Worst-Case Worm Could Rack Up $50 Billion In U.S. Damages

[InfoSec News <isn () c4i org>]

http://nwc.securitypipeline.com/showArticle.jhtml?articleID=21401701

By Gregg Keizer  
Courtesy of TechWeb News  
June 04, 2004

A worst-case worm attack on the U.S. could easily cost the country $50
billion in direct damages, a pair of security experts said Friday.

Nicholas Weaver and Vern Paxson, two security researchers who work
with the International Computer Science Institute (ICSI), a nonprofit
research group associated with the University of California at
Berkeley, modeled a worst-case scenario in which state-sponsored
attackers construct a worm exploiting an unpublished vulnerability,
then launch it over the Internet.

Weaver is a postdoctoral researcher at ICSI, while Paxson is also a
staff scientist at the Lawrence Berkeley National Laboratory.

"Although our estimates are at best approximations, a plausible
worst-case worm could cause $50 billion or more in direct economic
damage by attacking widely used services in Microsoft Windows and
carrying a highly destructive payload," said Weaver and Paxson in
their paper.

And that boggling economic disaster doesn't include secondary losses,
such as possible impacts on IT infrastructure, but only accounts for
loss productivity, lost data, damaged desktops and servers, and repair
expenses.

Weaver and Paxson make a number of assumptions to arrive at their
worst-case worm, including attackers with extensive resources, such as
those sponsored by an enemy nation state; the ability to sniff out an
as-yet-undiscovered vulnerability in Windows; and a resulting worm
that could spread so quickly that anti-virus firms wouldn't be able to
react in time with updated signatures before the majority of the
damage had been done.

"An electronic attack [of this magnitude] could cause widespread
economic damage by disrupting or even destroying a large fraction of
the computers responsible for day-to-day business," said Weaver and
Paxson. "It's not implausible to conceive of attacks that could
disrupt 50 million or more business computers."

By comparison, Weaver and Paxson said, last summer's MSBlast worm,
which exploited a vulnerability that was known for almost a month
before the worm appeared, infected a minimum of 8 million machines.

Worms would be the weapon of choice for such an attack, the
researchers said, because they can spread very quickly, as evidenced
by the Slammer worm of 2003, which managed to infect tens of thousands
of systems worldwide in less than ten minutes. Speed would be crucial
to any successful worst-case worm, since, once it's released, the race
begins against propagation and security firms' ability to create new
signature files to defend against the threat.

The reason it's likely such a superworm would be developed with
support from a nation state, said the duo, is that it would require
the additional resources that smaller, less well-funded groups lack.  
State-sponsored hackers would have the personnel and time to discover
one or more "zero-day" vulnerabilities in Windows-so called, because
they would be vulnerabilities never before seen, and so without a
patch--and thoroughly test the worm to make sure it could successfully
infect a wide range of Windows operating systems.

Among the most likely candidates for a zero-day exploit, said Weaver
and Paxson, is Windows' SMB/CIFS file-sharing service, which is used
by all versions of Microsoft's operating system since Windows 98.  
SMB/CIFS is used for desktop file and print sharing, and by Windows
files servers.

"SMB/CIFS makes a good target because it's on by default in most
installs, it enables some exploits to connect without requiring
authentication, any successful attack gains complete control of the
machine, organizations cannot lightly disable it, and vulnerabilities
[in it] have been discovered in the past," said Weaver and Paxson.

Worst-case worm makers could steal already proven techniques, such as
those used by 2001's Nimda worm, to first rapidly scan the Internet
for vulnerable systems, then apply a mass-mailed version to penetrate
internal networks secured at the gateway.

"Although it is probably impossible to estimate more precisely," said
the researchers, "if released during U.S. business hours, it could
infect all the vulnerable machines before a reaction is possible, as
even the highly disruptive and detectable Slammer worm was effectively
unperturbed for three hours."

Attackers with the right resources could dedicate months to testing
their worm in order to ensure that it successfully infects as many
different versions of Windows as possible. Historically, that's been
one of the major flaws of most single-author or small-group worms,
which may reliably attack Windows XP systems, for instance, but not
work against Windows NT machines.

"Considerable attacker effort needs to be spent in testing [worm]
components in a wide range of environments," said Weaver and Paxson.  
"The more diverse the testing, the more widely the resulting worm is
likely to penetrate."

Once infected, machines could be directed to install a backdoor Trojan
horse for deploying additional malicious payloads, randomly corrupt
files, erase all found drives on the local machine and the network,
and even corrupt the flash memory used by the PC's BIOS.

Weaver and Paxson investigated seven popular system and two
motherboard manufacturers' wares, and found that, in a third of the
cases, it's possible for a worm to cause enough damage that the
motherboard would need to be replaced. The other two-thirds of the
time, the BIOS could be restored, but that's "a complex procedure
that's beyond the skills of most computer users and perhaps even many
system administrators," said the researchers.

Businesses and government can take some steps to mitigate the damage
that might be caused by a worst-case worm, including turning to
SMB/CIFS-compatible servers, such as Samba, deploying mass-mailed worm
defenses, disabling the BIOS reflash feature by setting jumpers on PC
motherboards, and restricting desktop use of file sharing and other
related services that might be exploited.

But with damages that range from a low estimate of $50 billion to as
high as over $100 billion--depending on the breaks, so to speak--no
strategy can make such a worm anything but a disaster of monumental
proportions.

"Current defenses are not capable of dealing with threats of this
magnitude," said Weaver and Paxson.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org