Sep 20, 2010 08:07 GMT

Security researchers from Symantec revealed that computers infected with the Stuxnet worm are capable of communicating in a P2P-like network and updating each other.

Until this summer, highly complex malware like the Stuxnet worm only existed in theory. It is the ultimate industrial espionage tool and bears all the hallmarks of a professional design.

Even though it was discovered months ago, researchers have yet to make some of their findings public.

And as they do, it becomes more and more clear that Stuxnet is the most sophisticated piece of malware discovered to date.

"Our continued research has revealed that as well as being controlled via a command and control infrastructure, the threat also has the ability to update itself via a peer-to-peer component," Symantec security researcher Liam O. Murchu announces.

Normally, Stuxnet contacts a couple of hard-coded command and control servers in order to receive new updates, as regular botnet clients do.

However, it seems the malware also installs an RPC (Remote Procedure Call) server and client on infected computers, which allows it to communicate with other infected machines.

This is probably done both for redundancy, in case the C&C servers are taken down, and for situations in which the computer has no Internet access at all, as is common with mission-critical systems.

When a Stuxnet-infected machine contacts another, it enquires about the version of the malware running on it. If the variant is newer, it will request a copy and update itself.

However, if the other machine reports an older version, a copy of the malware from the current system is sent to it along with an instruction to upgrade.

"In this way an update can be introduced to any infected machine on a network and it will eventually spread to all other infected machines," Mr. Murchu explains.
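The version exchange and propagation behaviour described above, as an added simulation that is not Symantec's analysis code and not anything taken from the worm itself. Host names, zone labels and version numbers are constructed; the `allowed` policy is a stand-in for a firewall or segmentation rule governing which hosts may reach each other's RPC endpoint. It shows why the peer component matters to defenders: one host that obtained a newer version is enough for every reachable peer to become current, while confining host-to-host RPC to a zone stops the update at the zone boundary.

```python
"""Simulation of the peer-to-peer version exchange described in the article.
Added example for illustration only; not code from Symantec or from the worm.
Host names, segments and version numbers below are constructed."""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class Host:
    name: str
    segment: str     # constructed network zone label ("office", "ot")
    version: int     # version of the implant currently running on this host
    events: list = field(default_factory=list)


def exchange(a: Host, b: Host) -> bool:
    """One contact as the article describes: a asks b which version it runs.
    If b is newer, a pulls a copy and updates itself; if b is older, a pushes
    its own copy along with an instruction to upgrade.
    Returns True when a copy was transferred in either direction."""
    if a.version == b.version:
        return False
    if b.version > a.version:
        a.events.append(f"pulled v{b.version} from {b.name}")
        a.version = b.version
    else:
        b.events.append(f"upgrade to v{a.version} pushed by {a.name}")
        b.version = a.version
    return True


def propagate(hosts, allowed, max_rounds=50) -> int:
    """Let every permitted pair talk until no host changes any more.
    `allowed(x, y)` models whether x may reach y's RPC endpoint.
    Returns the number of copies transferred. Contact order is arbitrary; the
    fixed point (everyone reachable ends up on the highest version) is not."""
    transfers = 0
    for _ in range(max_rounds):
        changed = False
        for a, b in combinations(hosts, 2):
            if allowed(a, b) and exchange(a, b):
                transfers += 1
                changed = True
        if not changed:
            break
    return transfers


def run_scenario(segmented: bool):
    """Seed one office host with a newer version (as if it had reached a C&C
    server) and measure how far the update travels. The two OT hosts have no
    Internet access, so the peer channel is their only path to an update."""
    hosts = [
        Host("eng-ws1", "office", version=2),   # constructed: got v2 from C&C
        Host("eng-ws2", "office", version=1),
        Host("hmi-01", "ot", version=1),        # constructed: no Internet
        Host("hmi-02", "ot", version=1),
    ]
    if segmented:
        def allowed(a, b):
            return a.segment == b.segment       # peer RPC confined to a zone
    else:
        def allowed(a, b):
            return True                         # flat network, anyone to anyone
    transfers = propagate(hosts, allowed)
    return transfers, {h.name: h.version for h in hosts}


if __name__ == "__main__":
    for mode in (False, True):
        n, versions = run_scenario(segmented=mode)
        print("segmented" if mode else "flat", n, "copies ->", versions)
```

On the flat network the single seeded host brings all three other machines, including the two without Internet access, to version 2; with peer RPC confined to each zone, only the other office host is updated and the OT hosts stay on version 1. The takeaway is that a C&C takedown alone does not stop updates from reaching already-infected machines, whereas blocking unnecessary workstation-to-workstation RPC does cut the propagation path.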

A full technical paper about the Stuxnet malware will be presented next week at the VB 2010 Conference in Vancouver. It will be interesting to see if there are any more surprises.

So far, it has been revealed that Stuxnet exploits four different previously unknown vulnerabilities in Windows, has a rootkit component signed with digital certificates stolen from major companies, and is capable of programming SCADA systems.