bluebay2014 - Fotolia

SQL Slammer worm makes a comeback 14 years later

The SQL Slammer worm returned to take down systems that have been left unpatched for the past 14 years, but experts are unsure if the attacks will continue.

Researchers spotted the infamous SQL Slammer worm used recently to attack servers that have not been patched for the past 14 years.

The SQL Slammer worm, first seen in the wild in January 2003, exploits a buffer-overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000. The worm infects the server via User Datagram Protocol port 1434 and carries out distributed denial-of-service attacks on target IP addresses.

Researchers from the Check Point threat intelligence team said they saw a spike in SQL Slammer worm activity late last year.

"During a routine analysis of global data collected by Check Point ThreatCloud, we detected a massive increase in the number of attack attempts between Nov. 28, and Dec. 4, 2016, making the SQL Slammer worm one of the top malware detected in this time frame," Check Point wrote in a blog post. "The attack attempts detected by Check Point were directed to a large variety of destination countries (172 countries in total), with 26% of the attacks being toward networks in the United States."

Check Point said the attacks originated mainly from IP addresses located in China, Vietnam, Mexico and Ukraine.

Lamar Bailey, senior director of security research and development at Tripwire Inc., based in Portland, Ore., said there is no hope for unpatched systems to be patched, given that Microsoft released a patch to protect against the SQL Slammer worm in July 2002 and Microsoft SQL Server 2000 hit its end of life in 2013.

"There are still unpatched SQL Server systems in the wild. So, as long as they are running, there will be more targets for this worm. It can propagate and scan subnets quite fast, so it does not take long to [infect] new targets," Bailey told SearchSecurity. "These targets may not be traditional servers, either, because SQL Server is embedded in various other devices. When the worm first came out, we saw it launching from vending machines that had SQL Server embedded to track inventory."

In its first run in 2003, the SQL Slammer worm was a major threat and set a record by infecting 10,000 servers and overloading 75,000 networks in just 10 minutes. So far, Check Point has only seen the one surge in usage, so the company cannot say whether the attacks will continue.

There are still unpatched SQL Server systems in the wild. So, as long as they are running, there will be more targets for this worm. It can propagate and scan subnets quite fast, so it does not take long to [infect] new targets.
Lamar Baileyenior director of security research and development at Tripwire

Bailey said this should be "a learning moment for vulnerability management."

"Organizations cannot expect to run out-of-date systems with known vulnerabilities without accepting a huge risk. We also find that many organizations do not know what is on their own network, so it is possible that this is a surprise for them," Bailey said.

"Vulnerability management, change control, configuration management, asset management and patch management are all foundational controls; invest in them and get good at them, or pay the price later," he continued. "It's cheaper to fix it before it becomes a security incident affecting your business, data and reputation."

Next Steps

Learn more about vulnerability management tools.

Find out more on how to manage server patches in a multi-OS data center.

Read more about best practices for upgrading to Microsoft SQL Server 2016

Dig Deeper on Application and platform security