What's the Best Defense Against Stuxnet?

A Comparison of Which Tools Are the Best for Finding Stuxnet in a System

By Morteza Rezaei


Figure 2. Type-detecting test: each product receives a score for finding an infecting file.

The conditions for participation in our tests are listed in Section II. The products were updated and frozen on March 28, 2012. The following 24 up-to-date products were included in these tests:

  1. Bitdefender Total Security 2012
  2. AVG Internet Security 2012
  3. Symantec Endpoint Protection 12.1
  4. ESET NOD32 Smart Security 5.0.93.0
  5. Microsoft Security Essentials 2.1.1116.0
  6. McAfee VirusScan Enterprise 8.8
  7. Avira Antivirus Professional 10.2
  8. G Data TotalCare 2012
  9. TrustPort Total Protection 2012
  10. Avast Internet Security v7.0
  11. Outpost Security Suite Pro 7.5
  12. Kaspersky Internet Security 2012
  13. Trend Micro Titanium Maximum Security 2012
  14. Panda Global Protection 2012
  15. K7 Ultimate Security 2012
  16. eScan Internet Security 11.0
  17. Ad-Aware Total Security 2011
  18. Norman Security Suite 16.0.0.400
  19. BullGuard 12.0.217
  20. Comodo Internet Security Pro 2012
  21. Dr.Web 7.0.0.10140
  22. Sophos Endpoint Security 10.0
  23. ZoneAlarm Extreme Security 2012
  24. Webroot SecureAnywhere 8.0.1.154

Nowadays, almost all products run with their highest protection settings by default; some, however, may switch to the highest settings automatically once infections begin to occur. For this reason, and to ensure comparable results, all products were tested with their default settings. Several products also rely on cloud technologies that require an active Internet connection, but, as mentioned in the previous section, no Internet connection was available during this test.

Seven infected projects, named Prj-1 to Prj-7, were examined. For each project, the test result tables containing the malware detection details of the various products are given in Table I to Table VII.

IV. RESULTS

According to the results, each product gives the malware a different name. Although organizations such as CVE provide a dictionary of common names for publicly known information security vulnerabilities [12], there is no single, agreed name for each piece of malware.

Based on the results, which are listed in Table I to Table VII, the infected/infecting files are:

  1. cc_tlg7.sav
  2. cc_alg.sav
  3. cc_tag.sav
  4. s7hkimdb.dll
  5. XR000000.MDX
  6. S7000001.MDX

Although there are other infecting files, such as MRXCLS.sys and MRXNET.sys ([11] and [13]), they are not listed here because they exist on the infected system, whereas here we examined only the infected projects on a clean, isolated system (see Section III). Based on the descriptions and reports published by Symantec ([14], [15]), ESET [16], McAfee ([17] to [21]), Kaspersky ([22] to [26]), Trend Micro ([27], [28]) and Avira ([29] to [33]), we can say with confidence that those six files either contain Stuxnet or were created by it.

Figure 4. Name-detecting test: this test shows which products are best at detecting the common names of the malware.

On the other hand, four clean, isolated projects were also tested, and none of them contained the six infected/infecting files listed above. All infected/infecting files found by the security products are located at the following paths, respectively:

%ProjectRoot%/wincproj/OS/GraCS/cc_tlg7.sav

%ProjectRoot%/wincproj/OS/GraCS/cc_alg.sav

%ProjectRoot%/wincproj/OS/GraCS/cc_tag.sav

%ProjectRoot%/HOmSave7/{whatever}/s7hkimdb.dll

%ProjectRoot%/XUTILS/listen/XR000000.MDX

%ProjectRoot%/XUTILS/listen/S7000001.MDX
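As an added example (not part of the original article), the following script checks a Step7/WinCC project root for the six file locations listed above, treating `{whatever}` as one directory level of any name and comparing path components case-insensitively; the project tree it scans is a constructed sample with placeholder bytes, and the reported SHA-256 is there so a hit can be compared with the vendor write-ups cited in the text, not a hash taken from them.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The six file locations flagged inside infected Step7/WinCC projects (from the
# article); "{whatever}" is one directory level whose name varies per project.
STUXNET_PROJECT_FILES = [
    "wincproj/OS/GraCS/cc_tlg7.sav",
    "wincproj/OS/GraCS/cc_alg.sav",
    "wincproj/OS/GraCS/cc_tag.sav",
    "HOmSave7/{whatever}/s7hkimdb.dll",
    "XUTILS/listen/XR000000.MDX",
    "XUTILS/listen/S7000001.MDX",
]

def path_matches(pattern, rel_parts):
    """Case-insensitive per-component match; '{whatever}' matches one directory."""
    pat = pattern.split("/")
    return len(pat) == len(rel_parts) and all(
        p == "{whatever}" or p.lower() == r.lower() for p, r in zip(pat, rel_parts))

def find_stuxnet_project_files(project_root):
    """Walk a project tree; return {pattern: [(path, sha256), ...]} per hit."""
    root, hits = Path(project_root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel_parts = full.relative_to(root).parts
            for pattern in STUXNET_PROJECT_FILES:
                if path_matches(pattern, rel_parts):
                    digest = hashlib.sha256(full.read_bytes()).hexdigest()
                    hits.setdefault(pattern, []).append((str(full), digest))
    return hits

def build_sample_project(base=None):
    """Constructed sample tree (placeholder bytes): two hits, one wrong-depth decoy."""
    base = base or tempfile.mkdtemp()
    for rel in ("wincproj/OS/GraCS/cc_alg.sav",
                "homsave7/Step7_Proj_1/S7HKIMDB.DLL",   # odd casing: still a hit
                "XUTILS/listen/extra/XR000000.MDX"):    # extra level: not a hit
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed placeholder: " + rel.encode())
    return base

if __name__ == "__main__":
    for pattern, found in find_stuxnet_project_files(build_sample_project()).items():
        for path, digest in found:
            print(f"{pattern:36} {path}  sha256={digest[:16]}...")
```

Point `find_stuxnet_project_files` at a real project root (or an unpacked project archive) to run the same check; a hit only says the file is present, so the hash still has to be compared with a trusted reference before the project is declared infected.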

For comparison, three kinds of tests were performed—a type-detecting test, a malware-counting test and a name-detecting test. In the type-detecting test, a product gets a score if it detects an infecting file (Fig. 2). In the malware-counting test, the number of detected malware items was used (Fig. 3). In the last test, the names reported by each product are compared, because users must know whether their files are infected by Stuxnet (Fig. 4).
