Interested in linking to "What's the Best Defense Against Stuxnet?"?
You may use the Headline, Deck, Byline and URL of this article on your Web site. To link to this article, select and copy the HTML code below and paste it on your own Web site.
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens SCADA systems that are configured to control and monitor specific industrial processes. Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements. For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to abnormal behavior.
Stuxnet attacks Windows systems using an unprecedented four zero-day attacks. It is initially spread using infected removable drives such as USB flash drives, and then uses other exploits and techniques such as peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet (Fig. 1).
The Stuxnet authors stole VeriSign-issued certificates from two reputable companies: RealTek and JMicron. That is a double attack against reputation. First, it is no easy task to obtain a certificate from VeriSign. Second, there is a long history of trust in the files originating from these companies. Certificate-stealing malware is far from new, in fact, the Zeus trojan has been doing it since 2006. Malware authors have never needed to use those certificates over the years, but that is slowly changing, and Stuxnet is a proof for it. Stuxnet serves indirectly as an eye-opener to Microsoft, making the company realize that it should not allow execution of files that have tampered signatures.
Earlier versions of Stuxnet had been causing problems in some cases (such as downloading the program on a PLC), and no one knew what what happening. Kaspersky Lab reported the 43rd version of Stuxnet on December 23, 2011, showing that Stuxnet is still running and active.
This paper compares the results of the most well-known security products for detecting Stuxnet malware and for locating infecting or suspicious files that contain Stuxnet. Section II describes the conditions of our test methodology—choosing products, their settings, using virtual machine, etc. Section III lists the included products and their versions. Section IV presents the results of each product for seven infected projects and their comparison with each other. Finally, Section V presents a summary of our conclusions.
Products included in this article constitute some very effective antivirus/security packs with relatively high on-demand detection rates. The participated products are selected based on some well-known independent Anti-Virus software tests/reviews, such as AV-Comparatives, PC Magazine, CNET reviews, Virus Bulletin and Tech Media Network.Our methodology has the following conditions:
Nowadays, almost all products run with the highest protection settings by default; some, however, may automatically switch to the highest settings once infections begin to occur. Due to this, and in order to ensure comparable results, all products were tested with their default settings. Also, several products make use of cloud technologies, which require an active Internet connection, but as mentioned in previous section, in this test there was no Internet connection.
Here, seven infected projects named Prj-1 to Prj-7 are shown. For each project, the tests results tables containing the detection malware details of various products are listed in Table I to Table VII.
Based on the results, which are listed in Table I to Table VII, the infected/infecting files are
Although there are more infecting files, like MRXCLS.sys and MRXNET.sys ( and ), those are not listed here because they exist on the infected system, and here we checked only the infected projects on a clean isolated system (see Section III). Also, based on descriptions and reports published on some web pages such as Symantec (, ), ESET, McAfee ( to ), Kaspersky ( to ), Trend Micro (, ) and Avira ( to ) we can say those six files certainly have Stuxnet or are created by it.
CLICK IMAGE TO ENLARGE
On the other hand, four isolated projects were tested and none of them had the six infected/infecting files which are listed before. All infected/infecting files which are found by security products can be found on the roots below, respectively:
For comparison, three kinds of tests were performed—type-detecting test, malware counting test and name-detecting test. For the type detecting test, each product will get a score if it detects an infecting file (Fig. 2). For malware-counting test, the number of detected malware was used (Fig. 3). And in the last test, a name comparison is done because the users must know if their files are infected by Stuxnet (Fig. 4).
Unfortunately, none of the products can detect all various versions of the Stuxnet malware (Table I to Table VII). Our experimental results suggest that scanning each project by both Trend Micro and Kaspersky products is a good way to detect/disinfect Stuxnet, but that is not enough. It can be concluded that manually deleting is the best way to clean infected projects, but that requires having up-to-date knowledge about Stuxnet. It is worth mentioning that the XR000000.MDX file reported as an encrypted copy of Stuxnet by Trend Micro but, surprisingly, surprisingly their product was not able to detect it in all infected projects until the experiment date.
 VIRUSBLOKADA (2012, May 3).
 Helen Martin. (2010, November 1). Vancouver Expedition [Online].
 WIKIPEDIA (2012, April 15). [ONLINE].
 Roel Schouwenberg. ( 2010, September). Breaking the habit [Online].
 SECURELIST (2011, December 23). Worm.Win32.Stuxnet.ai [Online].
 Neil J. Rubenking. (2011, October 5). PC Magazine [Online].
 CNET Reviews
 Virus Bulletin
 Top Ten Reviews
 A. Matrosov, E. Rodionov, D. Harley, J. Malcho. (2011, January). Stuxnet Under Microscope [Online].
 Common Vlnerabilities and Exposures
 N. Falliere, L. O. Murchu, E. Chien, "W32.Stuxnet Dossier", Symantec Corp., Ver. 1.4, February 2011.
 SYMANTEC. (2010, September 17). W32.Stuxnet [Online].
 SYMANTEC. (2010, July 18). W32.Stuxnet!lnk [Online].
 ESET. (2010, July 15). Win32/Stuxnet.A [Online].
 MCAFEE. (2010, July 16). Stuxnet [Online].
 MCAFEE. (2012, March 7). Stuxnet!14E9A18DA7E7 [Online].
 MCAFEE. (2011, April 2). Stuxnet!2D6CEE3D0305 [Online].
 MCAFEE. (2010, December 27). Stuxnet!4BEE6DAC25A4 [Online].
 MCAFEE. (2010, December 27). Stuxnet!6E1B6DBD7348 [Online].
 SECURELIST. (2010, September 20). Rootkit.Win32.Stuxnet.a [Online].
 SECURELIST. (2010, September 20). Rootkit.Win32.Stuxnet.b [Online].
 SECURELIST. (2011, February 24). Worm.Win32.Stuxnet.e [Online].
 SECURELIST. (2011, February 24). Worm.Win32.Stuxnet.m [Online].
 SECURELIST. (2011, February 24). Worm.Win32.Stuxnet.a [Online].
 TRENDMICRO. (2010, July 22). WORM_STUXNET.SM [Online].
 TRENDMICRO. (2010, July 16). WORM_STUXNET.A [Online].
 AVIRA. (2010, November 25). TR/Drop.Stuxnet.A.40 [Online].
 AVIRA. (2010, July 28). TR/Drop.Stuxnet.F [Online].
 AVIRA. (2010, July 16). RKit/Stuxnet.A [Online].
 AVIRA. (2010, July 15). TR/Drop.Stuxnet.A.5 [Online].