Each week vnunet.com asks a different expert to give their views on recent virus and security issues, with advice, warnings and information on the latest threats.
This week Pete Simpson, ThreatLab manager at Clearswift, examines research that estimates the possible economic impact of a 'worst-case worm' attack.
Estimating what serious worm infections cost businesses is a tough job, and in the past some puzzling figures have emerged.
That's why a recent analysis by academics Nicholas Weaver and Vern Paxson, members of the International Computer Science Institute (ICSI), is worth attention.
Weaver and Paxson estimate that a sophisticated - and hypothetical - 'worst-case worm' attack, targeted specifically at the US and designed for maximum economic impact, would cause $50bn in damage.
Such an attack would be carried out by a complex worm, a 'superworm', exploiting one or more publicly unknown (zero-day) security weaknesses.
This superworm is also assumed capable of secondary spreading through conventional vectors such as email, web pages and local area networks (dubbed a 'blended threat' by some in the antivirus community).
The secondary phase of the attack is directed at infiltration of internal networks not directly exposed to the internet. The superworm's payload is assumed to involve widespread destruction of data and disabling of platforms.
Weaver and Paxson present a simple, linear damage model based on lost productivity, repair time, lost data, and damage to systems. Their model assumes that backups are generally available and most data loss is not permanent.
They estimate a total of 50 million hosts infected - 60 per cent of the population of Windows systems in the commercial and government sectors - resulting in losses of $50bn in the US alone.
The study estimates the most costly factor to be machine downtime. But it excludes secondary losses as too difficult to estimate and often grossly exaggerated. Home PCs are also not included in the estimate.
This superworm scenario is entirely plausible, but the model overlooks one crucial constraint on the attack.
A worm can cross a network perimeter only where the firewall lets traffic through: primarily port 25 (SMTP) and, to a lesser degree, port 80 (HTTP). A third and yet smaller means of ingress is portable devices such as laptops that are infected outside the perimeter and then carried inside it.
With many large corporates filtering executable email attachments the progress of the attack against the main targets - the US commercial and government sectors - would be seriously impeded.
HTTP provides an alternative route, but it is relatively slow and poorly focused, because each infection depends on human intervention (a user browsing to a malicious or compromised page).
So what if we were faced with a worst-case worm attack?
Antivirus defences would be useless in the early stages of a superworm incident and would perhaps be impeded in later stages by aggressive anti-antivirus action on the desktop and distributed denial-of-service attacks on the signature update servers.
Organisations should be ready to implement a 'siege mode' content policy at their email gateways, quarantining all attachments for the duration of the incident.
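The two gateway policies discussed above, filtering executable attachments in normal operation and quarantining every attachment in 'siege mode', as an added illustration in Python's standard `email` library. This is not code from the original column or from Clearswift's products; the policy names, the extension list, the 'MZ' header check and the sample message are assumptions made for the example. Note that the executable check looks at the attachment's first bytes as well as its filename, since a renamed executable defeats extension-only filtering:

```python
"""Mail-gateway attachment policy (illustrative, not a vendor's code).

Normal mode strips attachments that look executable by name or by content.
Siege mode quarantines every attachment for the duration of an incident.
Quarantined parts are replaced by a text notice so the rest of the mail
is still delivered.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable in normal mode (assumed list for the example).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Windows PE executables begin with the DOS 'MZ' header, whatever they are named.
PE_MAGIC = b"MZ"


def is_executable(part) -> bool:
    """True if an attachment looks executable by filename or by leading bytes."""
    name = (part.get_filename() or "").lower()
    if any(name.endswith(ext) for ext in EXEC_EXTENSIONS):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(PE_MAGIC)


def apply_policy(raw: bytes, siege_mode: bool):
    """Parse a raw RFC 5322 message and apply the attachment policy.

    Returns (cleaned message, list of quarantined attachment filenames).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    quarantined = []
    for part in msg.walk():
        # Only leaf parts marked as attachments are subject to the policy.
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename() or "(unnamed)"
        if siege_mode or is_executable(part):
            quarantined.append(filename)
            # set_content() drops the old Content-* headers and body,
            # turning the part into an inline text/plain notice.
            part.set_content(
                f"Attachment '{filename}' quarantined by gateway policy.\n"
            )
    return msg, quarantined


def build_sample() -> bytes:
    """Constructed sample message: a PDF plus an executable renamed as .doc."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 figures"
    msg.set_content("Figures attached.")
    msg.add_attachment(b"%PDF-1.4 fake report", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Disguised executable: the extension lies, the 'MZ' header does not.
    msg.add_attachment(b"MZ\x90\x00fake PE", maintype="application",
                       subtype="octet-stream", filename="invoice.doc")
    return msg.as_bytes()


def run(siege_mode: bool):
    """Apply the policy to the sample message and return what was quarantined."""
    _, quarantined = apply_policy(build_sample(), siege_mode)
    return quarantined


if __name__ == "__main__":
    print("normal mode quarantined:", run(False))  # ['invoice.doc']
    print("siege mode quarantined: ", run(True))   # ['report.pdf', 'invoice.doc']
```

In normal mode only the renamed executable is caught; switching `siege_mode` on quarantines the PDF as well, which is the trade-off the column describes: during an incident the gateway stops trusting any attachment rather than trying to recognise the worm.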
The browser and mail client are the last line of defence and, technically, the weakest link in the chain. IT directors should consider the cost benefits, in the light of a worst-case worm scenario, of installing more secure alternatives such as Mozilla applications.
How probable is a worst-case worm incident? Technically, it is feasible. If it does materialise, we can be quite confident that it will be the work of a well-resourced hostile government, as the only source possessing the necessary motivation, skills and resources. It would not be an operation to be undertaken lightly, as retaliation would no doubt be severe.
Still, publication of the ICSI damage model must be applauded. Some may see it as too simplistic, but it does represent a valuable contribution to the antivirus research community as a 'stake in the ground'.
The full Weaver and Paxson report, 'A Worst-Case Worm', is available from ICSI.