
February 21st, 2007

As the worm squirms: Slammer still runs amok

Posted by Ryan Naraine @ 11:00 am

Categories: Botnets, Exploit code, Hackers, Microsoft, Patch Watch, Viruses and Worms, Vulnerability research

Tags: Blaster Worm, Worm, SQL Slammer, Ryan Naraine

More than four years after Slammer started exploiting holes in Microsoft’s SQL Server and Desktop Engine database products, the worm continues to squirm in machines that some believe will never be disinfected.

Over the past two days, SQL Slammer was listed as the number one threat on Arbor Networks’ new ATLAS (Active Threat Level Analysis System), accounting for a whopping 25 percent of all malicious Internet activity detected by Arbor’s sensors. The bulk of the Slammer attacks are coming from infected hosts in China.

Although the worm isn’t dramatically impacting network availability like that January morning in 2003 when it spread like wildfire around the world, the fact that Slammer is still slithering confirms that there are some boxes that will never be dewormed.

Microsoft released a patch for the flaw in July 2002 and provided disinfection tools immediately after the attack but, for a myriad of reasons, there are infected boxes out there scanning violently for vulnerable hosts.

In fact, according to sources in the anti-malware community, a high-profile Web company brought up a SQL Slammer host by accident a few weeks ago, setting off all kinds of alarm bells. “They took it down pretty quickly, but you get the idea: everyone is vulnerable,” said a source.

According to statistics from Arbor Networks, there are more than 1300 unique SQL Slammer hosts contacting its sensors. This is just a small fraction of infected hosts and signals just how impossible it is to completely kill a virulent network worm.

It’s much of the same with the Blaster worm of the summer of 2003. According to statistics culled from Microsoft’s monthly updated MSRT (malicious software removal tool), between 500 and 800 copies of Blaster are removed from Windows machines every day. (Most of the Blaster removals came from pre-SP2 Windows machines).

Arbor’s ATLAS also shows a high rate of attacks against the ASN.1 vulnerability that Microsoft fixed in February 2004.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

