Saturday, September 18, 2010

Stuxnet P2P component

Our analysis of Stuxnet has been ongoing for some time now. Although we have not posted any information about it on our blog, we have been continuously analyzing the threat since it was discovered earlier this year. Initial investigation into the threat pointed to a command and control infrastructure as the method used to control it. The command and control servers involved were taken offline shortly after this control mechanism was discovered.

Our continued research has revealed that as well as being controlled via a command and control infrastructure, the threat also has the ability to update itself via a peer-to-peer component.

Infected machines contact each other and check which machine has the latest version of the threat installed. Whichever machine has the latest version transfers it to the other machine and in this way the worm is able to update itself without contacting a central command and control server. P2P networks are often used for the very reason that they are difficult to take down as there is no central point of failure. The creators of Stuxnet were aware that they might lose control of their command and control servers so they built in a P2P update function to prepare for that eventuality.

All of this means that even though the command and control servers for Stuxnet were taken offline some time ago, the attackers may still be capable of updating and controlling the worm via this P2P communication channel.

We are preparing a full technical paper about Stuxnet and will be presenting it at VB 2010 in Vancouver on Sept 29th.
