Thanks to Aaron Newman of Application Security Inc for emailing myself and Alex to let us know about the new variant of the Oracle voyager worm that has been released to the wild. An anonymous poster has posted a new version of the original code to the Full Disclosure list in a post titled "Oracle - by kwbbwi - Utility to backup you Oracle Password Hashes". I have not looked in detail yet at what it does as I have just seen Aarons email. I have skimmed through and it starts by using the CTXSYS.DRILOAD bug to grant DBA to public!, not good. It has a google search string at the top that looks like it is installing a logon trigger that executes a google query that redirects to a “feeling lucky” site. I just tried the URL and search using IE and it gave me a google error that says (Probably not bright to try it manually but it looks like it should not cause any damage as a search string on its own):
"We're sorry...
... but we can't process your request right now. A computer virus or spyware application is sending us automated requests, and it appears that your computer or network has been infected."
It goes on to suggest that my connection will be restored and to use a spyware and virus checker. The PL/SQL virus at first sight looks like it has had an effect on the web already and that Google is recognising the HTTP request as a virus. There is no indication if this thing is in the wild or if Google have just been prudent.
I will have a better look through the code in a minute.
Blog
Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
[Previous entry: "Metacoretex has been hacked"] [Next entry: "More detailed analysis of the new Oracle worm"]
December 2005
- Pete Finnigan is back after a week away from blogging! - 12/03/2005 by 12/03/2005
- A sample package to manipulate LDAP - 12/04/2005 by 12/04/2005
- Oracle security checklist - 12/05/2005 by 12/05/2005
- Bugs - 12/06/2005 by 12/06/2005
- I am presenting at the DBMS SIG in Melton Mowbray about Oracle security - 12/07/2005 by 12/07/2005
- DBMS SIG conference today - A security focus - 12/08/2005 by 12/08/2005
- Good overview of SOA security - 12/09/2005 by 12/09/2005
- Arup's new book and some networking - 12/10/2005 by 12/10/2005
- A useful perl script to check for listener password brute force attempts - 12/11/2005 by 12/11/2005
- Integration Promises Still Haunting Oracle - 12/14/2005 by 12/14/2005
- The possible complexity level of Oracle database passwords is in question - 12/15/2005 by 12/15/2005
- Another way to monitor the listener log for brute force attacks - 12/16/2005 by 12/16/2005
- A new book "Cryptography in the Database: The Last Line of Defense" - 12/17/2005 by 12/17/2005
- Some more thoughts on the weakness of Oracle database passwords - 12/20/2005 by 12/20/2005
- Mary Ann Davidson announces that Fortify software will be used to find security holes in Oracle software - 12/21/2005 by 12/21/2005
- standalone discoverer clients now sso compliant for E-Business Suite users - 12/22/2005 by 12/22/2005
- A very happy christmas to everyone - 12/24/2005 by 12/24/2005
- State of the nation: referral spam, comments, content management, dedicated hosting and more - 12/29/2005 by 12/29/2005
- Spammers again... - 12/30/2005 by 12/30/2005
- More detailed analysis of the new Oracle worm - 12/31/2005 by 12/31/2005
Archives
Syndication
Powered by gm-rss 2.0.0
