Presently, malicious software (malware) such as worms and viruses is capable of wreaking havoc on computing systems and networks by infecting the system and consuming bandwidth. In many cases, email is the method used to propagate the malware. Some malware (e.g., myDoom) even installs backdoor access to the infected system. Therefore, even though the infected system might ultimately be cleaned up (and hopefully recovered from any damage via backup), and the resulting network traffic congestion is only a temporary (although costly) problem, the installation of a backdoor on the infected system can lead to a total bypass of perimeter defenses at both the network and the host level. In many cases, the infected system is only detected once the latest anti-virus signatures are installed.
In almost all cases, waiting for the anti-virus signature update leaves the system or network vulnerable for a day or more. This delay results from the anti-virus vendor investigating the virus, assembling a signature, and then distributing that signature to all of the anti-virus agents. In addition, anti-virus signatures are not very effective against worms that are polymorphic, i.e., that change their behavior as they self-propagate. For example, instead of opening a backdoor on port 1434 on every infected system, the worm may configure the backdoor on a random port for each system. In other cases, the worm may simply modify certain portions of the email payload to evade the anti-virus signatures.
Presently, to counter the propagation of emailed malware from outside the firewall of a network, a spam-type recognition engine is used. In general, spam recognition is used to stop unwanted and unsolicited emails from reaching the devices within the trusted network (e.g., the devices behind the firewall). For example, when the system receives an unsolicited or bulk email, the spam filter updates a content filtering engine (e.g., a "bad boy" list of senders, subjects, sources, and the like) with the address used by the unsolicited email. In so doing, the network protected by the anti-spam engine is able to block the unsolicited email, including any malware attached to it.
However, this method does not address the problems associated with email malware being passed from one trusted system within the trusted network to one or more other trusted systems within that same network. For example, if a user within the trusted network accidentally (or maliciously) sends malware to a system within the trusted network, the spam recognition is useless. That is, since the email is generated from a “good” or recognized email address, the spam recognition engine lets the email pass as ‘a trusted email within the trusted email network’. Therefore, a large portion of (or even the entire) trusted network could be infected before the virus is detected, resulting in the deleterious problems previously described.
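The gap described above, as an added illustration that is not part of the original document: a minimal sender/subject-based content filter of the kind the text describes, fed one constructed spam report, correctly blocks a replay of that external spam but delivers a constructed internal message that carries a worm-style attachment, because the sender address is a recognized one. The block goes one step beyond the text by also showing an attachment-type policy applied regardless of sender trust; the `Email` and `SpamFilter` classes, the `RISKY_EXTENSIONS` list and all addresses are assumptions made for this example.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Email:
    sender: str
    subject: str
    attachments: List[str]


@dataclass
class SpamFilter:
    """Address/subject-based content filter (hypothetical; mirrors the 'bad boy' list above)."""
    bad_senders: Set[str] = field(default_factory=set)
    bad_subjects: Set[str] = field(default_factory=set)

    def learn_from_spam(self, msg: Email) -> None:
        # A reported spam message adds its sender and subject to the block lists.
        self.bad_senders.add(msg.sender.lower())
        self.bad_subjects.add(msg.subject.lower())

    def blocks(self, msg: Email) -> bool:
        return msg.sender.lower() in self.bad_senders or msg.subject.lower() in self.bad_subjects


# Assumed attachment-type policy; a real deployment would tune this list.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat"}


def has_risky_attachment(msg: Email) -> bool:
    return any(os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS for name in msg.attachments)


def gateway_verdict(filt: SpamFilter, msg: Email, attachment_policy: bool) -> str:
    """Return 'blocked:address', 'blocked:attachment' or 'delivered' for one message."""
    if filt.blocks(msg):
        return "blocked:address"
    if attachment_policy and has_risky_attachment(msg):
        return "blocked:attachment"
    return "delivered"


def run_scenario() -> Dict[str, str]:
    filt = SpamFilter()
    # Constructed sample messages: one external bulk mail, one internal worm-style mail.
    external_spam = Email("bulk@spam.example", "Cheap offers", ["offer.exe"])
    internal_worm = Email("alice@corp.example", "Hi", ["document.pif"])
    filt.learn_from_spam(external_spam)  # the spam engine learns from the first sighting
    return {
        "external_replay": gateway_verdict(filt, external_spam, attachment_policy=False),
        "internal_address_only": gateway_verdict(filt, internal_worm, attachment_policy=False),
        "internal_with_policy": gateway_verdict(filt, internal_worm, attachment_policy=True),
    }
```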