Conficker's estimated economic cost? $9.1 billion

In a recent blog post, the Cyber Secure Institute claims that based on their previous studies into the average cost of such malware attacks, the economic loss due to the Conficker worm could be as high as $9.1 billion.

In a recent blog post, the Cyber Secure Institute claims that based on their previous studies into the average cost of such malware attacks, the economic loss due to the Conficker worm could be as high as $9.1 billion.

Despite that their analysis also considered a much limited infection rate (200,000 infected hosts), they claim that the cost of the virus in this case is still around $200 million. The research excludes an important fact though - not only is Conficker still active and infecting, but also, according to the most recent infection rate estimate courtesy of the Conficker Working Group, the number of infected hosts is 3.5 million.

Here are more details from the analysis:

"Any analysis of the true impact of Conficker must also factor in the (wasted) time, resources, and energies of the cyber-community, governments, companies and individuals.  Extrapolating out from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm, the cost of purchasing counter-measure software) could be as high as $9.1 billion.  Even using the single, outlying data source that suggests a much more limited scope of infection (<200,000 —vastly less than all other sources  suggest—the cost of this virus is still roughly $200 million dollars."

The number of Conficker infected hosts is in fact much higher than the number provided by the Conficker Working Group in the sense that behind a single IP there may be many other hosts NAT-ed in the local network, adding up yet another variable that has the potential to undermine such estimates. Moreover, the analysis cites that the estimate includes the cost of purchasing counter-measure software, a cost which from my perspective has to be excluded due to the fact that working counter-measures are virtually free due to the impact of the worm.

Therefore no additional costs are added for purchasing counter-measure software since based on the current agreements with security vendors, the enterprises are supposed to be automatically protected from the worm.

In the past, there have been numerous attempts to estimate the cost of malware, from mi2g's $157 billion and $192 billion worldwide loss in 2004 due to malware infections, followed by Computer Economics study stating that In 2006, direct damages fell to $13.3 billion, from $14.2 billion in 2005, and $17.5 billion in 2004. The huge difference of the estimates is due to the different variables taken into consideration by the two companies.

In a perfect world all affected parties would be sharing information on the actual infection rate and the costs due to the worm's infection, thereby confirming that their enterprises have been compromised and potentially ruining business relations for the sake of contributing to the quality of such global studies. In the real world, a Conficker infected international company would try to stay beneath the radar if it can, just as the average Internet user would continue getting exploited through one/two years old client side vulnerabilities, a paradox that's driving cybercrime globally.

Moreover, based on the geolocated chart courtesy of IBM's ISS and Symantec's logical conclusion that users, perhaps even companies with illegal copies of Windows represent the largest proportion of the infected set, it's worth pointing out that denying access to critical patches used as foundation for such worms citing pirated copies, ends up in a situation where the legal owners of the OS would feel the spam/phishing/DDoS/crimeware effect coming from the infected owners of the illegal copies in the long term. Now, would someone located in these countries bother allocating additional resources to protect against Conficker, given that they didn't even bother to purchase the OS at the first place?

Personally, I never take these rough estimates seriously. There are simply way too many variables to take into consideration, especially the worm's global impact, the different allocation for asset protection across the world based on the local economic climate, and the efficiencies and inefficients achieved in cleaning malware within a particular company - factors that can greatly decrease or even increase the estimate.