The following text is copyright 2004 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.
Estimating the cost of a Windows Armageddon
By Scott Bradner
Some of the folks who predicted, accurately it turned out, that the Internet would be subject to "Warhol Worms" are at it again. This time they predict that a single carefully planned worm attack could cost US businesses more than the gross domestic product of Guatemala within a few hours.
In their latest paper, "A Worst-Case Worm" (http://www.icir.org/vern/papers/worst-case-worm.WEIS04.pdf), Nicholas Weaver and Vern Paxson explore the possible "worst case" damages from an Internet-based worm attack on the Windows operating system. They assumed that the attackers would be working for a country that wanted to cause economic harm to the US (there do seem to be more than a few candidate countries these days) and would use an as-yet-unreported vulnerability in Windows. They also assumed that the attack would be designed to do as much harm as it could, including destroying the data on the disk and destroying the boot ROM where possible, and that the worm would be programmed to use different attacks on different vendors' systems. The worm would also be smart enough to recognize that it had infected a laptop and not destroy the laptop until it was reconnected to a network, for example, a network behind a corporate firewall. Such an attack could infect as many as 50 million computers far faster than the vendors of virus checkers could react.
Even though the authors put the cost of damage to home PCs at zero, they came up with an estimate of $50 billion worth of damage for a single well-planned attack. The damages could be a lot higher. Stuart Staniford, a coauthor with Weaver and Paxson of the "Warhol Worm" paper (see "Doing better than Andy," http://www.nwfusion.com/columnists/2003/0210bradner.html), felt that damages could be "substantially larger."
The estimate was discussed on the Nanog mailing list (http://www.merit.edu/mail.archives/nanog/index.html) and some people disagreed with the $50 billion estimate, but even if the actual damages were only half of that, we are still talking about real money here.
So now we are scared, what should you do? The article's authors do not offer any magic shields. They do suggest that the ability to rewrite boot ROMs be physically disabled where possible, but that is not possible in all systems, it's a lot of work to do, and it only reduces the potential impact. The hypothetical attack in the article used a yet-to-be-discovered flaw in Windows SMB/CIFS file sharing. But SMB/CIFS is at least as much of an example of the kind of target as it is a prediction. As we find out constantly, there are many possible targets in a system as complex as Windows.
Not to be a fatalist, but I do not see any way to eliminate the risk of a major attack like the one that Weaver and Paxson describe anytime soon. I do think that Microsoft has (finally) internalized the message that security is more important than ease of use when ease of use, as interpreted by Microsoft, has meant leaving the barn door open by default. A major message from Microsoft's current security road show is that Windows XP Service Pack II disables rather than enables things by default. That will help but Windows is complex and there are many security holes yet to be discovered.
disclaimer: Even for Harvard, $50 billion is real money but the University did not comment on this topic - I did