For a week in November and December 2016, someone tried to resurrect the 14-year-old SQL Slammer worm, according to security firm Check Point, which reported today that it has "detected a massive increase in the number of attack attempts."
According to a chart based on detections from Check Point security software, attacks only lasted for seven days, between November 28 and December 4, 2016, and were massive enough to make the SQL Slammer worm "one of the top malware detected in this timeframe."
The SQL Slammer worm appeared on January 25, 2003, and spread to over 75,000 computers in just its first ten minutes, making it one of the fastest-spreading pieces of malware known to date.
Under the hood, the worm leveraged proof-of-concept (PoC) code for a buffer overflow bug discovered by security researcher David Litchfield, which affected Microsoft's SQL Server and Desktop Engine database products.
Microsoft patched the vulnerability, but SQL Slammer's author used the PoC to craft the worm, and also added self-replication features.
The worm operated by infecting servers or desktop computers running Internet-connected SQL Server or Desktop Engine instances, then choosing a random IP address and attempting to infect a new host.
At the time it appeared, the worm caused many routers to crash due to the high volume of traffic resulting from its automatic scanning and self-replication behavior.
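The random-target scanning described above is what a network defender can look for in flow telemetry. The following is an added example (not from the article or from Check Point): it flags sources that fan out single-packet UDP flows to port 1434, the SQL Server Resolution Service port the real worm used, across many distinct destinations within a short window. The flow records, thresholds and field layout are constructed for the example.

```python
"""Flag hosts showing Slammer-style scanning: bursts of one-packet UDP flows
to port 1434 fanning out to many distinct destination IPs."""
from collections import defaultdict

# Constructed flow records (not from the article): "epoch src dst proto dport packets"
SAMPLE_FLOWS = """\
100 10.0.0.5 203.0.113.7 udp 1434 1
100 10.0.0.5 198.51.100.9 udp 1434 1
101 10.0.0.5 192.0.2.44 udp 1434 1
101 10.0.0.5 203.0.113.99 udp 1434 1
102 10.0.0.5 198.51.100.200 udp 1434 1
103 10.0.0.8 203.0.113.7 udp 1434 1
104 10.0.0.9 203.0.113.7 tcp 1433 12
105 10.0.0.9 203.0.113.7 tcp 1433 40
"""

SLAMMER_PORT = 1434          # SQL Server Resolution Service (UDP)
WINDOW_SECONDS = 60          # assumed detection window
MIN_DISTINCT_TARGETS = 4     # assumed fan-out threshold


def parse_flows(text):
    """Parse the constructed flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pkts = line.split()
        flows.append((int(ts), src, dst, proto, int(dport), int(pkts)))
    return flows


def find_scanners(flows, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: max distinct targets} for sources that, within any
    `window`-second span, sent single-packet UDP/1434 flows to at least
    `min_targets` distinct destinations. A legitimate client may query one
    SQL Browser over UDP/1434, but it does not fan out to many random hosts;
    normal query traffic is multi-packet TCP/1433 and is ignored here."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, pkts in flows:
        if proto == "udp" and dport == SLAMMER_PORT and pkts == 1:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n} distinct UDP/1434 targets within {WINDOW_SECONDS}s")
```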
Back in the early 2000s, Internet bandwidth was not sufficient to support this constant scanning from so many infected hosts, and a general worldwide Internet slowdown was recorded at the time of the initial attack. The first SQL Slammer wave was so massive that 5 of 13 root nameservers went down.
Since the worm lived only in memory, most sysadmins removed the infection by rebooting their devices, and the worm died down in the following months after most security products updated defenses to prevent and mitigate SQL Slammer's attacks.
The worm's recent comeback is mysterious, but SQL Slammer is now outdated and will never cause the havoc it did when it first appeared.
Nevertheless, its sudden reappearance proves that, more than a decade later, there are still many Internet-connected hosts running software exposed to 14-year-old vulnerabilities.