http://nwc.securitypipeline.com/showArticle.jhtml?articleID=21401701

By Gregg Keizer
Courtesy of TechWeb News
June 04, 2004

A worst-case worm attack on the U.S. could easily cost the country $50 billion in direct damages, a pair of security experts said Friday.

Nicholas Weaver and Vern Paxson, two security researchers who work with the International Computer Science Institute (ICSI), a nonprofit research group associated with the University of California at Berkeley, modeled a worst-case scenario in which state-sponsored attackers construct a worm exploiting an unpublished vulnerability, then launch it over the Internet. Weaver is a postdoctoral researcher at ICSI, while Paxson is also a staff scientist at the Lawrence Berkeley National Laboratory.

"Although our estimates are at best approximations, a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely used services in Microsoft Windows and carrying a highly destructive payload," said Weaver and Paxson in their paper.

And that boggling economic disaster doesn't include secondary losses, such as possible impacts on IT infrastructure, but only accounts for lost productivity, lost data, damaged desktops and servers, and repair expenses.

Weaver and Paxson make a number of assumptions to arrive at their worst-case worm, including attackers with extensive resources, such as those sponsored by an enemy nation state; the ability to sniff out an as-yet-undiscovered vulnerability in Windows; and a resulting worm that could spread so quickly that anti-virus firms wouldn't be able to react in time with updated signatures before the majority of the damage had been done.

"An electronic attack [of this magnitude] could cause widespread economic damage by disrupting or even destroying a large fraction of the computers responsible for day-to-day business," said Weaver and Paxson.
"It's not implausible to conceive of attacks that could disrupt 50 million or more business computers."

By comparison, Weaver and Paxson said, last summer's MSBlast worm, which exploited a vulnerability that was known for almost a month before the worm appeared, infected a minimum of 8 million machines.

Worms would be the weapon of choice for such an attack, the researchers said, because they can spread very quickly, as evidenced by the Slammer worm of 2003, which managed to infect tens of thousands of systems worldwide in less than ten minutes. Speed would be crucial to any successful worst-case worm, since, once it's released, the race begins between propagation and security firms' ability to create new signature files to defend against the threat.

The reason it's likely such a superworm would be developed with support from a nation state, said the duo, is that it would require the additional resources that smaller, less well-funded groups lack. State-sponsored hackers would have the personnel and time to discover one or more "zero-day" vulnerabilities in Windows (so called because they would be vulnerabilities never before seen, and so without a patch) and thoroughly test the worm to make sure it could successfully infect a wide range of Windows operating systems.

Among the most likely candidates for a zero-day exploit, said Weaver and Paxson, is Windows' SMB/CIFS file-sharing service, which is used by all versions of Microsoft's operating system since Windows 98. SMB/CIFS is used for desktop file and print sharing, and by Windows file servers.

"SMB/CIFS makes a good target because it's on by default in most installs, it enables some exploits to connect without requiring authentication, any successful attack gains complete control of the machine, organizations cannot lightly disable it, and vulnerabilities [in it] have been discovered in the past," said Weaver and Paxson.
Worst-case worm makers could steal already proven techniques, such as those used by 2001's Nimda worm, to first rapidly scan the Internet for vulnerable systems, then apply a mass-mailed version to penetrate internal networks secured at the gateway.

"Although it is probably impossible to estimate more precisely," said the researchers, "if released during U.S. business hours, it could infect all the vulnerable machines before a reaction is possible, as even the highly disruptive and detectable Slammer worm was effectively unperturbed for three hours."

Attackers with the right resources could dedicate months to testing their worm in order to ensure that it successfully infects as many different versions of Windows as possible. Historically, that's been one of the major flaws of most single-author or small-group worms, which may reliably attack Windows XP systems, for instance, but not work against Windows NT machines.

"Considerable attacker effort needs to be spent in testing [worm] components in a wide range of environments," said Weaver and Paxson. "The more diverse the testing, the more widely the resulting worm is likely to penetrate."

Once infected, machines could be directed to install a backdoor Trojan horse for deploying additional malicious payloads, randomly corrupt files, erase all found drives on the local machine and the network, and even corrupt the flash memory used by the PC's BIOS. Weaver and Paxson investigated seven popular system and two motherboard manufacturers' wares, and found that, in a third of the cases, it's possible for a worm to cause enough damage that the motherboard would need to be replaced. The other two-thirds of the time, the BIOS could be restored, but that's "a complex procedure that's beyond the skills of most computer users and perhaps even many system administrators," said the researchers.
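The race between propagation and signature updates described above, put into numbers as an added example that is not from the article or from Weaver and Paxson's paper. It uses the standard random-constant-spread (logistic) model of a scanning worm; the 50 million vulnerable hosts and the three-hour reaction delay are the article's figures, while the 1 probe per second scan rate and the single seed host are assumptions.

```python
import math


def spread_rate(scans_per_second, vulnerable_hosts, address_space=2 ** 32):
    """Contact rate k of the random-constant-spread worm model: each infected
    host probes random addresses, and a probe hits a vulnerable host with
    probability vulnerable_hosts / address_space."""
    return scans_per_second * vulnerable_hosts / address_space


def infected_fraction(t, k, i0):
    """Closed-form solution of di/dt = k * i * (1 - i), i(0) = i0: the
    fraction of the vulnerable population infected t seconds after release."""
    return 1.0 / (1.0 + ((1.0 - i0) / i0) * math.exp(-k * t))


def time_to_fraction(target, k, i0):
    """Seconds until the infected fraction first reaches `target`."""
    return math.log((target / (1.0 - target)) * ((1.0 - i0) / i0)) / k


def reaction_window(scans_per_second, vulnerable_hosts, reaction_seconds):
    """Compare a signature-based defence that needs `reaction_seconds` to
    ship an update against the worm's own timeline: how much of the
    population is already infected when the update lands, and when the
    worm had reached 90% of the vulnerable hosts."""
    k = spread_rate(scans_per_second, vulnerable_hosts)
    i0 = 1.0 / vulnerable_hosts  # a single seed host (assumption)
    return {
        "infected_at_reaction": infected_fraction(reaction_seconds, k, i0),
        "seconds_to_90_percent": time_to_fraction(0.9, k, i0),
    }


if __name__ == "__main__":
    # Constructed scenario: 50 million vulnerable Windows hosts (the figure
    # quoted in the article), a deliberately modest 1 probe/s per infected
    # host (assumed), and a three-hour reaction delay (the Slammer figure).
    r = reaction_window(scans_per_second=1.0, vulnerable_hosts=50e6,
                        reaction_seconds=3 * 3600)
    print(f"90% infected after {r['seconds_to_90_percent'] / 60:.0f} min; "
          f"{r['infected_at_reaction']:.4%} infected when signatures arrive")
```

Even at one probe per second the model saturates 50 million hosts in well under an hour, which is why the article treats signature reaction time as irrelevant to a worm of this class.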
Businesses and government can take some steps to mitigate the damage that might be caused by a worst-case worm, including turning to SMB/CIFS-compatible servers, such as Samba, deploying mass-mailed worm defenses, disabling the BIOS reflash feature by setting jumpers on PC motherboards, and restricting desktop use of file sharing and other related services that might be exploited.

But with damages that range from a low estimate of $50 billion to as high as over $100 billion, depending on the breaks, so to speak, no strategy can make such a worm anything but a disaster of monumental proportions.

"Current defenses are not capable of dealing with threats of this magnitude," said Weaver and Paxson.

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
This archive was generated by hypermail 2b30 : Mon Jun 07 2004 - 03:56:56 PDT