Internet Security Systems - AlertCon(TM)

SQL Slammer Gradually Returns...

Posted by Tom Cross on May 02, 2011 at 2:54 PM EDT.

In March, X-Force, along with a number of other security research organizations, noticed a dramatic event - the SQL Slammer worm all but disappeared from the Internet. This worm had been a relatively consistent source of traffic on the net since it first started propagating back in 2003. Then suddenly, the traffic all but stopped.

For the past few weeks we've seen a slow return in traffic volumes. They are not yet back to the level they were at before, but the worm seems to be making a gradual comeback. See the chart below showing event volumes:

We still do not know what caused SQL Slammer's disappearance, but one hypothesis is that infected hosts may have been taken over and shut down. Eradication seems to have been incomplete, with a few infected hosts still generating traffic. If computers running the vulnerable software are still being introduced to the Internet, one might expect that those computers would become infected by the hosts that survived the eradication. Our data seems to be consistent with this hypothesis, but there are many other plausible explanations for these events. 
