Preventing e-mail propagation of malicious computer code

US 7,380,277 B2
Filed: 09/25/2002
Issued: 05/27/2008
Est. Priority Date: 07/22/2002
Status: Active Grant

First Claim

Patent Images

1. A method for detecting by an e-mail proxy interposed between a client computer and an e-mail server the presence of malicious computer code in an e-mail sent from the client computer to the e-mail server, said method comprising the steps of:

intercepting by the e-mail proxy that is interposed between the client computer and the e-mail server e-mails sent from the client computer to the e-mail server, wherein the proxy intercepts an e-mail sent with a file by an application on the client computer;

comparing the file that was intercepted by and now resides within the proxy with the application that sent the e-mail and that resides on the client computer to determine whether the application is attempting to send itself as part of the e-mail;

declaring a suspicion of malicious code in the file and in the application when the file is determined to be a nearly identical copy of the application;

determining whether a digital signature has been affixed to the file;

verifying the digital signature with a trusted source upon determining that a digital signature has been affixed to the file; and

rescinding the declaration of a suspicion of malicious code responsive to the determination and positive verification.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer-implemented methods, systems, and computer-readable media for detecting the presence of malicious computer code in an e-mail sent from a client computer (1) to an e-mail server (2). An embodiment of the inventive method comprises the steps of: interposing (41) an e-mail proxy server (31) between the client computer (1) and the e-mail server (2); allowing (42) the proxy server (31) to intercept e-mails sent from the client computer (1) to the e-mail server (2); enabling (43) the proxy server (31) to determine when a file (30) is attempting to send itself (30) as part of an e-mail; and declaring (44) a suspicion of malicious computer code when the proxy server (31) determines that a file (30) is attempting to send itself (30) as part of an e-mail.

99 Citations

View as Search Results

18 Claims

1. A method for detecting by an e-mail proxy interposed between a client computer and an e-mail server the presence of malicious computer code in an e-mail sent from the client computer to the e-mail server, said method comprising the steps of:
- intercepting by the e-mail proxy that is interposed between the client computer and the e-mail server e-mails sent from the client computer to the e-mail server, wherein the proxy intercepts an e-mail sent with a file by an application on the client computer;
  
  comparing the file that was intercepted by and now resides within the proxy with the application that sent the e-mail and that resides on the client computer to determine whether the application is attempting to send itself as part of the e-mail;
  
  declaring a suspicion of malicious code in the file and in the application when the file is determined to be a nearly identical copy of the application;
  
  determining whether a digital signature has been affixed to the file;
  
  verifying the digital signature with a trusted source upon determining that a digital signature has been affixed to the file; and
  
  rescinding the declaration of a suspicion of malicious code responsive to the determination and positive verification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the proxy resides within the client computer.
  - 3. The method of claim 1 wherein the e-mail server and the proxy adhere to the SMTP protocol.
  - 4. The method of claim 1 further comprising, in response to the declaring step, the step of sending a message to a user of the client computer.
  - 5. The method of claim 4 wherein the message gives the user a plurality of choices, comprising at least one choice from the following group of choices:
    - preventing the application from e-mailing itself;
      
      quarantining the application;
      
      allowing the application to send e-mail attachments; and
      
      always allowing the application to send e-mail attachments.
  - 6. The method of claim 5 further comprising, when the user chooses to quarantine the application, the step of encrypting the application and sending the application to an antivirus software company.
  - 7. The method of claim 1 further comprising, in response to the declaring step, the step of transmitting an alert to each computer in an enterprise associated with the client computer.
  - 8. The method of claim 1 wherein the comparing step comprises the substeps of:
    - decomposing the e-mail into constituent parts; and
      
      determining that the application is attempting to send itself when a replica of the application is detected in one of the constituent parts.
  - 9. The method of claim 1 when near identicalness is defined to mean that no more than one byte out of a preselected threshold number of bytes varies between the file and the application.
  - 10. The method of claim 9 wherein the preselected threshold number is 512.

11. Apparatus for detecting by a proxy computer interposed between a client computer and an e-mail server the presence of malicious computer code in an e-mail sent from the client computer to the e-mail server, said apparatus comprising:
- the proxy computer interposed between the client computer and the e-mail server, said proxy computer comprising;
  
  a redirector module adapted to intercept e-mails sent from the client computer to the e-mail server, wherein the redirector module intercepts an e-mail sent with a file by an application on the client computer; and
  
  coupled to the redirector module, a scan manager module adapted to;
  
  compare the file that was intercepted by and now resides within the proxy with the application that sent the e-mail and that resides on the client computer to determine whether the application is attempting to send itself as part of the e-mail;
  
  declare a suspicion of malicious code in the file and in the application when the file is determined to be a nearly identical copy of the application;
  
  determine whether a digital signature has been affixed to the file;
  
  verify the digital signature with a trusted source upon determining that a digital signature has been affixed to the file; and
  
  rescind the declaration of a suspicion of malicious code responsive to the determination and positive verification.
- View Dependent Claims (12)
- - 12. The apparatus of claim 11 further comprising, coupled to the scan manager module, a decomposer module adapted to:
    - decompose e-mail into constituent parts; and
      
      determine that the application is attempting to send itself as part of an e-mail when a near replica of the application is detected in one of the constituent parts.

13. A computer-readable medium containing computer program instructions for detecting by a proxy interposed between a client computer and an e-mail server the presence of malicious computer code in an e-mail sent from the client computer to the e-mail server computer, said computer program instructions performing the steps of:
- intercepting by the proxy that is interposed between the client computer and the e-mail server e-mails sent from the client computer to the e-mail server, wherein the proxy intercepts an e-mail sent with a file by an application on the client computer;
  
  comparing the file that was intercepted by and now resides within the proxy with the application that sent the e-mail and that resides on the client computer to determine whether the application is attempting to send itself as part of the e-mail;
  
  declaring a suspicion of malicious code in the file and in the application when the file is determined to be a nearly identical copy of the application mail;
  
  determining whether a digital signature has been affixed to the file;
  
  verifying the digital signature with a trusted source upon determining that a digital signature has been affixed to the file; and
  
  rescinding the declaration of a suspicion of malicious code responsive to the determination and positive verification.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer-readable medium of claim 13 further comprising computer program instructions for, in response to the declaring step, sending a message to a user of the client computer giving said user a plurality of choices, comprising at least one choice from the following group of choices:
    - preventing the application from e-mailing itself;
      
      quarantining the application;
      
      allowing the application to send e-mail attachments; and
      
      always allowing the application to send e-mail attachments.
  - 15. The computer-readable medium of claim 14 further comprising computer program instructions for, when the user chooses to quarantine the application, encrypting the application and sending the application to an antivirus software company.
  - 16. The computer-readable medium of claim 13 further comprising computer program instructions for, in response to the declaring step, transmitting an alert to each computer in an enterprise associated with the client computer.
  - 17. The computer-readable medium of claim 13 wherein the application is attempting to send itself as part of an e-mail body.
  - 18. The computer-readable medium of claim 13 wherein the application is attempting to send itself as part of an e-mail attachment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Szor, Peter
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Abyaneh; Ali S

Application Number

US10/255,658
Publication Number

US 20040015726A1
Time in Patent Office

2,071 Days
Field of Search

713/188, 726/22
US Class Current

726/24
CPC Class Codes

G06F 21/566   Dynamic detection, i.e. det...

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 63/145   the attack involving the pr...

Preventing e-mail propagation of malicious computer code

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

99 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Preventing e-mail propagation of malicious computer code

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

99 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others