
Why Old SQL Worms Won't Die

narramissic writes "In a recent ITworld article, security researcher Brent Huston ponders how it is that versions of SQL worms dating back to 2002 represent nearly 70% of all malicious traffic on the Internet today. 'I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common botnet infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank "sa" passwords and other age-old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive.'"
  • stop the madness! (Score:5, Interesting)

    by Gary W. Longsine ( 124661 ) on Monday February 25, 2008 @05:19PM (#22550806) Homepage Journal
    I'm surprised by this article. I thought it was common knowledge that botnets are full of these old exploits. The guessed purpose is exactly what's going on. Worms these days don't spread as rapidly as they used to on the wild internet because botnets are serving a purpose -- they are making somebody money. If they spread like wildfire on the internet as a whole, they would attract too much attention, and get cleaned up. They can't get into most corporate networks using worm probes, either, but they can and do get in by exploiting browsers, as email attachments, and so forth. Once inside, they probe around looking for all manner of things. It's not just SQL exploits, either. I'd guess the sample data they looked at was biased somehow. Maybe some big botnet was running a sweep with those particular exploits during the sample period.
