Researchers Estimate Worst-Case Worm Damage at $50 Billion

A pair of security researchers has tried to assess the worst case scenario for a worm attack on the United States targeting commonly used services in the ubiquitous Windows platform. The figure they came up with is $50 billion.

In a 12-page paper, titled "A Worst-Case Worm," Nicholas Weaver and Vern Paxson of the International Computer Science Institute dream up the worst plausible worm they can think of and then try to perform a crude calculation of how much damage it might cause. The purpose of the exercise is to size the potential damage in order to assess how seriously society should take -- and invest in -- the threat. ICSI is a non-profit research institute affiliated with the nearby University of California at Berkeley.

The researchers assume a nation state seeking to maximize economic damage against U.S. businesses and government. They assume the nation state's resources include experienced programmers, access to large and diverse testing networks and months to develop and test the worm. "In our analysis, the main differences between an attacker with extensive resources, such as a nation state, and one with relatively limited resources, such as a terrorist group, is that the former can attain more 'zero day' (never-before-seen) exploits, and afford much more extensive testing," Weaver and Paxson write.

The authors contend their model does not require access to Windows source code. For anyone with doubts that experienced programmers can find "zero day" flaws without access to source code, look at all the security researchers who are regularly credited with discovering the flaws that Microsoft patches each month.

For the paper, the researchers concocted a hypothetical worm exploiting the SMB/CIFS file sharing service, which is included in various forms in all Windows distributions since Windows 98. The hypothetical worm was also a blended threat -- with mailer worm and Web server exploitation features to help it spread across firewalls, a weakness of SMB/CIFS-targeting worms.

Where the paper begins to become frightening is when the authors discuss how a well-funded opponent seeking damage rather than glory could architect a worm to wipe out computer systems. The authors offer a credible scenario in which the worm could, in addition to corrupting random files and wiping disks, flash the BIOS. The authors reviewed manuals for seven popular BIOS systems and two motherboards and found that all were flashable by software in the default configuration.

Cutting to the chase, the authors arrived at their damage estimate: "We speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload," Weaver and Paxson write. In fact, that estimate comes with the authors' variables set at lower values. Slightly higher values in a table buried further in the report show potential damage of more than $100 billion.

All the values assume 50 million computers infected, a number the authors support with the fact that eight million infected systems contacted Windows Update for the Blaster removal tool. The Blaster worm was released almost a month after the underlying RPC vulnerability had been patched. Microsoft worked frantically during that intervening month to urge users to apply the patch.

The authors count only lost productivity, repair time, lost data and damage to systems in their estimate. "We exclude hard-to-estimate (and often grossly inflated) secondary losses and follow-on effects, and we also exclude possible impacts on critical infrastructure," Weaver and Paxson write. A third author of the paper, researcher Stuart Staniford, withdrew his name from the paper because he believed the authors lowballed potential damage.

The paper is available here:
www.icir.org/vern/papers/worst-case-worm.WEIS04.pdf.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.