What's the Best Defense Against Stuxnet?

I. INTRODUCTION

In a nutshell, Stuxnet is an extremely sophisticated worm that targets Siemens supervisory control and data acquisition (SCADA) environments while exploiting a zero-day vulnerability in all recent versions of Microsoft's Windows operating system. Modules of current malware were first detected by VirusBlokAda company specialists on June 17, 2010^[1]. Peter Ferrie and Holly Stewart from Microsoft (www.microsoft.com) and Costin Raiu from Kaspersky Lab (www.kaspersky.com), who had a combined presentation at the 20th Virus Bulletin conference provided a discovery timeline for the malware revealing there is evidence that Stuxnet code dates back as far as January 2009^[2].

The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens SCADA systems that are configured to control and monitor specific industrial processes. Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior^[3].

Stuxnet attacks Windows systems using an unprecedented four zero-day attacks. It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet (Fig. 1).

The Stuxnet authors stole VeriSign-issued certificates from two reputable companies: RealTek and JMicron. That is a double attack against reputation. First, it is no easy task to obtain a certificate from VeriSign. Second, there is a long history of trust in the files originating from these companies. Certificate-stealing malware is far from new, in fact, the Zeus trojan has been doing it since 2006. Malware authors have never needed to use those certificates over the years, but that is slowly changing, and Stuxnet is a proof for it. Stuxnet serves indirectly as an eye-opener to Microsoft, making the company realize that it should not allow execution of files that have tampered signatures^[4].

Earlier versions of Stuxnet had been causing problems in some cases (such as downloading the program on a PLC), and no one knew what what happening. Kaspersky Lab reported the 43rd version of Stuxnet on December 23, 2011, showing that Stuxnet is still running and active.^[5]

This paper compares the results of the most well-known security products for detecting Stuxnet malware and for locating infecting or suspicious files that contain Stuxnet. Section II describes the conditions of our test methodology—choosing products, their settings, using virtual machine, etc. Section III lists the included products and their versions. Section IV presents the results of each product for seven infected projects and their comparison with each other. Finally, Section V presents a summary of our conclusions.

II. TEST METHODOLOGY

Products included in this article constitute some very effective antivirus/security packs with relatively high on-demand detection rates. The participated products are selected based on some well-known independent Anti-Virus software tests/reviews, such as AV-Comparatives^[6], PC Magazine^[7], CNET reviews^[8], Virus Bulletin^[9] and Tech Media Network^[10].

Our methodology has the following conditions:

1. Because of using last updates for all antivirus software, the operating system is installed on a virtual machine.
2. The operating system is Microsoft Windows XP-SP3 that includes four zero-day patches for Stuxnet contributed by Microsoft ^[11].
3. Each antivirus product is installed on the OS using default product settings and its related virtual machine files saved to an external hard disk.
4. When the tests started, all antivirus products were updated until March 28, 2012. After that, PC was disconnected from the Internet and isolated.
5. Seven infected projects were used as the set of samples for this article.
6. PCS7 archived projects are very common because of their smaller capacity in comparison with the original project, making them easy to transfer. Therefore archived samples used for these tests were not extracted (retrieved).
7. Samples from all sources were copied to each virtual machine.
8. Infected project names were renamed to make sorting and maintenance more effective.
9. The trial version of each antivirus product was used because original versions of some products are not available in my country, Iran. These products were directly downloaded from their official websites. It is necessary to mention that trial version is exactly like a commercial version, except for the time of usage.
10. The name of the detected malware is really important for alerting users that their systems are infected by Stuxnet. Also the name of infected files and their roots were considered and compared.
11. Most of the industrial computers are not connected to the Internet, so these tests is performed not using an active Internet connection.