Interested in linking to "What's the Best Defense Against Stuxnet?"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
Nowadays, almost all products run with the highest protection settings by default; some, however, may automatically switch to the highest settings once infections begin to occur. Due to this, and in order to ensure comparable results, all products were tested with their default settings. Also, several products make use of cloud technologies, which require an active Internet connection, but as mentioned in previous section, in this test there was no Internet connection.
Here, seven infected projects named Prj-1 to Prj-7 are shown. For each project, the tests results tables containing the detection malware details of various products are listed in Table I to Table VII.
Based on the results, which are listed in Table I to Table VII, the infected/infecting files are
Although there are more infecting files, like MRXCLS.sys and MRXNET.sys ( and ), those are not listed here because they exist on the infected system, and here we checked only the infected projects on a clean isolated system (see Section III). Also, based on descriptions and reports published on some web pages such as Symantec (, ), ESET, McAfee ( to ), Kaspersky ( to ), Trend Micro (, ) and Avira ( to ) we can say those six files certainly have Stuxnet or are created by it.
CLICK IMAGE TO ENLARGE
On the other hand, four isolated projects were tested and none of them had the six infected/infecting files which are listed before. All infected/infecting files which are found by security products can be found on the roots below, respectively:
For comparison, three kinds of tests were performed—type-detecting test, malware counting test and name-detecting test. For the type detecting test, each product will get a score if it detects an infecting file (Fig. 2). For malware-counting test, the number of detected malware was used (Fig. 3). And in the last test, a name comparison is done because the users must know if their files are infected by Stuxnet (Fig. 4).
Unfortunately, none of the products can detect all various versions of the Stuxnet malware (Table I to Table VII). Our experimental results suggest that scanning each project by both Trend Micro and Kaspersky products is a good way to detect/disinfect Stuxnet, but that is not enough. It can be concluded that manually deleting is the best way to clean infected projects, but that requires having up-to-date knowledge about Stuxnet. It is worth mentioning that the XR000000.MDX file reported as an encrypted copy of Stuxnet by Trend Micro but, surprisingly, surprisingly their product was not able to detect it in all infected projects until the experiment date.