As the worm squirms: Slammer still runs amok

Summary: More than four years after Slammer started exploiting holes in Microsoft's SQL Server and Desktop Engine database products, the worm continues to squirm in machines that serve as eternal carriers for the worm.

More than four years after Slammer started exploiting holes in Microsoft's SQL Server and Desktop Engine database products, the worm continues to squirm in machines that some believe will never be disinfected.

Over the past two days, SQL Slammer was listed as the number one threat on Arbor Networks' new ATLAS (Active Threat Level Analysis System), accounting for a whopping 25 percent of all malicious Internet activity detected by Arbor's sensors. The bulk of the Slammer attacks are coming from infected hosts in China.

Although the worm isn't dramatically impacting network availability as it did that January morning in 2003, when it spread like wildfire around the world, the fact that Slammer is still slithering confirms that there are some boxes that will never be dewormed.

Microsoft released a patch for the flaw in July 2002 and provided disinfection tools immediately after the attack but, for a myriad of reasons, there are infected boxes out there scanning violently for vulnerable hosts.

In fact, according to sources in the anti-malware community, a high-profile Web company brought up a SQL Slammer host by accident a few weeks ago, setting off all kinds of alarm bells. "They took it down pretty quickly, but you get the idea: everyone is vulnerable," said a source.

According to statistics from Arbor Networks, there are more than 1300 unique SQL Slammer hosts contacting its sensors. This is just a small fraction of infected hosts and signals just how impossible it is to completely kill a virulent network worm.

It's much the same with the Blaster worm of the summer of 2003. According to statistics culled from Microsoft's monthly updated MSRT (malicious software removal tool), between 500 and 800 copies of Blaster are removed from Windows machines every day. (Most of the Blaster removals came from pre-SP2 Windows machines.)

Arbor's ATLAS also shows a high rate of attacks against the ASN.1 vulnerability, for which a Microsoft fix has been available since February 2004.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...