CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

SQL Slammer Worm Crawls Back

SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

The computer worm was first spotted on the day it caused a denial of service condition on tens of thousands of servers worldwide by overloading Internet objects such as servers and routers with a massive number of network packets. Within 10 minutes of its first emergence, SQL Slammer had managed to infect most of its roughly 75,000 victims.

SQL Slammer was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who discovered a buffer overflow bug in Microsoft’s flagship SQL Server and Desktop Engine database products. Although the vulnerability had been patched by Microsoft six months before the worm hit, many installations weren’t patched, and the malicious code could easily propagate.

Also referred to as the Sapphire Worm and Helkern, SQL Slammer is only 376 bytes in size, thus fitting inside a single packet, a feature that allowed it enjoy rapid propagation when it hit. The worm was sending a formatted request to UDP port 1434 and was causing infected routers to start sending the malicious code to random IP addresses, which resulted in a denial of service condition on targets.

Although it remained dormant for over a decade, SQL Slammer appears to have restarted activity, Check Point security researchers warn. According to data collected by Check Point, there was a massive increase in the number of attack attempts between November 28 and December 4, 2016. SQL Slammer was one of the top malware detected in the timeframe.

Chart of SQL Slammer Infections

(Image Credit: Check Point)

The number of destination countries of the observed attack attempts was of 172 countries, with 26% of the attacks targeting networks in the United States. According to Check Point, this data shows that the newly recorded SQL Slammer activity wasn’t a targeted attack, but rather a larger wave of attacks.

The security firm also notes that the largest number of attack attempts came from IP addresses located in China, Vietnam, Mexico, and Ukraine.

Advertisement. Scroll to continue reading.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” Check Point concludes.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.