The $50 Billion Worm
"...could destroy the computers responsible for day-to-day business."
The Study
At the International Computer Science Institute in Berkeley, California, researchers predict that a computer worm could cause $50 billion in direct economic damage to the US alone. The study, released on May 5th, 2004 by researchers Nicholas Weaver and Vern Paxson, describes how a plausible worst-case worm (a malicious, self-propagating network program) could cause at least $50 billion in direct economic damage in the United States simply by attacking "widely-used services in Microsoft Windows" and carrying a highly destructive payload.
Assessing The Damage
According to the study, a worm might obtain initial penetration of corporate intranets and Windows domains using techniques that the Nimda worm, for example, used very successfully. First, it could spread rapidly across the entire Internet using a scanning technique, and then fall back on various "secondary modes" such as encasing the worm in an email attachment or infecting web servers that can in turn infect browsers even inside internal networks. Other approaches could use "little-known vulnerabilities" in external services such as the Microsoft Internet Information Server (IIS) web server. A final approach could take advantage of notebooks and wireless access cards.
As soon as the worm "compromises the machine", the total cost of the damage can accumulate from any of the four sources listed below. It is, of course, assumed that the attacker will want to maximize all of these costs by using a "highly malicious payload". The totals given below are based on a set of baseline assumptions of 2 days lost, 10% permanent data loss, and 10% permanent BIOS damage. The researchers consider these conservative figures, since they only attempted to estimate direct costs using what they believe were conservative parameter values in their model:
• Total cost of $52 billion for restoring attacked systems to normal operation
• Total cost of $80 billion that is lost to increased downtime
• Total value of $62 billion for any data that is permanently lost
• Total cost of $65 billion due to the hardware irrevocably damaged by BIOS corruption
The researchers admit that their model's biggest limitation is its inability to "evaluate possible damage to critical infrastructure, as there is a nonnegligible chance that such a worm might also affect the power grid, hospital systems, telecommunications, or other systems."
The Slammer worm, for example, managed to infect an off-line nuclear power plant control computer, and to disrupt the 911 system of Bellevue, Washington and Bank of America teller machines. The Welchia worm "managed to directly infect Diebold ATMs, and disrupt the Navy-Marine Corps Intranet while the United States was engaged in substantial military action." All of these events are documented further in the study.
This kind of "worst-case scenario" attack plausibly represents (at least) fifty billion dollars in direct damages alone. The additional, difficult-to-estimate indirect damages could quite possibly be large. The costs of even non-violent attacks would cause serious harm to the United States economy. This is of particular interest to parties such as other nation states or groups competing economically with the United States, as well as terrorist organizations.
Who's Responsible For All This?
Primary responsibility, of course, goes to the attacker. But is this a shared culpability?
The attacker could be a single hacker, an organized group, or even a nation state. Certainly they would need extensive resources. In any case, for the purposes of this study, the attacker is assumed to have the specific goal of causing as much economic damage as possible to both commercial and governmental computing infrastructure.
However, even the weakest of attacks can become lethal, if it is aided and abetted by the victim.
The study points out the most widely-used service to exploit is Microsoft Windows SMB/CIFS file sharing. This service acts as a server, and is "included as part of all Windows distributions since Windows 98, although the Windows 98 family (98/ME) and the NT family (NT/2K/XP) use different implementations." This service is used usually by corporate intranets internally to enable file sharing, printer sharing, and by centralized Windows file servers.
There are several factors that make the Microsoft Windows SMB/CIFS particularly attractive to attackers who know any SMB/CIFS exploits which enable arbitrary remote execution:
• SMB/CIFS is turned on, by default, on most installs
• It is widely deployed across the world
• It affects both servers and workstations allowing an attacker to target an entire corporate or governmental computing infrastructure in a single attack
• Allows default anonymous login capabilities so that connections can be made without any authentication
• Workstations can authenticate using other workstations instead of using the servers within a domain
• Vulnerabilities have been discovered and documented publicly in the past
• Complete control of the machine is possible since the SMB server runs at "ring 0" permission level as part of the Windows operating system kernel
• Since the service is on-by-default, any newly discovered exploit automatically makes all Windows PCs vulnerable
• File sharing is considered critical by many organizations, which therefore cannot lightly disable it
• Any newly discovered exploit could still target all Windows systems, regardless of whether they are properly patched and maintained
• After a worm compromises a PC, it can query the local Windows domain controller for a complete list of all the local PCs in the domain and can then quickly compromise all those PCs within seconds
As late as the summer of 2003, a major vulnerability that allowed arbitrary remote execution was discovered in the SMB/CIFS service. The attacker only had to be authenticated in the domain to gain remote control over the target machine. Similar exposures such as the Remote Procedure Call (RPC) vulnerability used in the Blaster worm could have also been used as the basis for this study.
What Can Be Done?
The study points out that the defenses most individuals and organizations have in place today "are not capable of dealing with threats of this magnitude." It points out that the signature-based scanning used by most anti-virus scanners is both easily evaded and unable to detect new worms. In addition, most intrusion-detection systems deployed to protect organizations from external attack probably won't help, since the worm will infect the local intranet over an internal connection. A good example of that would be a "trusted connection" made by a corporate executive's notebook PC.
Email attachments are certainly one of the most popular ways of spreading viruses, trojans and worms. However, these are probably the easiest to deal with. They can be largely eliminated by running virus scanning on all incoming email and quarantining all attachments (executables, etc.) for a reasonable amount of time. The study suggests the quarantine period should be long enough for the anti-virus signature files to be updated when a new virus, trojan horse, or worm appears.
Additional filters can also be deployed that search for unusual characteristics. For example, a scanner can be enabled that detects unusually long strings in headers which may be required by exploits targeting email readers or internet browsers. The study suggests that such messages could then be quarantined or modified before being forwarded.
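The two mail-gateway measures described above, quarantining executable attachments and flagging abnormally long header values, as an added example. This is not code from the study or the article; the extension list, the length threshold (the RFC 5322 line limit) and the three sample messages are constructed assumptions.

```python
"""Added example: a minimal mail-gateway filter for the defenses described
in the text. Not from the study; thresholds and samples are assumptions."""
import email
from email import policy

# Assumed policy knobs (not from the study).
MAX_HEADER_LEN = 998  # RFC 5322 line limit; a longer single value is suspect
QUARANTINE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def parse(raw):
    """Parse raw RFC 822 bytes into an EmailMessage (modern policy)."""
    return email.message_from_bytes(raw, policy=policy.default)


def long_headers(msg, limit=MAX_HEADER_LEN):
    """Return (header name, length) for every header, in every MIME part,
    whose decoded value is longer than `limit`."""
    found = []
    for part in msg.walk():
        for name, value in part.items():
            if len(str(value)) > limit:
                found.append((name, len(str(value))))
    return found


def executable_attachments(msg):
    """Return filenames of attachments whose extension is on the quarantine list."""
    names = []
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in QUARANTINE_EXTENSIONS):
            names.append(part.get_filename())
    return names


def classify(raw):
    """Gateway decision: 'quarantine' (executable attached), 'flag'
    (oversized header, hold for inspection) or 'deliver'."""
    msg = parse(raw)
    if executable_attachments(msg):
        return "quarantine"
    if long_headers(msg):
        return "flag"
    return "deliver"


# Constructed sample messages (not real mail).
_HEAD = b"From: alice@example.invalid\r\nTo: bob@example.invalid\r\nMIME-Version: 1.0\r\n"

SAMPLE_CLEAN = (
    _HEAD + b"Subject: Quarterly report\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee the attached report.\r\n"
    b'--b1\r\nContent-Type: application/pdf; name="report.pdf"\r\n'
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nJVBERi0xLjQK\r\n--b1--\r\n"
)

SAMPLE_EXE = (
    _HEAD + b"Subject: Important update\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nRun the attached installer.\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="update.exe"\r\n'
    b'Content-Disposition: attachment; filename="update.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b1--\r\n"
)

# A 1200-character Subject: the "unusually long string in a header" case.
SAMPLE_LONG = _HEAD + b"Subject: " + b"A" * 1200 + b"\r\n\r\nhello\r\n"

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("exe", SAMPLE_EXE), ("long", SAMPLE_LONG)):
        print(label, "->", classify(raw))
```

A real gateway would also look inside archives and check the MIME part bodies, but the decision structure is the one the text describes: hold executables until signatures catch up, and hold or rewrite messages whose headers are shaped like exploit payloads rather than mail.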
Of course, the substantially harder task is preventing a worm that uses Microsoft Windows SMB/CIFS or similar technologies from spreading throughout an organization's trusted intranet. All PCs could be prevented from reaching any other PC's file sharing and related services. File or printer services should be allowed only on dedicated administrative machines running no other services at all. This prevents an infected desktop or notebook workstation or server from compromising others.
The study points out, however, that probably the best defense "requires restricting the network topology either at the switches or using desktop firewalls." The researchers also note that this might not be palatable to some users (like maybe top corporate executives). However, this offers a substantial defense.
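The restricted topology described in the last two paragraphs (workstations talk SMB only to dedicated file servers) also gives a defender something concrete to monitor: any workstation-to-workstation SMB connection is a policy violation, and a host that opens SMB connections to many distinct peers within seconds is behaving like the domain-list-driven spread described earlier under "Who's Responsible For All This?". The checker below is an added example, not code from the study or the article; the host roles, the window and threshold, and the flow records are constructed assumptions.

```python
"""Added example: offline SMB lateral-movement checks over constructed flow
records. Not from the study; roles, thresholds and records are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Assumed inventory: the only hosts allowed to serve SMB. Everything else is
# treated as a workstation.
ROLES = {
    "10.0.1.10": "fileserver",
    "10.0.1.11": "fileserver",
}


def role(ip):
    return ROLES.get(ip, "workstation")


# Constructed flow records: "<ISO timestamp> <src> <dst> <dport>"
SAMPLE_FLOWS = """\
2004-05-05T09:00:00 10.0.2.21 10.0.1.10 445
2004-05-05T09:00:05 10.0.2.22 10.0.1.11 445
2004-05-05T09:00:07 10.0.2.21 10.0.9.9 80
2004-05-05T09:01:00 10.0.2.23 10.0.2.24 445
2004-05-05T09:01:01 10.0.2.23 10.0.2.25 445
2004-05-05T09:01:01 10.0.2.23 10.0.2.26 139
2004-05-05T09:01:02 10.0.2.23 10.0.2.27 445
2004-05-05T09:01:02 10.0.2.23 10.0.2.28 445
2004-05-05T09:01:03 10.0.2.23 10.0.2.29 445
2004-05-05T09:30:00 10.0.2.22 10.0.2.21 445
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return rows


def peer_to_peer_smb(flows):
    """SMB connections between two workstations: forbidden under the
    restricted topology, so each one is a finding."""
    return [
        (src, dst)
        for _, src, dst, dport in flows
        if dport in SMB_PORTS and role(src) == "workstation" and role(dst) == "workstation"
    ]


def smb_fanout(flows, window=timedelta(seconds=10), threshold=5):
    """Sources that reach at least `threshold` distinct SMB peers inside any
    `window`. Returns {src: max distinct peers seen in one window}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        best = 0
        for i, (t0, _) in enumerate(events):
            # Distinct peers contacted in the window starting at this event.
            peers = {dst for ts, dst in events[i:] if ts - t0 <= window}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("workstation-to-workstation SMB:", peer_to_peer_smb(flows))
    print("SMB fan-out alerts:", smb_fanout(flows))
```

In the sample, 10.0.2.23 contacts six other workstations over SMB within three seconds and trips both checks, while the single 10.0.2.22 to 10.0.2.21 connection is only a topology violation. The first check is the one that matters once the switch or desktop-firewall restrictions are in place, because every hit then means either a misconfiguration or something the restriction failed to stop.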
Conclusion
To mitigate the potential damage from a "worst-case worm", the researchers point out the various defenses that can be implemented such as:
• Protecting BIOSes
• Complete and "Solid" Backups
• Email-Worm Defenses
• Reducing Mono-Cultures
• Modifying Network Topologies
• Implementing Firewalls on Every Desktop
In addition, they note that even though there are other vulnerable "ecologies" that can support widespread worms, Microsoft Windows SMB/CIFS (and the related Windows RPC service) is "particularly ubiquitous, and therefore a highly attractive target meriting somewhat specialized defenses."
Downloading
This study has been released to the general public, after the authors "elided certain how-to details...worked out privately that might materially help an attacker". The study is in Adobe Portable Document Format (PDF), and you will need Adobe's Acrobat Reader installed on your computer to read it.
Download Study in PDF Format - http://www.dtc.umn.edu/weis2004/weaver.pdf
If you don't have Adobe Acrobat Reader installed on your PC, you can download it at:
Adobe's Main Web Site - http://www.adobe.com
Thomas Straub
http://antispyware.topsoftwareinfo.com
Copyright © 2003 - 2008 URL.biz. All rights reserved.