Experts say one carefully planned worm attack could cost U.S. businesses more than the gross domestic product of Guatemala within a few hours.

Some of the folks who predicted, accurately it turned out, that the Internet would be subject to “Warhol Worms” are at it again. This time they say one carefully planned worm attack could cost U.S. businesses more than the gross domestic product of Guatemala within a few hours.

In their latest paper, “A Worst-Case Worm”, researchers Nicholas Weaver and Vern Paxson explored the possible worst-case damages from an Internet-based worm attack on Windows. They assumed that the attackers would be working for a country that wanted to cause economic harm to the U.S. (there do seem to be more than a few candidate countries these days) and use an unreported vulnerability in Windows.

They also assumed the attack would be designed to do as much harm as it could, including destroying the data on the disk and destroying the boot ROM where possible. They say the worm would be programmed to use different attacks on different vendors’ systems and be smart enough to recognize that it had infected a laptop but not destroy it until the laptop was reconnected to a network, such as one behind a corporate firewall.

Such an attack could infect as many as 50 million computers far faster than the vendors of virus checkers could react. Even though the authors put the cost of damage to home PCs at zero, they came up with the estimate of $50 billion worth of damage for one well-planned attack. The damages could be a lot higher. Stuart Staniford, co-author with Weaver and Paxson of the “Warhol Worm” paper (see “Doing better than Andy”), felt that damages could be “substantially larger.”

The estimate in the paper was discussed on the Nanog mailing list and some people disagreed with the $50 billion estimate. But even if the actual damages were only half that, we still are talking about real money.

So now we are scared. What should we do?

The authors of the article do not offer any magic shields. They suggest that the ability to rewrite boot ROMs be physically disabled where possible, but that’s a lot of work and only reduces the potential impact.

The hypothetical attack in the article used a yet-to-be-discovered flaw in Windows SMB/CIFS file sharing. But SMB/CIFS is at least as much of an example of the kind of target as it is a prediction. As we find out constantly, there are many possible targets in a system as complex as Windows.

Not to be a fatalist, but I don’t see any way to eliminate the risk of a major attack like the one Weaver and Paxson describe anytime soon. Microsoft (finally) has internalized the message that security is more important than ease of use when ease of use, as interpreted by Microsoft, has meant leaving the barn door open by default.

A major message from Microsoft’s current security road show is that Windows XP Service Pack II disables rather than enables things by default. That will help, but Windows is complex and there are many security holes yet to be discovered.

Disclaimer: Even for Harvard, $50 billion is real money, but the university did not comment on this topic – I did.