[ISN] Worst-Case Worm Could Rack Up $50 Billion In U.S. Damages

From: InfoSec News (isn@private)
Date: Sun Jun 06 2004 - 23:38:35 PDT


    http://nwc.securitypipeline.com/showArticle.jhtml?articleID=21401701
    
    By Gregg Keizer  
    Courtesy of TechWeb News  
    June 04, 2004
    
    A worst-case worm attack on the U.S. could easily cost the country $50
    billion in direct damages, a pair of security experts said Friday.
    
    Nicholas Weaver and Vern Paxson, two security researchers who work
    with the International Computer Science Institute (ICSI), a nonprofit
    research group associated with the University of California at
    Berkeley, modeled a worst-case scenario in which state-sponsored
    attackers construct a worm exploiting an unpublished vulnerability,
    then launch it over the Internet.
    
    Weaver is a postdoctoral researcher at ICSI, while Paxson is also a
    staff scientist at the Lawrence Berkeley National Laboratory.
    
    "Although our estimates are at best approximations, a plausible
    worst-case worm could cause $50 billion or more in direct economic
    damage by attacking widely used services in Microsoft Windows and
    carrying a highly destructive payload," said Weaver and Paxson in
    their paper.
    
    And that boggling figure covers only direct losses: lost productivity,
    lost data, damaged desktops and servers, and repair expenses. It does
    not include secondary losses, such as possible impacts on IT
    infrastructure.
    
    Weaver and Paxson make a number of assumptions to arrive at their
    worst-case worm, including attackers with extensive resources, such as
    those sponsored by an enemy nation state; the ability to sniff out an
    as-yet-undiscovered vulnerability in Windows; and a resulting worm
    that could spread so quickly that anti-virus firms wouldn't be able to
    react in time with updated signatures before the majority of the
    damage had been done.
    
    "An electronic attack [of this magnitude] could cause widespread
    economic damage by disrupting or even destroying a large fraction of
    the computers responsible for day-to-day business," said Weaver and
    Paxson. "It's not implausible to conceive of attacks that could
    disrupt 50 million or more business computers."
    
    By comparison, Weaver and Paxson said, last summer's MSBlast worm,
    which exploited a vulnerability that was known for almost a month
    before the worm appeared, infected a minimum of 8 million machines.
    
    Worms would be the weapon of choice for such an attack, the
    researchers said, because they can spread very quickly, as evidenced
    by the Slammer worm of 2003, which managed to infect tens of thousands
    of systems worldwide in less than ten minutes. Speed would be crucial
    to any successful worst-case worm, since, once it's released, the race
    begins against propagation and security firms' ability to create new
    signature files to defend against the threat.
    
    The reason it's likely such a superworm would be developed with
    support from a nation state, said the duo, is that it would require
    additional resources that smaller, less well-funded groups lack.
    State-sponsored hackers would have the personnel and time to discover
    one or more "zero-day" vulnerabilities in Windows--so called because
    they would be vulnerabilities never before seen, and so without a
    patch--and thoroughly test the worm to make sure it could successfully
    infect a wide range of Windows operating systems.
    
    Among the most likely candidates for a zero-day exploit, said Weaver
    and Paxson, is Windows' SMB/CIFS file-sharing service, which is used
    by all versions of Microsoft's operating system since Windows 98.
    SMB/CIFS is used for desktop file and print sharing, and by Windows
    file servers.
    
    "SMB/CIFS makes a good target because it's on by default in most
    installs, it enables some exploits to connect without requiring
    authentication, any successful attack gains complete control of the
    machine, organizations cannot lightly disable it, and vulnerabilities
    [in it] have been discovered in the past," said Weaver and Paxson.
    
    Worst-case worm makers could steal already proven techniques, such as
    those used by 2001's Nimda worm, to first rapidly scan the Internet
    for vulnerable systems, then apply a mass-mailed version to penetrate
    internal networks secured at the gateway.
    
    "Although it is probably impossible to estimate more precisely," said
    the researchers, "if released during U.S. business hours, it could
    infect all the vulnerable machines before a reaction is possible, as
    even the highly disruptive and detectable Slammer worm was effectively
    unperturbed for three hours."
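    The race between propagation and signature response that the two
    passages above describe can be made concrete with the logistic
    "random-constant-spread" model that Staniford, Paxson and Weaver
    used to describe Code Red and Slammer. What follows is an added
    example written for this page; it is not code from the article or
    from the Weaver/Paxson paper. The 50 million vulnerable hosts and the
    three-hour reaction window are taken from the article; every scan
    rate, population size and hit-list size is an assumption chosen for
    illustration.

```python
"""Added example for this page (not from the article or the Weaver/Paxson
paper): the random-constant-spread (RCS) logistic model of a scanning
worm, used to compare worm propagation against defender reaction time.
All parameter values used here are assumptions for illustration."""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner chooses from


def contact_rate(scans_per_sec, vulnerable_hosts, address_space=ADDRESS_SPACE):
    """K: infections per second that one infected host causes while the
    population is still almost entirely uninfected, i.e. its scan rate
    times the probability that a random address is vulnerable."""
    return scans_per_sec * vulnerable_hosts / address_space


def infected_fraction(t, K, a0):
    """Closed-form solution of da/dt = K * a * (1 - a) with a(0) = a0,
    written so that a large K*t cannot overflow math.exp."""
    return 1.0 / (1.0 + (1.0 - a0) / a0 * math.exp(-K * t))


def time_to_fraction(target, K, a0):
    """Seconds until the infected fraction first reaches `target`
    (the inverse of infected_fraction)."""
    return math.log(target * (1.0 - a0) / (a0 * (1.0 - target))) / K


def race(scans_per_sec, vulnerable_hosts, seeds, reaction_seconds):
    """Model one worm against one defender.  `seeds` is the number of hosts
    infected at release (1 for a single launch point, more for a hit list).
    Returns the time to infect 99% of vulnerable hosts and the fraction
    already infected when the defender's reaction takes effect."""
    K = contact_rate(scans_per_sec, vulnerable_hosts)
    a0 = seeds / vulnerable_hosts
    return {
        "K": K,
        "t99_seconds": time_to_fraction(0.99, K, a0),
        "infected_at_reaction": infected_fraction(reaction_seconds, K, a0),
    }


if __name__ == "__main__":
    THREE_HOURS = 3 * 3600  # reaction window the article quotes for Slammer
    scenarios = {
        # Slammer-like (assumed): ~75,000 vulnerable hosts, ~4,000 UDP
        # scans per second per host, a single launch point.
        "slammer-like": race(4000, 75_000, 1, THREE_HOURS),
        # Hypothetical SMB worm (assumed): the article's 50 million
        # vulnerable hosts, only 10 TCP scans per second per host, and a
        # 1,000-host hit list gathered before release.
        "smb-worst-case": race(10, 50_000_000, 1000, THREE_HOURS),
    }
    for name, r in scenarios.items():
        print(f"{name}: K={r['K']:.3f}/s, 99% infected after "
              f"{r['t99_seconds'] / 60:.1f} min, "
              f"{r['infected_at_reaction'] * 100:.1f}% infected at reaction time")
```

    The model ignores bandwidth saturation, which is what slowed the real
    Slammer once it had consumed its victims' uplinks, so its minutes-scale
    figures are optimistic for the attacker. The point of the comparison
    survives that caveat: under either set of assumptions the vulnerable
    population is saturated long before a three-hour signature cycle can
    take effect, and a slower TCP-based SMB worm closes the gap simply by
    having far more targets and a hit list to start from.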
    
    Attackers with the right resources could dedicate months to testing
    their worm in order to ensure that it successfully infects as many
    different versions of Windows as possible. Historically, that's been
    one of the major flaws of most single-author or small-group worms,
    which may reliably attack Windows XP systems, for instance, but not
    work against Windows NT machines.
    
    "Considerable attacker effort needs to be spent in testing [worm]
    components in a wide range of environments," said Weaver and Paxson.  
    "The more diverse the testing, the more widely the resulting worm is
    likely to penetrate."
    
    Once infected, machines could be directed to install a backdoor Trojan
    horse for deploying additional malicious payloads, randomly corrupt
    files, erase all found drives on the local machine and the network,
    and even corrupt the flash memory used by the PC's BIOS.
    
    Weaver and Paxson investigated seven popular system and two
    motherboard manufacturers' wares, and found that, in a third of the
    cases, it's possible for a worm to cause enough damage that the
    motherboard would need to be replaced. The other two-thirds of the
    time, the BIOS could be restored, but that's "a complex procedure
    that's beyond the skills of most computer users and perhaps even many
    system administrators," said the researchers.
    
    Businesses and government can take some steps to mitigate the damage
    that might be caused by a worst-case worm, including turning to
    SMB/CIFS-compatible servers, such as Samba, deploying mass-mailed worm
    defenses, disabling the BIOS reflash feature by setting jumpers on PC
    motherboards, and restricting desktop use of file sharing and other
    related services that might be exploited.
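    A check for the last of those mitigations, restricting desktop file
    sharing, as an added example for this page rather than code from the
    article or the paper: it parses nmap's grepable output (`-oG`) for
    hosts answering on TCP 139 and 445, the SMB/CIFS ports, and flags any
    that are not on an allow-list of designated file servers. The scan
    output embedded below is constructed sample data, and the
    `allowed_servers` parameter and the host names in it are assumptions.

```python
"""Added example for this page (not from the article or the paper): find
hosts that still answer on the SMB/CIFS ports by parsing nmap's grepable
output, e.g. from `nmap -p 139,445 -oG smb.gnmap 10.0.1.0/24`."""
import re

SMB_TCP_PORTS = {139, 445}  # NetBIOS session service, direct-host SMB
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")  # port/state/proto/ prefix of an entry

# Constructed sample in nmap -oG layout (fields are tab-separated); not a
# real scan.
SAMPLE = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 10.0.1.15 ()\tStatus: Up\n"
    "Host: 10.0.1.15 ()\tPorts: 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 10.0.1.16 ()\tPorts: 445/filtered/tcp//microsoft-ds///"
    "\tIgnored State: closed (999)\n"
    "Host: 10.0.1.20 (fs01.example.internal)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 10.0.1.21 ()\tPorts: 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (999)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Yield (ip, hostname, {(port, proto): state}) for each 'Ports:' line."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])
        ip, name = m.group(1), m.group(2)
        ports = {}
        for entry in fields["Ports"].split(", "):
            pm = PORT_RE.match(entry.strip())
            if pm:
                ports[(int(pm.group(1)), pm.group(3))] = pm.group(2)
        yield ip, name, ports


def smb_exposed(text, allowed_servers=()):
    """Return [(ip, hostname, [open SMB ports])] for hosts with 139 or 445
    open over TCP, excluding hosts named (by IP or hostname) in
    `allowed_servers`, the designated file servers that must keep SMB."""
    findings = []
    for ip, name, ports in parse_grepable(text):
        open_smb = sorted(port for (port, proto), state in ports.items()
                          if proto == "tcp" and port in SMB_TCP_PORTS
                          and state == "open")
        if open_smb and ip not in allowed_servers and name not in allowed_servers:
            findings.append((ip, name, open_smb))
    return findings


if __name__ == "__main__":
    for ip, name, open_ports in smb_exposed(SAMPLE, {"fs01.example.internal"}):
        print(f"{ip} {name or '-'}: SMB reachable on tcp/{open_ports}")
```

    A "filtered" result (10.0.1.16 in the sample) is deliberately not
    counted as a finding, since a host firewall that drops the SMB ports
    is exactly the restriction the paragraph recommends; only hosts that
    complete the TCP handshake on 139 or 445 are worth chasing, and the
    allow-list keeps the real file servers out of the report.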
    
    But with damages that range from a low estimate of $50 billion to as
    high as over $100 billion--depending on the breaks, so to speak--no
    strategy can make such a worm anything but a disaster of monumental
    proportions.
    
    "Current defenses are not capable of dealing with threats of this
    magnitude," said Weaver and Paxson.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    