The Slammer worm is back after 13 years to target ancient SQL servers

The SQL Slammer worm, one of the most long-lived malware, now seems to be back online to compromise ancient SQL servers worldwide.

SQL Slammer is probably one of the most long-lived threats, it first appeared 14 years ago and now it is back to compromise ancient SQL servers.

SQL Slammer exploits an ancient flaw in Microsoft SQL server and Desktop Engine causing a denial of service, it was 2003 when the security researcher Michael Bacarella raised the alarm to Slammer Slammer and the worm caused a denial of service condition on tens of thousands of systems around the world.

The researcher noticed a “massive packet loss to various points on the globe” caused by a worm affecting MS SQL Server which was pingflooding addresses at some random sequence.

The worm is able to exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a formatted request to UDP port 1434.

After the worm infects a server, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on the victim’s machine.

SQL Slammer was created starting from a proof-of-concept exploit code published during Black Hat by now the Google security researcher David Litchfield.

The Slammer Worm was using a SQL Server Resolution service buffer overflow flaw, discovered by NGSSoftware, and patched by MS in July 2013.

Now researchers at Check Point researchers confirmed that the threat has risen in early December (between 28 November, 2016, and 4 December, 2016), it mostly targeted machines in the US.

“During a routine analysis of global data collected by Check Point ThreatCloud, we detected a massive increase in the number of attack attempts between November 28 and December 4, 2016, making the SQL Slammer worm one of the top malware detected in this timeframe:” reads the analysis published by Check Point.

“The attack attempts detected by Check Point were directed to a large variety of destination countries (172 countries in total), with 26% of the attacks being towards networks in the United States. This indicates a wide wave of attacks rather than a targeted one.”

The researchers noticed that the largest volume of traffic associated with the Slammer Worm was originated from IP addresses in China, Vietnam, and Mexico.

This is absurd because it seems that the worm targeted a now-ancient SQL Server 2000 buffer overflow vulnerability that DB administrators still haven’t fixed after more than 13 years.

“To summarize, although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade, the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?” states the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SQL Slammer Worm, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.