SQL Slammer is the undisputed speed champion for vulnerabilities. With a tiny payload and through the magic of UDP, it spread across the world in a matter of minutes on January 25, 2003. (How tiny? The picture above is a complete disassembly of the worm, with comments added!)
The actual vulnerabilities exploited, multiple buffer overflows in the Resolution Service for Microsoft SQL Server 2000 and Microsoft Desktop Engine 2000 (MSDE), had been patched months before by Microsoft, but there wasn't quite the sense of urgency back then that there is now about applying updates.
The breathtaking speed with which Slammer hit created fear of similar future attacks, but fortunately it was not to be. Slammer isn't the only worm we've had, but it's the only one that crossed the globe before anyone knew what was going on.
Image: Disassembly of Slammer worm, courtesy Immunity, Inc.
The Morris Worm
Just six months ago we celebrated the 25th anniversary of the Morris Worm. By today's standards the raw number of systems affected — 6,000 — is not impressive. It looks different when you see that there were only 60,000 systems on the entire Internet on November 2, 1988.
Yes, Robert Morris, then a student at Cornell, brought down 10 percent of the entire Internet, and he did it by accident. Morris wrote a worm program as a selfish intellectual experiment. Exploiting known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as using a list of weak passwords with which to access accounts, it attempted to span the entire Internet. But a bug in the worm turned it instead into a massive distributed denial of service attack against the entire Internet.
Computer security was an academic issue before the Morris worm. After November 2, 1988 it became very real.
Conficker: Still botting after all these years
On Thursday, October 23, 2008 (yes, it was "out of band"), Microsoft published MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution. This was one of the really bad ones in that a remote user could gain administrator control of a PC and turn it into a bot. The word went out that it was important to apply the update, but you know how people are; security firm Qualys estimated that in January 30% of vulnerable PCs were still unpatched.
It was almost a month later that the first variant of Conficker, also known as Downadup, which went on to spawn the great Waledac spam botnet, was detected. Conficker was — make that "is" because it's still alive — pretty sophisticated malware. It was capable of updating itself and was one of the principal bots to spread via file shares and USB drives.
In Europe the spread was particularly severe, affecting the military networks in France, the UK and Germany. It spread to over 200 countries and became one of the largest botnets ever.
In fact, Conficker would be blocked by decent firewall rules as well as the update. The fact that it spread so far and still lives shows just how widespread bad configurations are.
Image: The Conficker Working Group