Worm Attack Could Rack Up $50 Billion In U.S. Damages

Two security researchers say a worst-case scenario attack could easily cost the country $50 billion in direct damages alone.
A worst-case worm attack on the United States could easily cost the country $50 billion in direct damages, a pair of security experts said Friday.

Nicholas Weaver and Vern Paxson, security researchers who work with the International Computer Science Institute (ICSI), a nonprofit research group associated with the University of California at Berkeley, modeled a worst-case scenario in which state-sponsored attackers construct a worm exploiting an unpublished vulnerability, then launch it over the Internet.

Weaver is a postdoctoral researcher at ICSI, while Paxson is also a staff scientist at the Lawrence Berkeley National Laboratory.

"Although our estimates are at best approximations, a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload," Weaver and Paxson said in their paper.

That figure doesn't include secondary losses, such as possible impacts on IT infrastructure; it only accounts for lost productivity, lost data, damaged desktops and servers, and repair expenses.

Weaver and Paxson make a number of assumptions to arrive at their worst-case worm, including attackers with extensive resources, such as those sponsored by an enemy nation; the ability to sniff out an as-yet-undiscovered vulnerability in Windows; and a resulting worm that could spread so quickly that anti-virus firms wouldn't be able to react in time with updated signatures before the majority of the damage had been done.

An electronic attack of this magnitude "could cause widespread economic damage by disrupting or even destroying a large fraction of the computers responsible for day-to-day business," said Weaver and Paxson. "It's not implausible to conceive of attacks that could disrupt 50 million or more business computers."

By comparison, Weaver and Paxson said, last summer's Blaster worm, which exploited a vulnerability that was known for almost a month before the worm appeared, infected a minimum of 8 million machines.

Worms would be the weapon of choice for such an attack, the researchers said, because they can spread very quickly, as evidenced by the Slammer worm of 2003, which managed to infect tens of thousands of systems worldwide in less than 10 minutes. Speed would be crucial to any successful worst-case worm: once it's released, the race is between its propagation and security firms' ability to create new signature files to defend against the threat.
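To make that race concrete, here is an added example (not from the article or from the Weaver/Paxson paper) using the standard logistic model of a random-scanning worm; the vulnerable-population size, doubling time and defender reaction times are assumed illustrative values, not figures from the page.

```python
import math

# Logistic model of a random-scanning worm: dI/dt = k * I * (1 - I/N).
# Growth is exponential while almost every host is still susceptible and
# saturates as the pool of vulnerable hosts runs out.


def infected_fraction(t, n_vulnerable, i0, doubling_time):
    """Fraction of vulnerable hosts infected t seconds after release."""
    k = math.log(2) / doubling_time          # per-second growth rate
    # closed-form solution of the logistic equation
    i_t = n_vulnerable / (1 + (n_vulnerable / i0 - 1) * math.exp(-k * t))
    return i_t / n_vulnerable


def time_to_fraction(frac, n_vulnerable, i0, doubling_time):
    """Seconds until the given fraction of vulnerable hosts is infected."""
    k = math.log(2) / doubling_time
    # invert the logistic closed form: f = 1 / (1 + A * exp(-k t))
    a = n_vulnerable / i0 - 1
    return math.log(a * frac / (1 - frac)) / k


def reaction_outcomes(reaction_times, n_vulnerable, i0, doubling_time):
    """Map each defender reaction time (seconds) to the fraction of the
    vulnerable population already infected when that reaction lands."""
    return {
        rt: infected_fraction(rt, n_vulnerable, i0, doubling_time)
        for rt in reaction_times
    }


if __name__ == "__main__":
    # Assumed, constructed parameters: 75,000 vulnerable hosts, one initial
    # infection, and a doubling time of 8.5 s (a Slammer-like scan rate).
    N, I0, DOUBLING = 75_000, 1, 8.5
    print("seconds to 90%% infected: %.0f" % time_to_fraction(0.9, N, I0, DOUBLING))
    # Reaction times: one minute, ten minutes, three hours.
    for rt, frac in reaction_outcomes([60, 600, 10_800], N, I0, DOUBLING).items():
        print("reaction after %6d s -> %.4f of vulnerable hosts infected" % (rt, frac))
```

With these assumptions the worm saturates in under three minutes, so a reaction that takes ten minutes (let alone three hours) arrives after essentially every vulnerable host is already infected, while a one-minute reaction would catch it at well under one percent.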

The reason it's likely such a superworm would be developed with support from a nation state, said the duo, is that it would require the additional resources that smaller, less well-funded groups lack. State-sponsored hackers would have the personnel and time to discover one or more "zero-day" vulnerabilities in Windows--so called because they would be vulnerabilities never before seen, and so without a patch--and thoroughly test the worm to make sure it could successfully infect a wide range of Windows operating systems.

Among the most likely candidates for a zero-day exploit, said Weaver and Paxson, is Windows' SMB/CIFS file-sharing service, which is used by all versions of Microsoft's operating system since Windows 98. SMB/CIFS is used for desktop file and print sharing, as well as by Windows file servers.

"SMB/CIFS makes a good target because it's on by default in most installs, it enables some exploits to connect without requiring authentication, any successful attack gains complete control of the machine, organizations cannot lightly disable it, and vulnerabilities [in it] have been discovered in the past," Weaver and Paxson said.

Worst-case worm makers could steal already-proven techniques, such as those used by 2001's Nimda worm, to first rapidly scan the Internet for vulnerable systems, then apply a mass-mailed version to penetrate internal networks secured at the gateway.

"Although it is probably impossible to estimate more precisely," said the researchers, "if released during U.S. business hours, it could infect all the vulnerable machines before a reaction is possible, as even the highly disruptive and detectable Slammer worm was effectively unperturbed for three hours."

Attackers with the right resources could dedicate months to testing their worm in order to ensure that it successfully infects as many different versions of Windows as possible. Historically, that's been one of the major flaws of most single-author or small-group worms, which may reliably attack Windows XP systems, for instance, but not work against Windows NT machines.

"Considerable attacker effort needs to be spent in testing [worm] components in a wide range of environments," said Weaver and Paxson. "The more diverse the testing, the more widely the resulting worm is likely to penetrate."

Once infected, machines could be directed to install a backdoor Trojan horse for deploying additional malicious payloads, randomly corrupt files, erase every drive found on the local machine and the network, and even corrupt the flash memory used by the PC's BIOS.

Weaver and Paxson investigated seven popular system and two motherboard manufacturers' wares, and found that, in a third of the cases, it's possible for a worm to cause enough damage that the motherboard would need to be replaced. The other two-thirds of the time, the BIOS could be restored, but that's "a complex procedure that's beyond the skills of most computer users and perhaps even many system administrators," said the researchers.

Businesses and government can take some steps to mitigate the damage that might be caused by a worst-case worm, including turning to SMB/CIFS-compatible servers, such as Samba, deploying mass-mailed worm defenses, disabling the BIOS reflash feature by setting jumpers on PC motherboards, and restricting desktop use of file sharing and other related services that might be exploited.

But with damages that range from a low estimate of $50 billion to as high as over $100 billion--depending on the breaks, so to speak--no strategy can make such a worm anything but a disaster of monumental proportions.

"Current defenses are not capable of dealing with threats of this magnitude," Weaver and Paxson said.
