Exorcizing the ghost of Slammer

For seven years, the SQL Slammer worm has haunted the Internet. Now, a group wants to cast it out

On a Friday night in January 2003, the Internet went insane. Traffic spiked, clogging corporate connections to critical servers and services.

For corporate America, it was not a pretty moment, shining a harsh light on how quickly the Internet had become integral to their operations. A goodly portion of Bank of America's ATMs failed, many of Microsoft's products could not be activated, and Continental Airlines had to cancel flights because its scheduling system could not be reached.

The cause of the problems was the SQL Slammer worm. It spread over UDP (user datagram protocol) rather than TCP: a single 376-byte datagram to UDP port 1434 was enough to infect an unpatched SQL Server 2000 or MSDE host, with no connection handshake to slow it down, so each infected machine inundated the network with packets to random addresses. Software maker Siebel Systems, for example, kept the worm out for three days, but on the following Monday the malicious program found a crack in the company's network perimeter and flooded the LAN with its attempts to spread.

"The quantity of network traffic generated was an order of magnitude greater than anything we had seen before," Mark Sunday, CIO for Siebel, now part of Oracle, said at the time.

Corporate IT departments slowly recovered, killing the worm one reinstallation at a time. Yet the ghost of Slammer -- remnants of the worm haunting forgotten servers -- continues to rattle its chains around the Internet. Today, seven years later, security professionals can still detect echoes of the worm's attempts to spread on UDP port 1434.

Just in time for Halloween, security professionals hope to put an end to at least this noisy ghost. With the kickoff of the official Cyber Security Awareness Month of October, the SANS Institute has embarked on a mission to contact the providers that play unwitting -- one would imagine -- hosts to the ghost of Slammer.

The SANS Internet Storm Center sees only about 200 Slammer-infected hosts a day, yet the worm still generates enough traffic to usually earn a spot in the top 10 list of network traffic the group compiles each day.

"It is pretty easy to identify from our data compared to other old worms," says Johannes Ullrich, chief research officer for the SANS Institute. "From that generation -- Blaster, Nimda, SQL Slammer -- it is probably the most commonly seen one."

The group is asking system administrators who follow its daily blog to contact the administrators of compromised systems and ask them to remove Slammer from their systems. The group also offers advice on how abuse reports should be managed.
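The detection and reporting described above can be reduced to a small script. The following is an added example, not code from the article or from SANS: it parses constructed firewall-style log lines (the line format, sample addresses and the `abuse_report` template are this example's own assumptions, not the ISC's), flags Slammer propagation attempts by the worm's fixed signature (UDP to port 1434 with a 376-byte payload), and groups them by source so that a host probing several distinct destinations can be told apart from a single misconfigured client before an abuse report goes out.

```python
import re
from collections import defaultdict

# Slammer sends one UDP datagram per victim to port 1434 (the SQL Server
# resolution service) with a fixed 376-byte payload.
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376

# Constructed sample log lines for this example (not real captures). Format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> len=<bytes>
SAMPLE_LOG = """\
2010-10-01T00:00:01Z 198.51.100.7:1076 -> 203.0.113.5:1434 UDP len=376
2010-10-01T00:00:01Z 198.51.100.7:1076 -> 203.0.113.88:1434 UDP len=376
2010-10-01T00:00:02Z 198.51.100.7:1076 -> 192.0.2.33:1434 UDP len=376
2010-10-01T00:00:02Z 198.51.100.7:1076 -> 192.0.2.200:1434 UDP len=376
2010-10-01T00:00:03Z 192.0.2.10:51234 -> 203.0.113.5:1434 UDP len=376
2010-10-01T00:00:03Z 192.0.2.10:51235 -> 203.0.113.5:1434 TCP len=60
2010-10-01T00:00:04Z 203.0.113.9:40000 -> 192.0.2.33:53 UDP len=64
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def is_slammer_probe(rec):
    """True for a Slammer propagation attempt: UDP to 1434 carrying the 376-byte payload."""
    return (rec["proto"].upper() == "UDP"
            and rec["dport"] == SLAMMER_PORT
            and rec["len"] == SLAMMER_PAYLOAD_LEN)


def find_infected_sources(log_text, min_targets=2):
    """Return {src_ip: [distinct destinations]} for sources that probed at least
    min_targets different hosts. A source hitting many destinations is scanning,
    which is what an infected machine does; a single hit may be a stray client."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_slammer_probe(rec):
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def abuse_report(src, dsts):
    """Plain-text summary to send to the network owner (constructed template, not the ISC's)."""
    return (f"Host {src} is sending SQL Slammer propagation packets "
            f"(UDP/1434, 376-byte payload) to {len(dsts)} distinct hosts, "
            f"e.g. {', '.join(dsts[:3])}. Please rebuild or isolate it.")


if __name__ == "__main__":
    for src, dsts in find_infected_sources(SAMPLE_LOG).items():
        print(abuse_report(src, dsts))
```

With the sample data only 198.51.100.7 is reported; 192.0.2.10 sent one matching datagram to one host and stays below the default threshold, which is the kind of judgement call the ISC's abuse-reporting advice is about. Lowering `min_targets` to 1 reports it as well.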

Yet, Ullrich thinks the chances of eradicating the ghost of Slammer are not great. Early posts by the Internet Storm Center suggest that hosting firms are not paying much attention to reports of abuse from their networks.

"We will probably not make a significant dent in this month, but I hope we will get more traction as time moves on," he says.

This article, "Exorcizing the ghost of Slammer," was originally published at InfoWorld.com.

Copyright © 2010 IDG Communications, Inc.