Researchers Estimate Worst-Case Worm Damage at $50 Billion

A pair of security researchers has tried to assess the worst case scenario for a worm attack on the United States targeting commonly used services in the ubiquitous Windows platform. The figure they came up with is $50 billion.

In a 12-page paper, titled "A Worst-Case Worm," Nicholas Weaver and Vern Paxson of the International Computer Science Institute dream up the worst plausible worm they can think of and then try to perform a crude calculation of how much damage it might cause. The purpose of the exercise is to size the potential damage in order to assess how seriously society should take -- and invest in -- the threat. ICSI is a non-profit research institute affiliated with the nearby University of California at Berkeley.

The researchers assume a nation state seeking to maximize economic damage against U.S. businesses and government. They assume the nation state's resources include experienced programmers, access to large and diverse testing networks and months to develop and test the worm. "In our analysis, the main differences between an attacker with extensive resources, such as a nation state, and one with relatively limited resources, such as a terrorist group, is that the former can attain more 'zero day' (never-before-seen) exploits, and afford much more extensive testing," Weaver and Paxson write.

The authors contend their model does not require access to Windows source code. For anyone who doubts that experienced programmers can find "zero day" flaws without access to source code, consider the security researchers who are regularly credited with discovering the flaws that Microsoft patches each month.

For the paper, the researchers concocted a hypothetical worm exploiting the SMB/CIFS file sharing service, which is included in various forms in all Windows distributions since Windows 98. The hypothetical worm was also a blended threat -- with mailer worm and Web server exploitation features to help it spread across firewalls, a weakness of SMB/CIFS-targeting worms.

Where the paper begins to become frightening is when the authors discuss how a well-funded opponent seeking damage rather than glory could architect a worm to wipe out computer systems. The authors offer a credible scenario in which the worm could, in addition to corrupting random files and wiping disks, flash the BIOS. The authors reviewed manuals for seven popular BIOS systems and two motherboards and found that all were flashable by software in the default configuration.

Cutting to the chase, the authors arrived at their damage estimate: "We speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload," Weaver and Paxson write. In fact, that estimate comes with the authors' variables set at lower values. Slightly higher values in a table buried further in the report show potential damage of more than $100 billion.

All the values assume 50 million computers infected, a number the authors support with the fact that eight million infected systems contacted Windows Update for the Blaster removal tool. The Blaster worm was released almost a month after the underlying RPC vulnerability had been patched. Microsoft worked frantically during that intervening month to urge users to apply the patch.

The authors count only lost productivity, repair time, lost data and damage to systems in their estimate. "We exclude hard-to-estimate (and often grossly inflated) secondary losses and follow-on effects, and we also exclude possible impacts on critical infrastructure," Weaver and Paxson write. A third author of the paper, researcher Stuart Staniford, withdrew his name from the paper because he believed the authors lowballed potential damage.

The paper is available here:

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
