Saturday, April 4, 2009

The gift that keeps on giving

So... years ago, I wrote a program called WormRadar. It was designed to detect and measure the malware of the day, worms. More recently, the web became the main attack vector, and we started building programs to detect and measure that activity (which is where LinkScanner came from), and WormRadar gradually fell into disuse. Really recently (as opposed to more recently, and yes, my old English teacher wants to rap my knuckles for that), we cranked up a WormRadar node again, just to see what new things were circulating, and the number one thing we're detecting is .... Slammer!!!!!!

Now, many readers will already see the funny side of that, but many will also not, so for the "nots" ... SqlSlammer was a worm that appeared in January 2003, and really hit the Internet hard. That was pretty amazing at the time, because it exploited a vulnerability that had been patched as MS02-039... _six_ months earlier. In other words, although a patch had been available for six months, so many people had not patched that the worm was able to be a major spreader six months later.

Then, in 2004, Microsoft released XP Service Pack 2, in which the firewall was on by default for the first time, and this was really an Extinction Level Event for most worms, because even little old Windows firewall is enough to stop all worms. There have not been any worms since then that can force their way thru the firewall from outside. Conficker, for example, relies on getting inside the firewall by some other method... USB drive... social engineering ... whatever... and then runs rampant inside a network, but it can't _force_ its way in.

This then, is the amusing and amazing thing about Slammer... it's still alive and well six _years_ after its first appearance, which is six _years and six months_ after the patch was released!

In other words, there are computers which are just never patched!!!!

There is a name for this type of user .... Victims!

Keep safe folks! (Oh, and keep patched! ;-))

Roger