Connect with us

Hi, what are you looking for?


Malware & Threats

SQL Slammer Worm Crawls Back

SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

SQL Slammer, a tiny worm that managed to wreak havoc across the Internet on January 25, 2003, appears to have recommenced activity, Check Point security researchers warn.

The computer worm was first spotted on the day it caused a denial of service condition on tens of thousands of servers worldwide by overloading Internet objects such as servers and routers with a massive number of network packets. Within 10 minutes of its first emergence, SQL Slammer had managed to infect most of its roughly 75,000 victims.

SQL Slammer was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who discovered a buffer overflow bug in Microsoft’s flagship SQL Server and Desktop Engine database products. Although the vulnerability had been patched by Microsoft six months before the worm hit, many installations weren’t patched, and the malicious code could easily propagate.

Also referred to as the Sapphire Worm and Helkern, SQL Slammer is only 376 bytes in size, thus fitting inside a single packet, a feature that allowed it enjoy rapid propagation when it hit. The worm was sending a formatted request to UDP port 1434 and was causing infected routers to start sending the malicious code to random IP addresses, which resulted in a denial of service condition on targets.

Although it remained dormant for over a decade, SQL Slammer appears to have restarted activity, Check Point security researchers warn. According to data collected by Check Point, there was a massive increase in the number of attack attempts between November 28 and December 4, 2016. SQL Slammer was one of the top malware detected in the timeframe.

Chart of SQL Slammer Infections

(Image Credit: Check Point)

The number of destination countries of the observed attack attempts was of 172 countries, with 26% of the attacks targeting networks in the United States. According to Check Point, this data shows that the newly recorded SQL Slammer activity wasn’t a targeted attack, but rather a larger wave of attacks.

Advertisement. Scroll to continue reading.

The security firm also notes that the largest number of attack attempts came from IP addresses located in China, Vietnam, Mexico, and Ukraine.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” Check Point concludes.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...