_inaddr procedure or "SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS', 15) from dual;")
Scans all IP addresses in the same network range, Voyager checks for active listeners on other servers (using the utl_tcp procedure to issue "lsnrctl stat" commands)
Each active listener responds with the $ORACLE_SID, and Voyager now has the three things needed to access a database via TNS (protocol, IP Address, ORACLE_SID).
Voyager then issues a series of logon attempts using the Oracle installers default user/ID combinations (prior to 10g). These would include "system/manager" and sys/change_on_install".

This article discuss the first-even Oracle worm, designed specifically to target Oracle databases. Named "Trick ort Treat Larry", the worm seeks-out Oracle database and tries to penetrate their security:

http://news.com.com/Halloween+treat+for+Oracle+A+database+worm/2100-7349_3-5926641.html?tag=html.alert

"Especially worrying about this Oracle concept worm, compared with the SQL Slammer pest, is that it actually enters the database and can meddle with the data stored in it, said Shlomo Kramer, CEO of security vendor Imperva. "Today, the payload is not malicious. But adding a malicious payload to it can do enormous damage," he said.

A variant of the worm could erase information or send it somewhere else, Kramer noted. "The potential impact of this type of database worm can be very serious," he said.

A hardened database would be protected against database worm attacks, according to Kornbrust. "A real malicious Oracle worm could destroy thousands of Oracle databases within hours and cause a damage of several billion dollars," he said.

Oracle performance Tuning 10g reference poster

Oracle training & performance tuning books