Slammer worm slithers back online to attack ancient SQL servers


If you get taken down by this 13-year-old malware, you probably deserve it.

One of the world’s most famous net menaces, SQL Slammer, has resumed attacking servers some 13 years after it set records by infecting 75,000 servers in 10 minutes, researchers say.

The in-memory worm exploits an ancient flaw in Microsoft SQL Server and Desktop Engine, triggering denial of service; at the time of its emergence it significantly choked internet traffic.

Researcher Michael Bacarella first raised the alarm about Slammer, which was created on the back of public proof-of-concept exploit code published during Black Hat by David Litchfield, now a Google security boffin.

Check Point researchers detected re-emergent attacks in early December, noting that most targeted machines in the US.

“More than a decade later, Slammer is hitting again,” researchers say.

“The attack attempts detected by Check Point were directed to a large variety of destination countries with 26 percent of the attacks being towards networks in the United States.

“This indicates a wide wave of attacks rather than a targeted one.”

The attacks peaked between 28 November, 2016, and 4 December, 2016, and were some of the biggest by volume over those days.

Slammer attack traffic came from IP addresses in China, Vietnam, and Mexico.

This new batch of Slammer-wielders must be optimists, given that the worm targeted a now-ancient SQL Server 2000 buffer overflow vulnerability that DBAs have had 13 years to fix.

Still, application of even important patches can be slow. Microsoft last year found that the vulnerability (CVE-2010-2568) exploited by the then six-year-old Stuxnet worm, arguably the most famous information security threat, was the most common means to compromise users.