As the worm squirms: Slammer still runs amok

Over the past two days, SQL Slammer was listed as the number one threat on Arbor Network's new ATLAS (Active Threat Level Analysis System), accounting for a whopping 25 percent of all malicious Internet activity detected by Arbor's censors. The bulk of the Slammer attacks are coming from infected hosts in China.

Although the worm isn't dramatically impacting network availability like that January morning in 2003 when it spread like wildfire around the world, the fact that Slammer is still slithering confirms that there some boxes that will never be dewormed.

Microsoft released a patch for the flaw in July 2002 and provided disinfection tools immediately after the attack but, for a myriad of reasons, there are infected boxes out there scanning violently for vulnerable hosts.

In fact, according to sources in the anti-malware community, a high-profile Web company brought up a SQL Slammer host by accident a few weeks ago, setting off all kinds of alarm bells. "They took it down pretty quickly, but you get the idea: everyone is vulnerable," said a source.

According to statistics from Arbor Networks, there are more than 1300 unique SQL Slammer hosts contacting its sensors. This is just a small fraction of infected hosts and signals just how impossible it is to completely kill a virulent network worm.

It's much of the same with the Blaster worm of the summer of 2003. According to statistics culled from Microsoft's monthly updated MSRT (malicious software removal tool), between 500 and 800 copies of Blaster are removed from Windows machines every day. (Most of the Blaster removals came from pre-SP2 Windows machines).

Arbor's ATLAS also shows a high rate of attacks against the ASN.1 vulnerability fixed by Microsoft since February 2004.