The present invention relates to a method of, and system for, detecting mass mailing viruses.
The internet and local- and wide-area networks are susceptible to the exploits of mass mailing viruses. Typically, these viruses involve an email with an executable attachment which, when it executes, causes more virus-containing emails to be created and sent, flooding the network with traffic and its email users with unwanted emails.
These mass mailing viruses have become increasingly sophisticated: early forms of them chose the addressees from the name and address book associated with the recipient's email client, while more recent forms use a variety of techniques to gather addresses.
As the number of mass mailing viruses has grown, the authors of anti-virus scanning systems have had to enhance their systems to try and keep up with the threat. One tried and tested technique for detecting viruses is “signature scanning”, where a file, an executable attachment in the case of email, is scanned for signatures, i.e. sequences, or patterns of sequences, of bytes which have been identified as characteristic of particular viruses. However, signature-based scanning is not particularly effective for dealing with mass mailing viruses, because the time taken for the virus to do its work and cause copies of itself to be sent is small compared with the time it takes for anti-virus software houses to disseminate updates to their system to deal with it when an outbreak of a new virus occurs. This is particularly a problem where the anti-virus service is being operated on behalf of a large number of users, as may be the case where an ISP (Internet Service Provider) carries out anti-virus scanning, of email and other files in transit, on behalf of customers as a value-added service.
The present invention is based upon an appreciation of the fact that concentrating on executable attachments overlooks a fertile source of viral-indicating information, namely the email itself, and it operates by carefully considering the whole email rather than just the attachments.
According to the present invention, there is provided a method of anti-virus processing an email having one or more executable attachments comprising the steps, executed by a machine, of:
a) extracting structural elements from the email;
b) examining the executable attachments for code, data or encoded data that could have created the structural elements extracted earlier; and
c) signalling that the attachment is possibly viral or not on the basis of the extent to which the examining step b) finds evidence that the structural elements have been created by that attachment.
The invention also provides a system for anti-virus processing an email having an executable attachment comprising the following means, implemented by a machine:
a) means for extracting structural elements from the email;
b) means for examining the executable attachments for code, data or encoded data that could have created the structural elements extracted earlier; and
c) means for signalling that the attachment is possibly viral or not on the basis of the extent to which the examining step b) finds evidence that the structural elements have been created by that attachment.
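Steps a) to c) of the method above, and the equivalent means of the system, can be illustrated with a short Python script. This is an added example written for this page, not code from the patent or its applicant. The patent names no particular structural elements, encodings or decision rule, so the fields the example collects (Subject, From, X-Mailer, the MIME boundary, body lines and the attachment filename), the encodings it searches the attachment for (plain bytes, UTF-16LE wide strings and base64 at any of the three alignments) and the 50% threshold are assumptions of the example. The sample message and its "attachment" are constructed inline; the attachment is inert bytes that merely contain the message template, standing in for a mass mailer's executable.

```python
import base64
import email
from email import policy

# Assumptions of this example (the patent text names none of these specifics):
# which header fields count as structural elements, which encodings an
# executable might store them in, and the fraction of matches that signals.
HEADER_FIELDS = ("Subject", "From", "X-Mailer")
MIN_ELEMENT_LEN = 8   # ignore short strings that could match by chance
THRESHOLD = 0.5       # fraction of elements found that signals "possibly viral"


def extract_structural_elements(raw_email: str):
    """Step a): collect the pieces a mailer must have composed (headers, boundary,
    body lines, attachment names) and return them with the decoded attachments."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    elements = [str(msg.get(f)) for f in HEADER_FIELDS if msg.get(f)]
    if msg.get_boundary():
        elements.append(msg.get_boundary())
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        lines = (line.strip() for line in body.get_content().splitlines())
        elements += [line for line in lines if len(line) >= MIN_ELEMENT_LEN]
    attachments = []
    for part in msg.iter_attachments():
        if part.get_filename():
            elements.append(part.get_filename())
        attachments.append(part.get_payload(decode=True))
    return elements, attachments


def base64_fragments(raw: bytes):
    """Base64 text that must occur in any base64 stream containing `raw`,
    one fragment per possible 3-byte alignment of `raw` within that stream."""
    fragments = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + raw).rstrip(b"=")
        start = 4 if shift else 0       # first chunk mixes in unknown neighbour bytes
        end = len(enc) - len(enc) % 4   # so does a trailing partial chunk
        fragments.append(enc[start:end])
    return fragments


def examine_attachment(elements, payload: bytes):
    """Step b): for each element, report the encoding under which the attachment
    bytes contain it (None when it is absent under every encoding tried)."""
    hits = {}
    for element in elements:
        raw = element.encode("utf-8")
        candidates = [("plain", raw), ("utf-16le", element.encode("utf-16-le"))]
        candidates += [("base64", frag) for frag in base64_fragments(raw)]
        hits[element] = next(
            (name for name, needle in candidates if needle and needle in payload), None)
    return hits


def signal(hits, threshold: float = THRESHOLD):
    """Step c): signal on the fraction of elements the attachment could have produced."""
    if not hits:
        return False, 0.0
    score = sum(1 for found in hits.values() if found) / len(hits)
    return score >= threshold, score


def classify_email(raw_email: str, threshold: float = THRESHOLD):
    """Run steps a) to c); returns (possibly_viral, score, hits) per attachment."""
    elements, attachments = extract_structural_elements(raw_email)
    results = []
    for payload in attachments:
        hits = examine_attachment(elements, payload)
        viral, score = signal(hits, threshold)
        results.append((viral, score, hits))
    return results


def build_sample_attachment() -> bytes:
    """Constructed, inert stand-in for a mass mailer's executable: plain data that
    embeds the message template it would send, in the encodings such code uses."""
    return b"".join([
        b"\x00" * 16,
        b"Your account statement\x00",                                        # plain string
        "Billing Department <billing@example.invalid>".encode("utf-16-le"),  # wide string
        b"\x00\x00",
        base64.b64encode(b"XYPlease see the attached statement for this month."),  # base64, mid-stream
        b"\x00" * 8 + b"statement.exe\x00" + b"QuickMail 1.0\x00",
    ])


def build_sample_email(payload: bytes) -> str:
    """Constructed message of the kind the sample attachment would send."""
    return (
        "From: Billing Department <billing@example.invalid>\n"
        "To: someone@example.invalid\nSubject: Your account statement\n"
        "X-Mailer: QuickMail 1.0\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007"\n\n'
        "------=_NextPart_000_0007\nContent-Type: text/plain; charset=us-ascii\n\n"
        "Please see the attached statement for this month.\n"
        "Thank you for using our service.\n\n"
        "------=_NextPart_000_0007\nContent-Type: application/octet-stream\n"
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="statement.exe"\n\n'
        f"{base64.b64encode(payload).decode('ascii')}\n"
        "------=_NextPart_000_0007--\n"
    )


if __name__ == "__main__":
    for viral, score, hits in classify_email(build_sample_email(build_sample_attachment())):
        print(f"possibly viral: {viral}  score: {score:.2f}")
        for element, how in hits.items():
            print(f"  {how or '-':9} {element}")
```

On the constructed sample the attachment accounts for five of the seven extracted elements (the boundary and the second body line are absent), so the score is 5/7 and the "possibly viral" signal is raised; a zero-filled payload scores 0 and is not flagged. The base64 search matters because an executable that stores its template as encoded data contains none of the plain strings; the three fragments cover each way an element can fall against the 3-byte grouping of the stream. Case-folding and further encodings (XOR, UTF-16BE, compressed resources) are left out here.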