Why Old SQL Worms Won't Die
narramissic writes "In a recent ITworld article, Security researcher Brent Huston ponders how it is that versions of SQL worms dating back to 2002 represent nearly 70% of all malicious traffic on the Internet today. 'I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common botnet infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank "sa" passwords and other age-old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive."
Uh... so what is so special about SQL? Why are SQL worms so prevalent compared to C worms, or PHP worms, or Java worms, etc.?
... but surely they're easier to spot. If you're pasting values into an SQL string instead of using named/positional parameters, you're vulnerable. That sort of thing should be much easier to do an automated search for in your source than buffer size tracking through C sources.
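As an added example (not from the article or any commenter), here is a crude version of the automated source search this comment describes, alongside the pasted-string query beside its parameterized form, run against a constructed in-memory sqlite table; the sample source text and row values are made up:

```python
import re
import sqlite3

# Heuristic static check for the pattern described above: a SQL string that
# has a value pasted into it (concatenation, %-formatting, .format, f-string)
# instead of being passed as a bound parameter. A regex, not a parser.
SQL_START = re.compile(r"""f?['"]\s*(SELECT|INSERT|UPDATE|DELETE)\b""", re.I)
PASTE = [
    re.compile(r"""['"]\s*\+\s*\w"""),      # "...name = '" + user
    re.compile(r"""['"]\s*%\s*\(?\w"""),    # "...name = '%s'" % user
    re.compile(r"""['"]\s*\.format\("""),   # "...name = '{}'".format(user)
    re.compile(r"""\bf['"].*?\{"""),        # f"...name = '{user}'"
]

def find_sql_paste(source):
    """Return (line_no, stripped_line) for lines that look like string-built SQL."""
    return [(n, ln.strip()) for n, ln in enumerate(source.splitlines(), 1)
            if SQL_START.search(ln) and any(p.search(ln) for p in PASTE)]

# Constructed sample source (hypothetical) with three bad lines and one good one.
SAMPLE_SOURCE = '''
def f1(c, u): return c.execute("SELECT id FROM users WHERE name = '" + u + "'")
def f2(c, u): return c.execute("SELECT id FROM users WHERE name = '%s'" % u)
def f3(c, u): return c.execute(f"SELECT id FROM users WHERE name = '{u}'")
def f4(c, u): return c.execute("SELECT id FROM users WHERE name = ?", (u,))
'''

def make_db():
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def lookup_pasted(conn, name):
    # Vulnerable form: the value becomes part of the SQL text and is parsed as SQL.
    return conn.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()

def lookup_bound(conn, name):
    # Hardened form: the value is bound as a parameter and never parsed as SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    for n, ln in find_sql_paste(SAMPLE_SOURCE):
        print(f"line {n}: {ln}")
    conn = make_db()
    tautology = "x' OR '1'='1"
    print(lookup_pasted(conn, tautology))  # [(1,), (2,)]: the WHERE filter is bypassed
    print(lookup_bound(conn, tautology))   # []: the whole string is one literal name
```

The scanner flags the three pasted-string lines and leaves the `?`-parameter line alone; the runtime half shows why the distinction matters.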
OK, so SQL injection doesn't require the kind of in-depth knowledge to exploit that buffer overflows in C do, so I imagine SQL exploits might be easier to craft to begin with.
Also, does anyone else think the following does not make much sense: "Most [botnet hosts that perform the scans] are not running exposed SQL themselves..."? Why not "...running badly-written SQL..." or "vulnerable SQL"? Seems like a really weird choice of words.
Why doesn't the gene pool have a life guard?