

SQL Slammer’s mysterious disappearance - caf
http://blogs.iss.net/archive/sqlslam.html

======
iuguy
Slammer is a really old worm. It exploits this[1] vulnerability so it's not
surprising that it's dying off. The entire worm is small enough to fit in a
single UDP packet as it just generates random IP addresses, launches itself on
UDP port 1434, and if the packets hit a vulnerable Windows 2000 server, then
the exploit kicks in and we have a new infected host to propagate the worm.

Bearing in mind that the vulnerability exploits a weakness in a very old no
longer supported version of Windows, and that the patch came out 9 years ago
it's not surprising that Slammer activity has decreased.

There are a number of possible reasons for this - for example, maybe there
were just a few infected servers and these have been taken offline, or that
some form of filtering has been put in place at the ISP or country level so
ISS' sensors no longer pick it up, but the reality is we just don't know.

All worms have a shelf life, perhaps Slammer's just reached the end of its
one. 8 years isn't a bad run. After all, how many Morris worm infections does
anyone see these days?

[1] - http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

~~~
ilcavero
That doesn't justify the sudden silence in a matter of months that the article
shows in the graphic. I wonder if analyzing the worm's code shows if there is
a time condition or bug that disables it after X date.

~~~
Natsu
Maybe some independent hacker finally got sick of it and decided to send the
hosts some kind of shutdown code?

------
romland
This almost sounds as if it's a bug, say, an int that flipped over. Wouldn't
an unsigned 16 bit int of milliseconds flip over after some 8-9 years?

On the other hand, it's a bit hard to believe that IBM Security Systems would
miss that... So while perhaps plausible, doubtful.

------
hnfwerr
Probably a bug, since I am still getting hit by SQL Slammer on our IDS.

*edit, maybe an April Fools' joke? Article is from April 1st.

~~~
caf
After reading the article, I checked my own IDS logs and saw the same drop to
zero after March 11.

------
sucuri2
Article from April 1st...

~~~
thorax
I didn't download their full report, but other sources reported it as in their
final report (not produced on April 1st).

