Interested in linking to "What's the Best Defense Against Stuxnet?"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens SCADA systems that are configured to control and monitor specific industrial processes. Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior.
Stuxnet attacks Windows systems using an unprecedented four zero-day attacks. It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet (Fig. 1).
The Stuxnet authors stole VeriSign-issued certificates from two reputable companies: RealTek and JMicron. That is a double attack against reputation. First, it is no easy task to obtain a certificate from VeriSign. Second, there is a long history of trust in the files originating from these companies. Certificate-stealing malware is far from new, in fact, the Zeus trojan has been doing it since 2006. Malware authors have never needed to use those certificates over the years, but that is slowly changing, and Stuxnet is a proof for it. Stuxnet serves indirectly as an eye-opener to Microsoft, making the company realize that it should not allow execution of files that have tampered signatures.
Earlier versions of Stuxnet had been causing problems in some cases (such as downloading the program on a PLC), and no one knew what what happening. Kaspersky Lab reported the 43rd version of Stuxnet on December 23, 2011, showing that Stuxnet is still running and active.
This paper compares the results of the most well-known security products for detecting Stuxnet malware and for locating infecting or suspicious files that contain Stuxnet. Section II describes the conditions of our test methodology—choosing products, their settings, using virtual machine, etc. Section III lists the included products and their versions. Section IV presents the results of each product for seven infected projects and their comparison with each other. Finally, Section V presents a summary of our conclusions.
Products included in this article constitute some very effective antivirus/security packs with relatively high on-demand detection rates. The participated products are selected based on some well-known independent Anti-Virus software tests/reviews, such as AV-Comparatives, PC Magazine, CNET reviews, Virus Bulletin and Tech Media Network.Our methodology has the following conditions: