This week Tim Ecott, managing consultant of Integralis, warns of the danger of a return of SQL Slammer, the fastest propagating worm on the internet to date.
Slammer was one of those virus events we would be happy never to see again.
But the chances are we will.
Just as recently we've seen new variants of Bugbear and SoBig malware, so too will we see Slammer variants and new outbreaks.
The SQL Slammer (or Sapphire) worm of January 2003 was by far the fastest propagating worm the internet has experienced. As it began spreading, the infected population of systems doubled in number every few seconds.
The worm achieved its full scanning rate (over 55 million scans per second) in approximately three minutes, after which its rate of growth slowed down, because significant portions of the internet did not have enough bandwidth to allow it to operate unhindered.
It infected more than 75,000 systems on the internet within 10 minutes.
Although rapid propagation worms had been talked of in theoretical terms, the spread of SQL Slammer provided the first real proof of the capabilities of such a high-speed worm.
It was faster than Code Red, the worm that infected over 350,000 hosts in July 2001. The Code Red worm population doubled only every 35 minutes, a pedestrian rate by comparison.
The reason that SQL Slammer spread so much faster than Code Red, despite infecting fewer systems, is that Code Red was latency-limited, whereas SQL Slammer was constrained only by available bandwidth.
Once Slammer compromised a system, it would try to propagate itself by crafting packets of 376 bytes and sending them to randomly chosen IP addresses on port 1434/UDP.
If one of these packets reached a vulnerable system, this system would become infected and would also begin to propagate. Each infected system would transmit packets as fast as the network could deliver them.
The amount of traffic alone caused significant disruption to non-infected systems by using up all available bandwidth. Due to the high traffic volume, many network devices such as routers, switches and firewalls were unable to carry out normal processing, and legitimate internet traffic suffered.
Central to the success of SQL Slammer was the widespread use of Microsoft SQL Server on internet-facing systems. The worm exploited a buffer overflow vulnerability in Microsoft SQL Server or Microsoft SQL Server Desktop Engine (MSDE) 2000.
The weakness in the underlying indexing service was discovered in July 2002 and Microsoft released a patch for the vulnerability soon afterwards.
The fact that MSDE was vulnerable too is important. MSDE is often incorporated into other Microsoft software products, and a growing number of third-party applications install MSDE, some of them silently.
As a result, many system administrators would have been unaware that their system was vulnerable and would not have known that they needed to take corrective action.
One might wonder why so many internet-facing SQL servers existed that were not protected by even basic firewall rules. Weak firewalling and lack of adequate system maintenance and hardening were major factors in the success of this worm.
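The two operational points above, the fixed 376-byte UDP packets sprayed at random addresses on port 1434 and the SQL servers left reachable through weak firewalling, are both things a network defender can check for in flow or firewall logs. The following is an added example written for this article, not code from Integralis or from any product; it assumes a constructed, whitespace-separated log format (timestamp, protocol, source, destination, payload bytes) and the sample lines embedded in it are made up for the demonstration. It flags internal sources fanning out Slammer-sized packets to many distinct destinations, and separately lists inbound UDP/1434 from outside the organisation's own networks, which is evidence that the perimeter is not filtering the port at all.

```python
"""Flag Slammer-style UDP/1434 scanning and unfiltered inbound UDP/1434 in flow logs.

Assumed (constructed) log format, one flow per line:
    <ISO timestamp> <proto> <src_ip>:<src_port> <dst_ip>:<dst_port> <payload_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

SLAMMER_PORT = 1434          # UDP port targeted by the worm (from the article)
SLAMMER_PAYLOAD_LEN = 376    # packet size named in the article
FANOUT_THRESHOLD = 5         # distinct destinations per source before alerting (tuning choice)
WINDOW_SECONDS = 60          # sliding window for the fan-out count (tuning choice)

# Constructed sample log: 10.0.0.5 sprays six destinations in three seconds,
# 203.0.113.9 reaches an internal SQL host from the outside, the rest is benign noise.
SAMPLE_LOG = """\
2003-01-25T05:30:00 UDP 10.0.0.5:1190 198.51.100.7:1434 376
2003-01-25T05:30:00 UDP 10.0.0.5:1190 203.0.113.44:1434 376
2003-01-25T05:30:01 UDP 10.0.0.5:1190 192.0.2.15:1434 376
2003-01-25T05:30:01 UDP 10.0.0.5:1190 192.0.2.200:1434 376
2003-01-25T05:30:02 UDP 10.0.0.5:1190 198.51.100.99:1434 376
2003-01-25T05:30:02 UDP 10.0.0.5:1190 10.0.0.77:1434 376
2003-01-25T05:30:03 UDP 203.0.113.9:1434 10.0.0.20:1434 376
2003-01-25T05:30:04 TCP 10.0.0.12:50112 10.0.0.20:1433 118
2003-01-25T05:30:05 UDP 10.0.0.12:53001 10.0.0.1:53 64
2003-01-25T05:30:06 UDP 10.0.0.12:50113 10.0.0.20:1434 1
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    length: int


def parse_line(line):
    """Parse one line of the assumed log format into a Flow."""
    ts, proto, src, dst, length = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), proto.upper(),
                src_ip, int(src_port), dst_ip, int(dst_port), int(length))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_slammer_like(flow):
    """Protocol, destination port and payload size all match the worm's traffic."""
    return (flow.proto == "UDP" and flow.dst_port == SLAMMER_PORT
            and flow.length == SLAMMER_PAYLOAD_LEN)


def scanning_sources(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: peak distinct destinations} for sources whose Slammer-like
    packets reached at least `threshold` distinct hosts within `window` seconds.
    Fan-out to many random addresses, not volume alone, is the worm's signature."""
    by_src = defaultdict(list)
    for f in flows:
        if is_slammer_like(f):
            by_src[f.src_ip].append(f)
    result = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        peak, start = 0, 0
        for end in range(len(fl)):
            # advance the window start until it spans at most `window` seconds
            while (fl[end].ts - fl[start].ts).total_seconds() > window:
                start += 1
            peak = max(peak, len({f.dst_ip for f in fl[start:end + 1]}))
        if peak >= threshold:
            result[src] = peak
    return result


def exposed_sql_ports(flows, internal_nets):
    """Sorted (src, dst) pairs for UDP/1434 arriving from outside `internal_nets`
    at an internal host: each pair is a SQL port the perimeter failed to filter."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    return sorted({(f.src_ip, f.dst_ip) for f in flows
                   if f.proto == "UDP" and f.dst_port == SLAMMER_PORT
                   and internal(f.dst_ip) and not internal(f.src_ip)})


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("scanning sources:", scanning_sources(flows))
    print("unfiltered inbound UDP/1434:", exposed_sql_ports(flows, ["10.0.0.0/8"]))
```

The size match keeps the fan-out check specific to this worm's traffic, while the exposure check deliberately ignores size: a single inbound datagram on UDP/1434 from the internet is already a finding, since the article's point is that the port should not have been reachable in the first place.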
Though simple, SQL Slammer represented a major milestone in the evolution of computer worms. Beyond the scanning activity for new hosts, it did not contain a destructive payload.
Despite this, it spread worldwide in roughly 10 minutes, attacking not only systems directly related to the internet, but also disrupting seemingly unrelated systems, such as banking ATM services.
The prospect of the worm being developed further is pretty much inevitable.
A more hostile worm might destroy or copy data stored locally on infected systems, or might stop scanning once the entire susceptible population is infected, leaving itself dormant to do harm at some point in the future.
A 'latent' variant would be difficult to detect, and it is highly likely that a variant of this worm will appear in time.
Today, almost five months after the attack, remnants of the SQL Slammer worm are still evident, indicating that numerous infected systems remain undetected on the internet.
Make no mistake, however, SQL Slammer will be back. Its effects may not be so radical this time around, since many people are patching their vulnerabilities now.
But once a good hack has been discovered it never goes away.