What's the Best Defense Against Stuxnet?

III. DETECTING TESTS

The conditions for participation in our tests are listed in the Section II. The products were updated and frozen on March 28, 2012. The following 24 up-to-date products were included in these tests:

1. Bitdefender Total Security 2012
2. AVG Internet Security 2012
3. Symantec Endpoint Protection 12.1
4. ESET NOD32 Smart Security 5.0.93.0
5. Microsoft Essential Security 2.1.1116.0
6. McAfee Virus Scan Enterprise 8.8
7. Avira Antivirus Professional 10.2
8. G Data Total Core 2012
9. Trust Port Total Protection 2012
10. Avast Internet Security v7.0
11. Outpost Security Suite Pro 7.5
12. Kaspersky Internet Security 2012
13. Trend Micro Titanium Maximum Security 2012
14. Panda Global Protection 2012
15. K7 Ultimate Security 2012
16. eScan Internet Security 11.0
17. Adware Total Security 2011
18. Norman Security Suite 16.0.0.400
19. Bullgaurd 12.0.217
20. Comodo Internet Security Pro 2012
21. Dr. Web 7.0.0.10140
22. Sophos Endpoint Security 10.0
23. ZoneAlarm Extreme Security 2012
24. Webroot Secure Anywhere 8.0.1.154

Nowadays, almost all products run with the highest protection settings by default; some, however, may automatically switch to the highest settings once infections begin to occur. Due to this, and in order to ensure comparable results, all products were tested with their default settings. Also, several products make use of cloud technologies, which require an active Internet connection, but as mentioned in previous section, in this test there was no Internet connection.

Here, seven infected projects named Prj-1 to Prj-7 are shown. For each project, the tests results tables containing the detection malware details of various products are listed in Table I to Table VII.

IV. RESULTS

According to results, each product gives a different name to the malware. Despite some existing organizations such as CVE that provide a dictionary of common names for publicly known information security vulnerabilities ^[12], there is no unique name for each malware.

Based on the results, which are listed in Table I to Table VII, the infected/infecting files are

1. cc_tlg7.sav
2. cc_alg.sav
3. cc_tag.sav
4. s7hkimdb.dll
5. XR000000.MDX
6. S7000001.MDX

Although there are more infecting files, like MRXCLS.sys and MRXNET.sys (^[11] and ^[13]), those are not listed here because they exist on the infected system, and here we checked only the infected projects on a clean isolated system (see Section III). Also, based on descriptions and reports published on some web pages such as Symantec (^[14], ^[15]), ESET^[16], McAfee (^[17] to ^[21]), Kaspersky (^[22] to ^[26]), Trend Micro (^[27], ^[28]) and Avira (^[29] to ^[33]) we can say those six files certainly have Stuxnet or are created by it.

CLICK IMAGE TO ENLARGE Name detecting test Figure 4. This test shows which systems are best at detecting the common names of the malware.

On the other hand, four isolated projects were tested and none of them had the six infected/infecting files which are listed before. All infected/infecting files which are found by security products can be found on the roots below, respectively:

%ProjectRoot%/wincproj/OS/GraCS/cc_tlg7.sav

%ProjectRoot%/wincproj/OS/GraCS/cc_alg.sav

%ProjectRoot%/wincproj/OS/GraCS/cc_tag.sav

%ProjectRoot%/HOmSave7/{whatever}/s7hkimdb.dll

%ProjectRoot%/XUTILS/listen/XR000000.MDX

%ProjectRoot%/XUTILS/listen/S7000001.MDX

For comparison, three kinds of tests were performed—type-detecting test, malware counting test and name-detecting test. For the type detecting test, each product will get a score if it detects an infecting file  (Fig. 2). For malware-counting test, the number of detected malware was used (Fig. 3). And in the last test, a name comparison is done because the users must know if their files are infected by Stuxnet (Fig. 4).

V. CONCLUSION

Unfortunately, none of the products can detect all various versions of the Stuxnet malware (Table I to Table VII). Our experimental results suggest that scanning each project by both Trend Micro and Kaspersky products is a good way to detect/disinfect Stuxnet, but that is not enough. It can be concluded that manually deleting is the best way to clean infected projects, but that requires having up-to-date knowledge about Stuxnet. It is worth mentioning that the XR000000.MDX file reported as an encrypted copy of Stuxnet by Trend Micro^[28] but, surprisingly, surprisingly their product was not able to detect it in all infected projects until the experiment date.