Aleks Gostev

Me and Slammer (Helkern) go back a long way… to 25 January 2003 to be precise. It was a baptism of fire for me in my new role as a virus analyst at Kaspersky Lab. It was a weekend and I was alone, in charge of monitoring the incoming flow of suspicious files. I had barely been at the company a month.

On that day the Internet suffered one of the biggest virus epidemics in its history – within the space of just fifteen minutes a worm using a vulnerability in MS SQL Server infected hundreds of thousands of computers worldwide and knocked out the Internet in South Korea for a few hours.

Those 376 bytes were the implementation of a so-called ‘bodyless’ virus, which does not write itself to the system but only stays in the operational memory.

That was more than 8 years ago, but Slammer is still hanging around and is constantly among the leaders in our network attack ratings. Millions and billions of malicious packets are sent out each day searching for victims and generating a considerable amount of junk traffic.

Then something strange happened on 9 March 2011. Our automated threat analysis system, Kaspersky Security Network, recorded a significant drop in the number of attacks. We received the data from our IDS (Intrusion Detection System) module which monitors network attacks. The system also determines the source of an attack.

Take a look at the following graph:

You can see that over the last few months the number of machines sending out packets of this worm has fluctuated dramatically, but never dropped below 200000 unique hosts in a single day. On 9 March, however, the number fell virtually ten-fold and currently stands at around 15000 unique hosts per day. At first we suspected that this sharp decline was the result of numerous Internet channels being disabled following the earthquake in Japan. That theory was soon rejected, however. Prior to Slammer’s decline we recorded just 150 or so infected machines. After 11 March that number fell to 35, but clearly this had no bearing on the overall change in the number of sources that ran into hundreds of thousands.

The second theory is based on the fact that the worm started disappearing on the same day the latest patches were released from Microsoft. This appears a possibility, but not one of the patches released that day had anything to do with MS SQL. Moreover, the computers that are acting as a source of the worm are obviously not being updated because the worm manages to use a vulnerability that dates back to 2002.

Another theory suggests that a major Internet provider has started filtering port 1434 traffic (the port used by the worm). But there has yet to be any confirmation of this. Here is a list of the 10 leading countries/regions in terms of attacks as of on 8 March:

This is what the same 10 entries looked like on 12 March:

The biggest drop was seen on the Chinese mainland, but the downward trend was repeated in Russia, Brazil, the USA and Spain. The odd one out is Taiwan, where an increase was recorded. These statistics also put paid to the major provider theory, because there is no known provider that operates in all these countries.

Data from the SANS Institute also confirms the fall in the number of attack sources:

The institute’s experts are also wondering what the reason for the decline is, but as yet there is no clear answer.

*Aleks Gostev is chief security expert in Kaspersky Lab’s Global Research & Analysis Team.

Categories: Malware, Vulnerabilities

Comments (3)

  1. David Litchfield

    Perhaps someone’s been going around popping the boxes. Let’s face it – if you want to find easy-to-own boxes to add to your botnet just look for systems still spewing out old worms.

  2. Anonymous

    China has been actively taking down spam servers and the like in China proper. I imagine that is why you see the sharp decline.

Comments are closed.