Worst case worm damage estimates: Research

Sean Donelan sean at donelan.com
Sat Jun 5 08:49:21 UTC 2004


On Fri, 4 Jun 2004, Vern Paxson wrote:
> > Some people regularly rebuild their Windows computer a few
> > times a year.
>
> Including recovering from a trashed BIOS?

As you point out in the paper, the BIOS scrambler attack is the one with
the most variation between platforms.  It could have a relatively low
success rate.  On the other hand, board and even system replacement occurs
pretty frequently.  Even without a superworm, computer repair depots
return a lot of computers to the factory instead of trying to fix them
locally, especially if the computer is new/recent/under warranty.  The
newest computers are most likely to have a fast replacement cycle from
inventory.  I agree the BIOS scrambler is a particularly nasty form of
attack, but the current state of computer repair expertise means it's
not that different from the problems created by current viruses.

In 2000 Intel needed to recall over one million motherboards already
shipped to end-users due to a defect. Instead of fixing the defective
motherboards, Intel offered to replace them with new motherboards. Analysts
estimated that the recall cost $300 million to $400 million, including
the labor to replace the motherboard.  That's less than $400 per defective
motherboard.  Your paper estimates it would cost more than double that to
replace a scrambled BIOS.

Although some people have a personal attachment to their computers,
business PCs are very fungible.  If the PC was more than a few years old,
the business has probably depreciated it, and may just replace it sooner
than planned with a newer (faster, more productive?) model.  If the business
has more than one computer (again, the BIOS scrambler has the most
variables), some of the other computers may be of a different vintage.  The
business may just use one of the working computers instead.  The damaged
computers don't need to be replaced with the exact same make and model; in
the short term even older models may be sufficient.  Or do all those
executives and other people need their computers 24x7?  On a CPU hour
basis, PCs have a very low utilization.  SETI at HOME may have fewer free
CPU cycles to borrow because any working "personal" computers will be
shared by multiple people timesharing until their own replacement
computers arrive.

According to the banking industry, on average 5% of the cash machines in
the country aren't working on any particular day.  It's even higher during
a holiday weekend.  What's the economic impact of a 5% failure rate of
cash machines?  If 10% of the cash machines had their BIOS scrambled,
would the impact be doubled?

Instead of an economic loss, do you create a Y2K effect of companies
accelerating the replacement of equipment and hiring consultants to fix
problems, creating a mini economic boom?

Capitalism seems to make more money treating illness than preventing it.
