After a decade of silence, this computer worm is back and researchers don't know why

SQL Slammer worm returns after a decade, but why?
Written by Danny Palmer, Senior Writer

SQL Slammer first appeared in 2003

Image: iStock

A 14-year-old computer worm has suddenly made a surprise comeback following a decade of almost no activity - and nobody knows why.

After it first appeared in January 2003, SQL Slammer carried out distributed denial of service (DDoS) attacks against tens of thousands of servers across the globe, using servers and routers to overload over 75,000 networks within 10 minutes of its emergence.

Exploiting a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000, the memory-resident worm sends a formatted request to UDP port 1434 to infect the server. Once this occurs, it rapidly spreads itself by sending its payload to random IP addresses and causing further DDoS attacks.

Microsoft released a patch to prevent SQL Slammer attacks, but now, almost a decade and a half after it first appeared in the wild, cybersecurity researchers at Check Point have noticed a sudden upsurge in this form of cyberattack. The spike was large enough that SQL Slammer became one of the most common malware attacks during December.

SQL Slammer surged between November 28 and December 4, 2016 and attacked targets in 172 countries across the globe. The US was by far the most common target of the worm, accounting for 26 percent of SQL Slammer attacks, followed by the UK and Israel on seven percent each.

The IP addresses responsible for initiating the largest number of attempted attacks were registered in China, Vietnam, Mexico, and Ukraine, although outside of that there's no indication of who revived the SQL Slammer attacks or why.

'Could be an aberration, could be the start of something - it's hard to speculate!' said a Check Point spokesperson.


Where the most Slammer attacks were launched from

Image: Check Point

SQL Slammer isn't the only old computer virus which has given organisations issues years after it first appeared; the eight-year-old Conficker virus is still responsible for a large number of attacks, accounting for over 500,000 incidents in a year.

