More detailed analysis of the new Oracle worm
The worm was posted to the Full Disclosure list on 29th December by someone called "kwbbwi at findnot.com". Aaron Newman of Application Security Inc alerted myself and Alex to this. Alex has posted a note about it in my Oracle security forum in a post titled "New / Modified Oracle Worm", where he announces that he has done some initial analysis of the new worm. His page is titled "Oracle Worm Voyager - Analysis of the Proof of concept code". The worm does these basic steps:
It grants DBA to PUBLIC.
It creates a database logon trigger. In the trigger, if a random value equals 32, it sends a Google search request and then appears to request the worm source code from the first site returned by the search. If the HTTP request ran, it then appears to install a copy of itself and do it all again. As I said in my last post, and as Alex also found, this is blocked by Google as a virus. Google are taking this new worm seriously.
It then sends an email to Larry@oracle.com using UTL_SMTP containing all of the password hashes in the database.
It then abuses the listener log to add the command ALTER USER MDSYS IDENTIFIED BY MDSYS to the glogin.sql file, which is run on the server whenever SQL*Plus is started there.
It creates database links to all the databases it can find on the same network and then guesses passwords.
Finally it stops the listener using UTL_TCP, with techniques originally learned from tnscmd.
This is a much more dangerous version of the Oracle worm, but it still does not seem to have a replication mechanism that copies the code from the database it is installed in to another database. What it does that is worse is potentially email hashes, grant DBA to PUBLIC, create a backdoor with MDSYS, and potentially spam Google, download the source and then do it all again and again. The probability of this is extremely low though.
This worm has shown how it is possible to download dynamic PL/SQL and load it into the database, which is a bad sign. It also shows more malicious tendencies such as backdoors, privilege escalation, finding more databases, and denial of service by stopping the listener.
Still a proof of concept in my opinion, but more dangerous. I wonder how many people will download, install and try it, either as a learning exercise or maliciously on their employers' databases! Now is the time to audit your databases for security issues and harden them.
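As an added example (not code from the original post or from the worm), the following audit script checks an Oracle database for the traces the steps above would leave behind: a DBA grant to PUBLIC, an unexpected logon trigger, an open MDSYS account, new database links, and PUBLIC execute on the network packages the worm relies on. It assumes a DBA-privileged SQL*Plus session and the standard data-dictionary views; the glogin.sql check has to be done on the server filesystem and is only noted in a comment.

```sql
-- Constructed audit queries (not from the original post). Run from a
-- DBA-privileged SQL*Plus session. Each query should return no rows
-- on a clean database; anything returned needs a closer look.

-- 1. DBA (or any other role) granted to PUBLIC
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'PUBLIC';

-- 2. Database-wide logon triggers. The worm installs one to run its
--    payload on every login, so every LOGON trigger must be known and
--    intended (check owner, name and whether it is enabled).
SELECT owner, trigger_name, status, base_object_type
  FROM dba_triggers
 WHERE triggering_event LIKE '%LOGON%';

-- 3. MDSYS is normally expired and locked. An unlocked MDSYS suggests
--    the ALTER USER line planted in glogin.sql has been executed.
--    Also inspect $ORACLE_HOME/sqlplus/admin/glogin.sql on the server
--    for any ALTER USER or other unexpected commands.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'MDSYS'
   AND account_status NOT LIKE '%LOCKED%';

-- 4. Database links, newest first: the worm creates links to every
--    database it can find on the network before guessing passwords.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY created DESC;

-- 5. Execute on the network packages the worm uses (UTL_SMTP to mail
--    the hashes, UTL_TCP to talk to the listener, UTL_HTTP for the
--    Google fetch) should not be held by PUBLIC.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name IN ('UTL_SMTP', 'UTL_TCP', 'UTL_HTTP')
   AND grantee = 'PUBLIC';
```

Run the queries again after hardening; query 2 in particular is worth keeping as a scheduled check, since a logon trigger is how the worm persists.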