UPDATED 22:04 EST / FEBRUARY 05 2017

Ancient SQL Slammer worm returns from the dead in mysterious new attack

A computer worm that resulted in a wave of distributed denial-of-service attacks in 2003 has mysteriously returned to the Internet in a series of attempted attacks late last year.

Security firm Check Point Software Technologies Ltd. detected the worm, called SQL Slammer, between Nov. 28 and Dec. 4 in what it described as a “massive surge” in attempted attacks.

“More than a decade later, Slammer is hitting again,” the company said in a blog post. “The attack attempts detected by Check Point were directed to a large variety of destination countries with 26 percent of the attacks being towards networks in the United States” indicating “a wide wave of attacks rather than a targeted one.” IP addresses in China, Vietnam, and Mexico were used in the Slammer attack.

Slammer exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 and MSDE 2000: the worm sends a formatted request to a port on the server to infect it. Once a server is infected, the worm attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial-of-service condition on its targets.
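A defender-side sketch of how that traffic pattern can be spotted in flow records follows; it is an added example, not code from Check Point or from this article. The UDP port 1434, the leading 0x04 byte and the 376-byte payload size come from public analyses of the 2003 worm rather than from the article, the flow records are constructed, and the two thresholds are assumptions.

```python
from collections import defaultdict

SSRP_PORT = 1434          # UDP port of the SQL Server Resolution Service
MAX_BENIGN_PAYLOAD = 64   # assumption: real resolution requests are a few dozen bytes at most
FANOUT_THRESHOLD = 5      # assumption: distinct destinations before a source counts as spreading

# Constructed flow records: (src, dst, proto, dport, first payload byte, payload length)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", "udp", 1434, 0x02, 1),    # one-byte instance enumeration query
    ("10.0.0.5", "10.0.0.20", "udp", 1434, 0x04, 12),   # short named-instance lookup
    ("10.0.0.9", "10.0.0.20", "tcp", 1433, 0x12, 52),   # ordinary SQL client traffic
] + [
    # one source sending the same oversized request to many different addresses
    ("192.0.2.77", f"198.51.100.{i}", "udp", 1434, 0x04, 376) for i in range(1, 9)
] + [
    ("203.0.113.4", "10.0.0.20", "udp", 1434, 0x04, 376),  # single attempt, one target
]

def is_slammer_like(proto, dport, first_byte, length):
    """True for an oversized 0x04 request sent to the resolution service over UDP."""
    return (proto == "udp" and dport == SSRP_PORT
            and first_byte == 0x04 and length > MAX_BENIGN_PAYLOAD)

def classify_sources(flows, fanout=FANOUT_THRESHOLD):
    """Return {src: 'propagating' | 'probe'} for sources that sent suspicious packets."""
    targets = defaultdict(set)
    for src, dst, proto, dport, first_byte, length in flows:
        if is_slammer_like(proto, dport, first_byte, length):
            targets[src].add(dst)
    # Many distinct destinations from one source matches the worm's random-IP spreading.
    return {src: ("propagating" if len(dsts) >= fanout else "probe")
            for src, dsts in targets.items()}

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(FLOWS).items()):
        print(f"{src}: {verdict}")
```

Sources classified as "propagating" inside your own address space are the ones to isolate first, since each is itself generating the flood.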

The worm made headlines in 2003 when it dramatically slowed down Internet traffic by infecting some 75,000 victims within 10 minutes, resulting in the collapse of numerous routers due to a bombardment of traffic from infected servers.

What makes the attempted distribution of the worm interesting is that it can only exploit an extremely old flaw in Microsoft’s SQL Server and Desktop Engine. Not only was the flaw patched at the time, but the software itself has long since been superseded.

“Although the Slammer worm was primarily spread during 2003, and has barely been observed in the wild over the last decade,” Check Point noted, “the massive spike in propagation attempts that was observed in our data leads us to wonder – is the worm trying to make a comeback?”
