[+] [-] _b8r0|15 years ago|reply
Slammer is a really old worm. It exploits this[1] vulnerability so it's not surprising that it's dying off. The entire worm is small enough to fit in a single UDP packet as it just generates random IP addresses, launches itself on UDP port 1434, and if the packets hit a vulnerable Windows 2000 server, then the exploit kicks in and we have a new infected host to propagate the worm.
Bearing in mind that the vulnerability exploits a weakness in a very old, no longer supported version of Windows, and that the patch came out 9 years ago, it's not surprising that Slammer activity has decreased.
There are a number of possible reasons for this - for example, maybe there were just a few infected servers and these have been taken offline, or that some form of filtering has been put in place at the ISP or country level so ISS' sensors no longer pick it up, but the reality is we just don't know.
All worms have a shelf life, perhaps Slammer's just reached the end of its one. 8 years isn't a bad run. After all, how many Morris worm infections does anyone see these days?
[1] - http://www.microsoft.com/technet/security/bulletin/MS02-039....
[+] [-] ilcavero|15 years ago|reply
That doesn't justify the sudden silence in a matter of months that the article shows in the graphic. I wonder if analyzing the worm's code shows if there is a time condition or bug that disables it after X date.
[+] [-] trezor|15 years ago|reply
"launches itself on UDP port 1434, and if the packets hit a vulnerable windows 2000 server"
Technically speaking, UDP port 1434 is a SQL Server service-discovery port and it would depend on SQL Server (2000) being installed to have any effect.
My experience as a former SQL Server consultant is that most organizations have been phasing out SQL Server 2000 for quite a while now, and only business-critical applications which for one reason or another are impossible to migrate to a newer version of SQL Server seem to be the only reason it is still around.
This doesn't explain the sudden drop, but just thought I'd clear up what I considered factually incorrect ;)
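The propagation pattern described in the comments above (single UDP packets to port 1434 aimed at randomly generated addresses) shows up in flow data as one source reaching many distinct destinations on that port. The sketch below is an added example, not code from the thread or from ISS; the record format, window size, threshold and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict

SQL_DISCOVERY_PORT = 1434  # UDP port named in the thread
WINDOW_SECONDS = 60        # assumed bucket size
MIN_DISTINCT_DSTS = 20     # assumed fan-out threshold; tune per network


def parse_flow(line):
    """Parse 'epoch src dst proto dport'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    if not (ts.isdigit() and dport.isdigit()):
        return None
    return int(ts), src, dst, proto.lower(), int(dport)


def find_udp1434_scanners(lines, window=WINDOW_SECONDS, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: most distinct UDP/1434 destinations seen in one window}."""
    targets = defaultdict(set)  # (src, window index) -> destinations seen
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, proto, dport = flow
        if proto == "udp" and dport == SQL_DISCOVERY_PORT:
            targets[(src, ts // window)].add(dst)
    flagged = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= min_dsts:
            flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


def constructed_flows():
    """Constructed sample: a repeat client, a host spraying UDP/1434, and noise."""
    # Legitimate-looking client asking the same server over and over.
    flows = [f"{1020 + i * 5} 10.0.0.5 10.0.0.20 udp 1434" for i in range(8)]
    # One source hitting 40 different addresses within a single window.
    flows += [f"{1020 + i} 10.0.0.9 198.51.100.{i + 1} udp 1434" for i in range(40)]
    flows += ["1021 10.0.0.7 10.0.0.1 udp 53", "garbage line",
              "1022 10.0.0.7 10.0.0.20 tcp 1434"]
    return flows


if __name__ == "__main__":
    for src, count in find_udp1434_scanners(constructed_flows()).items():
        print(f"{src}: {count} distinct UDP/1434 destinations in one window")
```

Counting distinct destinations rather than matching on the port alone keeps an ordinary client that repeatedly queries one SQL Server from being flagged.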
[+] [-] romland|15 years ago|reply
On the other hand, it's a bit hard to believe that IBM Security Systems would miss that... So while perhaps plausible, doubtful.
[+] [-] hnfwerr|15 years ago|reply
*edit, maybe an April Fools' joke? Article is from April 1st.
[+] [-] caf|15 years ago|reply
[+] [-] sucuri2|15 years ago|reply
[+] [-] thorax|15 years ago|reply