The Slammer worm is back after 13 years to target ancient SQL servers

on February 8, 2017 |

The SQL Slammer worm, one of the most long-lived malware, now seems to be back online to compromise ancient SQL servers worldwide.

SQL Slammer is probably one of the most long-lived threats, it first appeared  14 years ago and now it is back to compromise ancient SQL servers.

SQL Slammer exploits an ancient flaw in Microsoft SQL server and Desktop Engine causing a denial of service, it was 2003 when the security researcher Michael Bacarella raised the alarm to SlammerSlammer and the worm caused a denial of service condition on tens of thousands of systems around the world.

The researcher noticed a “massive packet loss to various points on the globe” caused by a worm affecting MS SQL Server which was pingflooding addresses at some random sequence.

The worm is able to exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a formatted request to UDP port 1434.

After the worm infects a server, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on the victim’s machine.

SQL Slammer was created starting from a proof-of-concept exploit code published during Black Hat by now the Google security researcher David Litchfield.

The Slammer Worm was using a SQL Server Resolution service buffer overflow flaw, discovered by NGSSoftware, and patched by MS in July 2013.

Now researchers at Check Point researchers confirmed that the threat has risen in early December (between 28 November, 2016, and 4 December, 2016), it mostly targeted machines in the US.

“During a routine analysis of global data collected by Check Point ThreatCloud, we detected a massive increase in the number of attack attempts between November 28 and December 4, 2016, making the SQL Slammer worm one of the top malware detected in this timeframe:” reads the analysis published by Check Point.

“The attack attempts detected by Check Point were directed to a large variety of destination countries (172 countries in total), with 26% of the attacks being towards networks in the United States. This indicates a wide wave of attacks rather than a targeted one.”

The researchers noticed that the largest volume of traffic associated with the Slammer Worm was originated from IP addresses in China, Vietnam, and Mexico.

This is absurd because it seems that the worm targeted a now-ancient SQL Server 2000 buffer overflow vulnerability that DB administrators still haven’t fixed after more than 13 years.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” states the report.

Pierluigi Paganini

Show Buttons
Hide Buttons