Researchers Estimate Worst-Case Worm Damage at $50 Billion

A pair of security researchers has tried to assess the worst case scenario for a worm attack on the United States targeting commonly used services in the ubiquitous Windows platform. The figure they came up with is $50 billion.

In a 12-page paper, titled "A Worst-Case Worm," Nicholas Weaver and Vern Paxson of the International Computer Science Institute dream up the worst plausible worm they can think of and then try to perform a crude calculation of how much damage it might cause. The purpose of the exercise is to size the potential damage in order to assess how seriously society should take -- and invest in -- the threat. ICSI is a non-profit research institute affiliated with the nearby University of California at Berkeley.

The researchers assume a nation state seeking to maximize economic damage against U.S. businesses and government. They assume the nation state's resources include experienced programmers, access to large and diverse testing networks and months to develop and test the worm. "In our analysis, the main differences between an attacker with extensive resources, such as a nation state, and one with relatively limited resources, such as a terrorist group, is that the former can attain more 'zero day' (never-before-seen) exploits, and afford much more extensive testing," Weaver and Paxson write.

The authors contend their model does not require access to Windows source code. For anyone who doubts that experienced programmers can find "zero day" flaws without access to source code, look at all the security researchers who are regularly credited with discovering the flaws that Microsoft patches each month.

For the paper, the researchers concocted a hypothetical worm exploiting the SMB/CIFS file sharing service, which is included in various forms in all Windows distributions since Windows 98. The hypothetical worm was also a blended threat -- with mailer worm and Web server exploitation features to help it spread across firewalls, a weakness of SMB/CIFS-targeting worms.

Where the paper begins to become frightening is when the authors discuss how a well-funded opponent seeking damage rather than glory could architect a worm to wipe out computer systems. The authors offer a credible scenario in which the worm could, in addition to corrupting random files and wiping disks, flash the BIOS. The authors reviewed manuals for seven popular BIOS systems and two motherboards and found that all were flashable by software in the default configuration.

Cutting to the chase, the authors arrived at their damage estimate: "We speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload," Weaver and Paxson write. In fact, that estimate comes with the authors' variables set at lower values. Slightly higher values in a table buried further in the report show potential damage of more than $100 billion.

All the values assume 50 million computers infected, a number the authors support with the fact that eight million infected systems contacted Windows Update for the Blaster removal tool. The Blaster worm was released almost a month after the underlying RPC vulnerability had been patched. Microsoft worked frantically during that intervening month to urge users to apply the patch.

The authors count only lost productivity, repair time, lost data and damage to systems in their estimate. "We exclude hard-to-estimate (and often grossly inflated) secondary losses and follow-on effects, and we also exclude possible impacts on critical infrastructure," Weaver and Paxson write. A third author of the paper, researcher Stuart Staniford, withdrew his name from the paper because he believed the authors lowballed potential damage.

The paper is available here:
www.icir.org/vern/papers/worst-case-worm.WEIS04.pdf.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
