The decline and fall of Slammer?

Me and Slammer (Helkern) go back a long way…to 25 January 2003 to be precise. It was a baptism of fire for me in my new role as a virus analyst at Kaspersky Lab. It was a weekend and I was alone, in charge of monitoring the incoming flow of suspicious files. I had barely been at the company a month.

On that day the Internet suffered one of the biggest virus epidemics in its history – within the space of just fifteen minutes a worm using a vulnerability in MS SQL Server infected hundreds of thousands of computers worldwide and knocked out the Internet in South Korea for a few hours.

Those 376 bytes were the implementation of a so-called ‘bodyless’ virus, which does not write itself to the system but only stays in the operational memory.

That was more than 8 years ago, but Slammer is still hanging around and is constantly among the leaders in our network attack ratings. Millions and billions of malicious packets are sent out each day searching for victims and generating a considerable amount of junk traffic.

Then something strange happened on 9 March 2011. Our automated threat analysis system, Kaspersky Security Network, recorded a significant drop in the number of machines carrying out attacks and an even bigger reduction in the number of computers being attacked. We received the data from our IDS (Intrusion Detection System) module which monitors network attacks. The system also determines the source of an attack.

Take a look at the following graph:

You can see that over the last few months the number of machines that were attacked by Slammer worm packets has fluctuated dramatically, but never dropped below 200000 unique hosts in a single day. On 9 March, however, the number fell virtually ten-fold and currently stands at around 15000 unique hosts per day.

At first we suspected that this sharp decline was the result of numerous Internet channels being disabled following the earthquake in Japan. That theory was soon rejected, however. Prior to Slammer’s decline we recorded just 150 or so machines that had been attacked by the worm. After 11 March that number fell to 35, but clearly this had no bearing on the overall change in the number of sources that ran into hundreds of thousands.

The second theory is based on the fact that the worm started disappearing on the same day the latest patches were released from Microsoft. This appears a possibility, but not one of the patches released that day had anything to do with MS SQL. Moreover, the computers that are acting as a source of the worm are obviously not being updated because the worm manages to use a vulnerability that dates back to 2002.

Another theory suggests that a major Internet provider has started filtering port 1434 traffic (the port used by the worm). But there has yet to be any confirmation of this. Here is a list of the 10 leading countries/regions in terms of attacks as of on 8 March:

This is what the same 10 entries looked like on 12 March:

The biggest drop was seen on the Chinese mainland, but the downward trend was repeated in Russia, Brazil, the USA and Spain. The odd one out is Taiwan, where an increase was recorded. These statistics also put paid to the major provider theory, because there is no known provider that operates in all these countries.

The most interesting aspect is the change in the number of sources from which the worm spread on these days.

On 8 March outgoing packets were recorded coming from 711 computers in almost 50 different countries. The 10 most common attack sources were as follows:

Four days later on 12 March these figures had more than halved to 296 computers in just 18 countries.

Data from the SANS Institute also confirms the fall in the number of attack sources:

The institute’s experts are also wondering what the reason for the decline is,but as yet there is no clear answer.

What we have here is an almost ten-fold decrease in the worm’s activity (number of computers targeted) coinciding with a more than 50% decrease in the number of sources spreading the worm.