Internet Security Systems - AlertCon(TM)

SQL Slammer’s mysterious disappearance

Posted by Tom Cross on April 01, 2011 at 7:11 PM EDT.

This week we launched the X-Force 2010 Trend and Risk report – the latest installment of our biannual collection of statistics and observations about computer security. One of the stories that we put together this year involved taking a look at the most commonplace IPS signatures that fire on the thousands of customer networks we monitor. This data is a window into the kinds of pervasive attack activity that you can expect to be hit with any time you plug a computer into the Internet.

The most common malicious network event we saw in 2010 was SQL Slammer. The SQL Slammer worm has blanketed the Internet with packets ever since it was released back in January of 2003. The traffic generated by the worm is so pervasive that our engineers have gotten into the habit of using it as a way to determine whether or not sensors are functioning properly – if you’re getting SQL Slammer hits, you know you’ve got Internet connectivity to your IPS.

A few weeks ago, this traffic all but disappeared. The chart below shows the traffic levels we’ve seen – note the drop-off on March 11th. This drop was also reported by a number of other groups who monitor malicious activity on the Internet. What happened? No one seems to know.
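The two observations above (Slammer as a sensor-connectivity canary, and the March 11 drop that this canary cannot by itself distinguish from a dead sensor) can be turned into a small check. The following is an added example, not ISS or X-Force code: it matches UDP/1434 datagrams against the publicly documented Slammer characteristics (376-byte payload, leading 0x04 SSRS request byte, the worm's DLL-name string fragment), counts hits per sensor per day, and flags a sensor whose hit rate collapses relative to its own trailing baseline. The sensor names, the event tuple layout, the thresholds, and the stand-in payload are assumptions; the payload carries the marker string and filler bytes but no worm code.

```python
"""Added example (not ISS/X-Force code): match SQL Slammer propagation packets
and use their steady background rate as an IPS sensor health check."""
from collections import defaultdict
from datetime import date, timedelta

SLAMMER_DST_PORT = 1434            # SQL Server Resolution Service, UDP
SLAMMER_PAYLOAD_LEN = 376          # UDP payload length of the single worm packet
SLAMMER_MARKER = b"dllhel32hkern"  # fragment of the worm's DLL-name stack strings


def is_slammer(proto, dst_port, payload):
    """True if a datagram looks like the Slammer propagation packet: UDP/1434,
    376-byte payload, leading 0x04 (SSRS 'open' request) and the DLL-name
    fragment from the shellcode. Mirrors the public signatures for the worm."""
    return (proto == "udp" and dst_port == SLAMMER_DST_PORT
            and len(payload) == SLAMMER_PAYLOAD_LEN
            and payload[0] == 0x04 and SLAMMER_MARKER in payload)


def fake_slammer_payload():
    """Constructed stand-in for the worm packet: same length, leading 0x04,
    0x01 filler and the marker string, but no executable code."""
    body = b"\x04" + b"\x01" * 96 + SLAMMER_MARKER
    return body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(body))


def daily_counts(events):
    """events: iterable of (day, sensor, proto, dst_port, payload).
    Returns {sensor: {day: slammer_hits}} (hypothetical feed format)."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, sensor, proto, dst_port, payload in events:
        if is_slammer(proto, dst_port, payload):
            counts[sensor][day] += 1
    return counts


def silence_report(counts, days, baseline_len=3, min_ratio=0.1):
    """For each day after the baseline window, split sensors into those still
    seeing Slammer at a normal rate and those whose hits fell below min_ratio
    of their own trailing mean. Sensors with no baseline traffic are skipped."""
    report = {}
    for i in range(baseline_len, len(days)):
        silent, active = [], []
        for sensor, per_day in counts.items():
            window = [per_day.get(d, 0) for d in days[i - baseline_len:i]]
            base = sum(window) / baseline_len
            if base == 0:
                continue
            today = per_day.get(days[i], 0)
            (silent if today < min_ratio * base else active).append(sensor)
        report[days[i]] = (sorted(silent), sorted(active))
    return report


def classify(silent, active):
    """A lone silent sensor while peers still see hits is a sensor problem;
    every baselined sensor going quiet at once means the traffic itself stopped
    (the March 11 situation), and the canary can no longer prove connectivity."""
    if not silent:
        return "ok"
    return "sensor outage" if active else "background traffic vanished"


def sample_events():
    """Constructed feed for two hypothetical sensors: sensor-a sees the worm
    until the traffic stops on March 11; sensor-b loses Internet visibility on
    March 7 and goes quiet early. Non-matching noise is mixed in each day."""
    days = [date(2011, 3, 1) + timedelta(days=n) for n in range(14)]
    worm = fake_slammer_payload()
    events = []
    for day in days:
        if day < date(2011, 3, 11):
            events += [(day, "sensor-a", "udp", 1434, worm)] * 50
        if day < date(2011, 3, 7):
            events += [(day, "sensor-b", "udp", 1434, worm)] * 40
        # noise that must not match: a short SSRS probe and a TCP/1433 packet
        events.append((day, "sensor-a", "udp", 1434, b"\x04" + b"\x01" * 10))
        events.append((day, "sensor-b", "tcp", 1433, b"\x12\x01" + b"\x00" * 374))
    return days, events


if __name__ == "__main__":
    days, events = sample_events()
    report = silence_report(daily_counts(events), days)
    for day, (silent, active) in report.items():
        print(day, classify(silent, active), "silent:", silent, "active:", active)
```

Run stand-alone it prints one line per day: March 7 through 9 come out as a sensor outage (sensor-b silent while sensor-a still sees hits), March 11 through 13 as the background traffic vanishing (the only baselined sensor goes quiet with no peer left to compare against). The point of the second class is that a connectivity check built on worm noise is only as good as the worm's persistence; once Slammer stopped, a sensor with no hits was no longer evidence of a broken sensor.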

The fate of SQL Slammer is of particular interest to X-Force. Its name, SQL Slammer, was coined on the evening that the worm first started hitting our sensors by our then-CTO Chris Rouland. We’ve been digging through the data that we’ve got regarding the drop-off and the IP addresses that used to be infected, and we hope that other security research organizations are doing the same. Eventually, the truth will emerge.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.