Why Old SQL Worms Won't Die
narramissic writes "In a recent ITworld article, security researcher Brent Huston ponders how it is that versions of SQL worms dating back to 2002 represent nearly 70% of all malicious traffic on the Internet today. 'I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common botnet infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank "sa" passwords and other age-old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive.'"
Cut them in half and now you just have 2 worms! Stop the madness!
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
What can I say? Team 17 made it fun, accessible, and simple, yet requiring thought and strategy. The later 3D versions had problems with the camera, and the humor never matched up to the original.
I'm surprised by this article. I thought it was common knowledge that botnets are full of these old exploits. The guessed purpose is exactly what's going on. Worms these days don't spread as rapidly as they used to on the wild internet because botnets are serving a purpose -- they are making somebody money. If they spread like wildfire on the internet as a whole, they would attract too much attention, and get cleaned up. They can't get into most corporate networks using worm probes, either, but they can and do get in by exploiting browsers, as email attachments, and so forth. Once inside, they probe around looking for all manner of things. It's not just SQL exploits, either. I'd guess the sample data they looked at was biased somehow. Maybe some big botnet was running a sweep with those particular exploits during the sample period.
If you mod me down, I shall become more powerful than you could possibly imagine.
> I used to get a lot of traffic from SSH brute force attacks
Yup. One of the first bits I install on a new server is DenyHosts; "service denyhosts start" and an hour later there are a half dozen IPs in /etc/hosts.deny. Good times.