SlideShare a Scribd company logo

A filter that prevents the spread of mail attachment-type trojan horse computer worms

U
UltraUploader

The document describes a mail filter developed to prevent the spread of the "W32/Sircam" computer worm via email attachments. The filter checks for specific phrases and file extensions associated with W32/Sircam. When implemented on an email server, the filter successfully rejected all emails containing W32/Sircam without delaying other email traffic, ending the worm outbreak on the network within 4 days. The filter demonstrates how targeted filtering can block malware spread through email without overly restricting normal email flows.

1 of 5
Download to read offline
P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 Journal of Medical Systems, Vol. 26, No. 3, June 2002 ( C 2002) A Filter That Prevents the Spread of Mail-Attachment-Type Trojan Horse Computer Worms Shinji Kobayashi,1,4 Masamichi Goudge,2 Toshio Makie,1 Eisuke Hanada,1 Mine Harada,3 and Yoshiaki Nose1 The malicious code “W32/Sircam” is spread via e-mail and potentially through the file space shared by local area networks. Such Trojan-horse-type computer worms easily penetrate Internet firewalls and propagate via the “backdoor” to other computers. Once a malicious code, such as “W32/Sircam,” has been executed on a system, it may reveal or delete confidential data, such as clinical records. In order to protect against the leakage of clinical records, we devised a mail filter that successfully prevents the spread of mail containing this malicious code. It is significant that neither access control nor packet filtering is guaranteed to prevent the spread of this mail-attachment-type Trojan horse computer worm. KEY WORDS: Internet; security issue; clinical record; e-mail; computer worm; filter. INTRODUCTION The Internet is a powerful environment for communication and data transac- tion. Biology and medical science has benefited from the Internet, and new findings and clinical investigation are shared worldwide simultaneously by the Pubmed®, publication database.(1) Various medical applications are available on the Internet, including telemedicine,(2) educational programs,(3) and interhospital data relays.(4) On the other hand, unscrupulous individuals often attempt to use the Internet to access and steal confidential information, alter web pages or bank deposits, and spread computer viruses. CERT® reported that the number of Internet incidents has increased rapidly recently (Fig. 1).(5) 1Department of Medical Information Science, Kyushu University Graduate School of Medical Sciences, Fukuoka 812-8582, Japan. 2Kyowakai Medical Corporation, 119-1 Fudokoro, Kanuma, Tochigi 322-0033, Japan. 3Medicine and Biosystemic Science, Internal Medicine, Medicine and Surgery, Kyushu University Graduate School of Medical Sciences, Fukuoka 812-8582, Japan. 4To whom correspondence should be addressed; e-mail:skoba@intmed1.med.kyushu-u.ac.jp. 221 0148-5598/02/0600-0221/0 C 2002 Plenum Publishing Corporation
P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 222 Kobayashi, Goudge, Makie, Hanada, Harada, and Nose Fig. 1. CERT reported incidents on the Internet. Some network techniques have been developed to protect against such improper access. Packet filtering is a well-known Internet firewall that checks and controls the port of entry and the passage of packets; it allows only a secure port from the In- ternet to the intranet, and does not transmit unsecured packets from the intranet to the Internet. Hospital information systems that contain patients’ clinical records have to be carefully isolated and protected by firewalls. When clinical records are transmitted between institutions, they usually have to be encrypted to prevent unau- thorized access. Virtual private network and virtual LAN technologies are expected solutions to this security issue.(6,7) However, mail-attachment-type Trojan worms, such as “W32/Sircam,” easily get past packet filters and can send unencrypted mail to others,(8) because the worm’s own SMTP (simple mail transfer protocol) engine uses the normal SMTP port, 25, and other mail transfer agents identify the malicious code as normal mail. Once “W32/Sircam” has been executed on a Microsoft Win- dows system, it can distribute or delete files in the “My Documents” folder, such as clinical patient records. To prevent an outbreak of Trojan-horse-type worms, such as “W32/Sircam,” and to protect against leaks of medical information, we devised a filter that is used in the mail transfer agent (MTA), which successfully rejects mail contaminated with
P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 A Filter Prevents the Spread of Mail-Attachment-Type Computer Worms 223 “W32/Sircam.” This filter system should also be applicable to other malicious codes, such as “W32/Nimda.”(9) METHODS Mail Server Settings Our mail server consists of a Compaq Prolinea 4/33cx, an IBM PC/AT com- patible machine, which has an i486SX/33 MHz CPU, 12 Mbytes RAM, a 340-Mbyte HDD, and an NE-2000-compatible ethernet interface card. The network software was based on FreeBSD 2.2.8-stable as the operating system, and Postfix 20010228pl3 was installed as the mail transfer agent with the PCRE (Perl Compatible Regu- lar Expression) option. The configuration file was changed to enable the new filter (List 1). Filter Setup The filter (List 2) was taken from a Postfix users’ mailing list.(10) First, the filter checks whether mail contains the “W32/Sircam” phrase “Hi! How are you!=3F.” Then, the filter checks whether the mail attachment has a double file extension, such as “vbs.pif.,” enabling it to reject “W32/Sircam” and its variants. As described, the filter should be able to detect specific expressions allowing it to be applied to other malicious mail. We used the “W32/Nimda” phrase to test this. RESULTS The system log (List 3) shows that the MTA rejected “W32/Sircam” and trans- ferred other mail normally. We adopted the filter 1 day after we had received the first mail contaminated with “W32/Sircam,” and the next day, this filter successfully rejected all “W32/Sircam” mail without delaying mail transactions, thereby ending the “W32/Sircam” epidemic (Fig. 2) on our network. DISCUSSION From the beginning, the Internet has been constructed and managed by well- intentioned people, using an open network policy and protocols. It has expanded and grown worldwide into a standard global network. There are many helpful medical applications on the Internet.(2–5) Some malicious individuals seek to attack the vulnerability of the Internet; CERT® has reported a rapid increase in such incidents.(6) Health information sys- tems usually adopt Internet security measures, including restricted access policies, multilevel firewalls, and verbose encryption for site-to-site data transmission.(6,7)
P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 224 Kobayashi, Goudge, Makie, Hanada, Harada, and Nose List 1. The main.cf (Postfix configuration file) included the following phrase to enable the filter. List 2. body checks. The body of the filter checks for “W32/Sircam” phrases and extensions using PCRE (Perl Compatible Regular Expression) obtained from a Postfix users’ mailing list (http://www.postfix.org/lists/). Lines 1 and 2 check for the “W32/Sircam” phrase. Lines 3 and 4 check for the “W32/Sircam” attachment files. Line 5 checks for the “W32/Nimda” phrase. List 3. This log shows that our mail server, “hitokage,” checked the mail and rejected contam- inated mail. The e-mail address, IP address, and host name are hidden for privacy. Because the novel and malicious code of “W32/Sircam” has the potential to leak confidential clinical patient records, and cannot be easily monitored, we used a filter on the MTA. If we adopted more restrictive checking rules, the MTA might reject normal mail and intrude on the privacy of users. Every user is informed of mail
P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 A Filter Prevents the Spread of Mail-Attachment-Type Computer Worms 225 Fig. 2. “W32/Sircam” epidemic. “W32/Sircam” reached our mail server on Day 1 and we adopted the filter the next day. The epidemic ended after 4 days. The line shows the total mail the server transferred (on the left axis). The solid bar is the number of contaminated e-mails and the open bar shows the number of e-mails the filter checked and rejected (on the right axis). security policy, but some people do not check any of their mail carefully, so ultimately the mail filter must be used on each computer and operating system. It is very significant that a firewall, site-to-site security model does not guarantee protection against “W32/Sircam,” so we must develop the next generation of security model. REFERENCES 1. Wheeler, D. L., Church, D. M., Lash, A. E., Leipe, D. D., Madden, T. L., Pontius J. U., Schuler, G. D., Schriml, L. M., Tatusova, T. A., Wagner, L., and Rapp, B. A., Database resources of the National Center for Biotechnology Information. Nucleic Acids Res. 28(1):10–14, 2000. 2. Aris, I. B., Wagie, A. A., Mariun, N. B., and Jammal, A. B., An Internet-based blood pressure moni- toring system for patients. J. Telemed. Telecare 7(1):51–53, 2001. 3. Danier, P., Le Beux, P., Delamarre, D., Fresnel, A., Cleret, M., Courtin, C., Seka, L. P., Pouliquen, B., Cleran, L., Riou, C., Burgun, A., Jarno, P., Leduff, F., Lesaux, H., and Duvauferrier, R., A network of web multimedia medical information servers for a medical school and university hospital. Int. J. Med. Inf. 46(1):41–51, 1997. 4. Interhospital network system using the world wide web and the common gateway interface, J. Digit. Imaging 12(2 Suppl. 1):205–207, 1999. 5. CERT® Coordination Center, CERT/CC Statistics 1988–2001 Number of incidents, 2001. Available from: http://www.cert.org/stats/ 6. Bergeron, B., Is it safe? Security speed bumps on the information highway. J. Med. Pract. Manage. 16(6):297–300, 2001. 7. Sakamoto, N., A secure framework on the basis of public key infrastructure for dynamic healthcare information services in wide area distributed environments, Japan J. Med. Inf. 20(2):125–134, 2001. 8. Danyliw, R., Dougherty, C., and Householder, A., CERT® Advisory CA-2001-22 W32/Sircam Malicious Code, 2001. Available from: http://www.cert.org/advisories/CA-2001-22.html 9. Danyliw, R., Dougherty, C., Householder, A., and Ruefle, R., CERT® Advisory CA-2001-26 W32/Nimda Worm, 2001. Available from: http://www.cert.org/advisories/CA-2001-26.html 10. Postfix users mailing list, http://www.postfix.org/lists/

Recommended

A survey on evil twin detection methods for wireless local area network
A survey on evil twin detection methods for wireless local area networkA survey on evil twin detection methods for wireless local area network
A survey on evil twin detection methods for wireless local area network
IAEME Publication
 
Comsnets wban ppt
Comsnets wban pptComsnets wban ppt
Comsnets wban ppt
hemanthdreamz
 
Design and Development of a Warning System for Early Season Control of Powder...
Design and Development of a Warning System for Early Season Control of Powder...Design and Development of a Warning System for Early Season Control of Powder...
Design and Development of a Warning System for Early Season Control of Powder...
IOSRJEEE
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Wireless Body Area network
Wireless Body Area networkWireless Body Area network
Wireless Body Area network
Rajeev N
 
Method and apparatus for network immunization
Method and apparatus for network immunizationMethod and apparatus for network immunization
Method and apparatus for network immunization
Tal Lavian Ph.D.
 
A physiological decomposition of virus and worm programs
A physiological decomposition of virus and worm programsA physiological decomposition of virus and worm programs
A physiological decomposition of virus and worm programs
UltraUploader
 
Anatomy of a semantic virus
Anatomy of a semantic virusAnatomy of a semantic virus
Anatomy of a semantic virus
UltraUploader
 

Recommended

A survey on evil twin detection methods for wireless local area network
A survey on evil twin detection methods for wireless local area networkA survey on evil twin detection methods for wireless local area network
A survey on evil twin detection methods for wireless local area network
IAEME Publication
 
Comsnets wban ppt
Comsnets wban pptComsnets wban ppt
Comsnets wban ppt
hemanthdreamz
 
Design and Development of a Warning System for Early Season Control of Powder...
Design and Development of a Warning System for Early Season Control of Powder...Design and Development of a Warning System for Early Season Control of Powder...
Design and Development of a Warning System for Early Season Control of Powder...
IOSRJEEE
 
Broadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitorBroadband network virus detection system based on bypass monitor
Broadband network virus detection system based on bypass monitor
UltraUploader
 
Wireless Body Area network
Wireless Body Area networkWireless Body Area network
Wireless Body Area network
Rajeev N
 
Method and apparatus for network immunization
Method and apparatus for network immunizationMethod and apparatus for network immunization
Method and apparatus for network immunization
Tal Lavian Ph.D.
 
A physiological decomposition of virus and worm programs
A physiological decomposition of virus and worm programsA physiological decomposition of virus and worm programs
A physiological decomposition of virus and worm programs
UltraUploader
 
Anatomy of a semantic virus
Anatomy of a semantic virusAnatomy of a semantic virus
Anatomy of a semantic virus
UltraUploader
 
Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functions
UltraUploader
 
A memory symptom based virus detection approach
A memory symptom based virus detection approachA memory symptom based virus detection approach
A memory symptom based virus detection approach
UltraUploader
 
An overview of computer viruses in a research environment
An overview of computer viruses in a research environmentAn overview of computer viruses in a research environment
An overview of computer viruses in a research environment
UltraUploader
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
UltraUploader
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challenges
UltraUploader
 
A general definition of malware
A general definition of malwareA general definition of malware
A general definition of malware
UltraUploader
 
Adequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detectionAdequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detection
UltraUploader
 
A software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer virusesA software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer viruses
UltraUploader
 
A semantics based approach to malware detection
A semantics based approach to malware detectionA semantics based approach to malware detection
A semantics based approach to malware detection
UltraUploader
 
A virtual honeypot framework
A virtual honeypot frameworkA virtual honeypot framework
A virtual honeypot framework
UltraUploader
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
UltraUploader
 
A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...
UltraUploader
 
A model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real timeA model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real time
UltraUploader
 
Analysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer virusesAnalysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer viruses
UltraUploader
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
UltraUploader
 
A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...
UltraUploader
 
Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...
UltraUploader
 
A REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITYA REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITY
ijiert bestjournal
 
The internet
The internetThe internet
The internet
Beryl Mergal
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
IJRES Journal
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network Security
Editor IJMTER
 
Secret key generation
Secret key generationSecret key generation
Secret key generation
Karthikeyan Ece venkatesan
 

More Related Content

Viewers also liked

Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functions
UltraUploader
 
A memory symptom based virus detection approach
A memory symptom based virus detection approachA memory symptom based virus detection approach
A memory symptom based virus detection approach
UltraUploader
 
An overview of computer viruses in a research environment
An overview of computer viruses in a research environmentAn overview of computer viruses in a research environment
An overview of computer viruses in a research environment
UltraUploader
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
UltraUploader
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challenges
UltraUploader
 
A general definition of malware
A general definition of malwareA general definition of malware
A general definition of malware
UltraUploader
 
Adequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detectionAdequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detection
UltraUploader
 
A software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer virusesA software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer viruses
UltraUploader
 
A semantics based approach to malware detection
A semantics based approach to malware detectionA semantics based approach to malware detection
A semantics based approach to malware detection
UltraUploader
 
A virtual honeypot framework
A virtual honeypot frameworkA virtual honeypot framework
A virtual honeypot framework
UltraUploader
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
UltraUploader
 
A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...
UltraUploader
 
A model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real timeA model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real time
UltraUploader
 
Analysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer virusesAnalysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer viruses
UltraUploader
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
UltraUploader
 
A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...
UltraUploader
 
Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...
UltraUploader
 

Viewers also liked (17)

Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functions
 
A memory symptom based virus detection approach
A memory symptom based virus detection approachA memory symptom based virus detection approach
A memory symptom based virus detection approach
 
An overview of computer viruses in a research environment
An overview of computer viruses in a research environmentAn overview of computer viruses in a research environment
An overview of computer viruses in a research environment
 
Anti virus in the corporate arena
Anti virus in the corporate arenaAnti virus in the corporate arena
Anti virus in the corporate arena
 
Advanced routing worm and its security challenges
Advanced routing worm and its security challengesAdvanced routing worm and its security challenges
Advanced routing worm and its security challenges
 
A general definition of malware
A general definition of malwareA general definition of malware
A general definition of malware
 
Adequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detectionAdequacy of checksum algorithms for computer virus detection
Adequacy of checksum algorithms for computer virus detection
 
A software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer virusesA software authentication system for the prevention of computer viruses
A software authentication system for the prevention of computer viruses
 
A semantics based approach to malware detection
A semantics based approach to malware detectionA semantics based approach to malware detection
A semantics based approach to malware detection
 
A virtual honeypot framework
A virtual honeypot frameworkA virtual honeypot framework
A virtual honeypot framework
 
An email worm vaccine architecture
An email worm vaccine architectureAn email worm vaccine architecture
An email worm vaccine architecture
 
A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...A study of detecting computer viruses in real infected files in the n-gram re...
A study of detecting computer viruses in real infected files in the n-gram re...
 
A model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real timeA model for detecting the existence of unknown computer viruses in real time
A model for detecting the existence of unknown computer viruses in real time
 
Analysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer virusesAnalysis and detection of metamorphic computer viruses
Analysis and detection of metamorphic computer viruses
 
An approach to containing computer viruses
An approach to containing computer virusesAn approach to containing computer viruses
An approach to containing computer viruses
 
A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...A theoretical model of differential social attributions toward computing tech...
A theoretical model of differential social attributions toward computing tech...
 
Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...Application of data mining based malicious code detection techniques for dete...
Application of data mining based malicious code detection techniques for dete...
 

Similar to A filter that prevents the spread of mail attachment-type trojan horse computer worms

A REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITYA REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITY
ijiert bestjournal
 
The internet
The internetThe internet
The internet
Beryl Mergal
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
IJRES Journal
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network Security
Editor IJMTER
 
Secret key generation
Secret key generationSecret key generation
Secret key generation
Karthikeyan Ece venkatesan
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
pharmaindexing
 
IRJET- Security from Threats of Computer System
IRJET- Security from Threats of Computer SystemIRJET- Security from Threats of Computer System
IRJET- Security from Threats of Computer System
IRJET Journal
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...
UltraUploader
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
EMMAIntl
 
07 analysis of scada security models
07 analysis of scada security models07 analysis of scada security models
07 analysis of scada security models
omriyad
 
Protocols for Wireless Sensor Networks and Its Security
Protocols for Wireless Sensor Networks and Its SecurityProtocols for Wireless Sensor Networks and Its Security
Protocols for Wireless Sensor Networks and Its Security
IJERA Editor
 
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGESEMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
IJNSA Journal
 
Kr3618261830
Kr3618261830Kr3618261830
Kr3618261830
IJERA Editor
 
Experimental analysis of intrusion detection systems using machine learning a...
Experimental analysis of intrusion detection systems using machine learning a...Experimental analysis of intrusion detection systems using machine learning a...
Experimental analysis of intrusion detection systems using machine learning a...
IJECEIAES
 
Cybercrimes
CybercrimesCybercrimes
Cybercrimes
Elanthendral Mariappan
 
04.01.26.Handout
04.01.26.Handout04.01.26.Handout
04.01.26.Handout
Mohammad Al-Ubaydli
 
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification SystemA Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
IJCSEA Journal
 
Ii3415521555
Ii3415521555Ii3415521555
Ii3415521555
IJERA Editor
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
International Journal of Engineering Inventions www.ijeijournal.com
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
IJRES Journal
 

Similar to A filter that prevents the spread of mail attachment-type trojan horse computer worms (20)

A REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITYA REVIEW OF COMPUTER AND NETWORK SECURITY
A REVIEW OF COMPUTER AND NETWORK SECURITY
 
The internet
The internetThe internet
The internet
 
Peripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network SecurityPeripheral Review and Analysis of Internet Network Security
Peripheral Review and Analysis of Internet Network Security
 
Prevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network SecurityPrevention based mechanism for attacks in Network Security
Prevention based mechanism for attacks in Network Security
 
Secret key generation
Secret key generationSecret key generation
Secret key generation
 
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
AN EFFICIENT SEMANTIC DATA ALIGNMENT BASED FCM TO INFER USER SEARCH GOALS USI...
 
IRJET- Security from Threats of Computer System
IRJET- Security from Threats of Computer SystemIRJET- Security from Threats of Computer System
IRJET- Security from Threats of Computer System
 
Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...Application of hardware accelerated extensible network nodes for internet wor...
Application of hardware accelerated extensible network nodes for internet wor...
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
07 analysis of scada security models
07 analysis of scada security models07 analysis of scada security models
07 analysis of scada security models
 
Protocols for Wireless Sensor Networks and Its Security
Protocols for Wireless Sensor Networks and Its SecurityProtocols for Wireless Sensor Networks and Its Security
Protocols for Wireless Sensor Networks and Its Security
 
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGESEMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
EMERGENCY RESPONSE COMMUNICATIONS AND ASSOCIATED SECURITY CHALLENGES
 
Kr3618261830
Kr3618261830Kr3618261830
Kr3618261830
 
Experimental analysis of intrusion detection systems using machine learning a...
Experimental analysis of intrusion detection systems using machine learning a...Experimental analysis of intrusion detection systems using machine learning a...
Experimental analysis of intrusion detection systems using machine learning a...
 
Cybercrimes
CybercrimesCybercrimes
Cybercrimes
 
04.01.26.Handout
04.01.26.Handout04.01.26.Handout
04.01.26.Handout
 
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification SystemA Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
A Cloud-Based Prototype Implementation of a Disease Outbreak Notification System
 
Ii3415521555
Ii3415521555Ii3415521555
Ii3415521555
 
Utilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA NetworksUtilization of Encryption for Security in SCADA Networks
Utilization of Encryption for Security in SCADA Networks
 
Encryption Security in SCADA Networks
Encryption Security in SCADA NetworksEncryption Security in SCADA Networks
Encryption Security in SCADA Networks
 

More from UltraUploader

01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hackingUltraUploader
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)UltraUploader
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
UltraUploader
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...UltraUploader
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manualeUltraUploader
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)UltraUploader
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)UltraUploader
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoriaUltraUploader
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
UltraUploader
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
UltraUploader
 
Blast off!
Blast off!Blast off!
Blast off!
UltraUploader
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
UltraUploader
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
UltraUploader
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
UltraUploader
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
UltraUploader
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
UltraUploader
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
UltraUploader
 

More from UltraUploader (20)

1 (1)
1 (1)1 (1)
1 (1)
 
01 intro
01 intro01 intro
01 intro
 
01 le 10 regole dell'hacking
01 le 10 regole dell'hacking01 le 10 regole dell'hacking
01 le 10 regole dell'hacking
 
00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)00 the big guide sz (by dr.to-d)
00 the big guide sz (by dr.to-d)
 
[E book ita] php manual
[E book ita] php manual[E book ita] php manual
[E book ita] php manual
 
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
[Ebook ita - security] introduzione alle tecniche di exploit - mori - ifoa ...
 
[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale[Ebook ita - database] access 2000 manuale
[Ebook ita - database] access 2000 manuale
 
(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)(E book) cracking & hacking tutorial 1000 pagine (ita)
(E book) cracking & hacking tutorial 1000 pagine (ita)
 
(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)(Ebook ita - inform - access) guida al database access (doc)
(Ebook ita - inform - access) guida al database access (doc)
 
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria(Ebook computer - ita - pdf) fondamenti di informatica - teoria
(Ebook computer - ita - pdf) fondamenti di informatica - teoria
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...
 
Blast off!
Blast off!Blast off!
Blast off!
 
Bird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassemblyBird binary interpretation using runtime disassembly
Bird binary interpretation using runtime disassembly
 
Biologically inspired defenses against computer viruses
Biologically inspired defenses against computer virusesBiologically inspired defenses against computer viruses
Biologically inspired defenses against computer viruses
 
Biological versus computer viruses
Biological versus computer virusesBiological versus computer viruses
Biological versus computer viruses
 
Biological aspects of computer virology
Biological aspects of computer virologyBiological aspects of computer virology
Biological aspects of computer virology
 
Biological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networksBiological models of security for virus propagation in computer networks
Biological models of security for virus propagation in computer networks
 
Binary obfuscation using signals
Binary obfuscation using signalsBinary obfuscation using signals
Binary obfuscation using signals
 

A filter that prevents the spread of mail attachment-type trojan horse computer worms

  • 1. P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 Journal of Medical Systems, Vol. 26, No. 3, June 2002 ( C 2002) A Filter That Prevents the Spread of Mail-Attachment-Type Trojan Horse Computer Worms Shinji Kobayashi,1,4 Masamichi Goudge,2 Toshio Makie,1 Eisuke Hanada,1 Mine Harada,3 and Yoshiaki Nose1 The malicious code “W32/Sircam” is spread via e-mail and potentially through the file space shared by local area networks. Such Trojan-horse-type computer worms easily penetrate Internet firewalls and propagate via the “backdoor” to other computers. Once a malicious code, such as “W32/Sircam,” has been executed on a system, it may reveal or delete confidential data, such as clinical records. In order to protect against the leakage of clinical records, we devised a mail filter that successfully prevents the spread of mail containing this malicious code. It is significant that neither access control nor packet filtering is guaranteed to prevent the spread of this mail-attachment-type Trojan horse computer worm. KEY WORDS: Internet; security issue; clinical record; e-mail; computer worm; filter. INTRODUCTION The Internet is a powerful environment for communication and data transac- tion. Biology and medical science has benefited from the Internet, and new findings and clinical investigation are shared worldwide simultaneously by the Pubmed®, publication database.(1) Various medical applications are available on the Internet, including telemedicine,(2) educational programs,(3) and interhospital data relays.(4) On the other hand, unscrupulous individuals often attempt to use the Internet to access and steal confidential information, alter web pages or bank deposits, and spread computer viruses. CERT® reported that the number of Internet incidents has increased rapidly recently (Fig. 1).(5) 1Department of Medical Information Science, Kyushu University Graduate School of Medical Sciences, Fukuoka 812-8582, Japan. 2Kyowakai Medical Corporation, 119-1 Fudokoro, Kanuma, Tochigi 322-0033, Japan. 3Medicine and Biosystemic Science, Internal Medicine, Medicine and Surgery, Kyushu University Graduate School of Medical Sciences, Fukuoka 812-8582, Japan. 4To whom correspondence should be addressed; e-mail:skoba@intmed1.med.kyushu-u.ac.jp. 221 0148-5598/02/0600-0221/0 C 2002 Plenum Publishing Corporation
  • 2. P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 222 Kobayashi, Goudge, Makie, Hanada, Harada, and Nose Fig. 1. CERT reported incidents on the Internet. Some network techniques have been developed to protect against such improper access. Packet filtering is a well-known Internet firewall that checks and controls the port of entry and the passage of packets; it allows only a secure port from the In- ternet to the intranet, and does not transmit unsecured packets from the intranet to the Internet. Hospital information systems that contain patients’ clinical records have to be carefully isolated and protected by firewalls. When clinical records are transmitted between institutions, they usually have to be encrypted to prevent unau- thorized access. Virtual private network and virtual LAN technologies are expected solutions to this security issue.(6,7) However, mail-attachment-type Trojan worms, such as “W32/Sircam,” easily get past packet filters and can send unencrypted mail to others,(8) because the worm’s own SMTP (simple mail transfer protocol) engine uses the normal SMTP port, 25, and other mail transfer agents identify the malicious code as normal mail. Once “W32/Sircam” has been executed on a Microsoft Win- dows system, it can distribute or delete files in the “My Documents” folder, such as clinical patient records. To prevent an outbreak of Trojan-horse-type worms, such as “W32/Sircam,” and to protect against leaks of medical information, we devised a filter that is used in the mail transfer agent (MTA), which successfully rejects mail contaminated with
  • 3. P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 A Filter Prevents the Spread of Mail-Attachment-Type Computer Worms 223 “W32/Sircam.” This filter system should also be applicable to other malicious codes, such as “W32/Nimda.”(9) METHODS Mail Server Settings Our mail server consists of a Compaq Prolinea 4/33cx, an IBM PC/AT com- patible machine, which has an i486SX/33 MHz CPU, 12 Mbytes RAM, a 340-Mbyte HDD, and an NE-2000-compatible ethernet interface card. The network software was based on FreeBSD 2.2.8-stable as the operating system, and Postfix 20010228pl3 was installed as the mail transfer agent with the PCRE (Perl Compatible Regu- lar Expression) option. The configuration file was changed to enable the new filter (List 1). Filter Setup The filter (List 2) was taken from a Postfix users’ mailing list.(10) First, the filter checks whether mail contains the “W32/Sircam” phrase “Hi! How are you!=3F.” Then, the filter checks whether the mail attachment has a double file extension, such as “vbs.pif.,” enabling it to reject “W32/Sircam” and its variants. As described, the filter should be able to detect specific expressions allowing it to be applied to other malicious mail. We used the “W32/Nimda” phrase to test this. RESULTS The system log (List 3) shows that the MTA rejected “W32/Sircam” and trans- ferred other mail normally. We adopted the filter 1 day after we had received the first mail contaminated with “W32/Sircam,” and the next day, this filter successfully rejected all “W32/Sircam” mail without delaying mail transactions, thereby ending the “W32/Sircam” epidemic (Fig. 2) on our network. DISCUSSION From the beginning, the Internet has been constructed and managed by well- intentioned people, using an open network policy and protocols. It has expanded and grown worldwide into a standard global network. There are many helpful medical applications on the Internet.(2–5) Some malicious individuals seek to attack the vulnerability of the Internet; CERT® has reported a rapid increase in such incidents.(6) Health information sys- tems usually adopt Internet security measures, including restricted access policies, multilevel firewalls, and verbose encryption for site-to-site data transmission.(6,7)
  • 4. P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 224 Kobayashi, Goudge, Makie, Hanada, Harada, and Nose List 1. The main.cf (Postfix configuration file) included the following phrase to enable the filter. List 2. body checks. The body of the filter checks for “W32/Sircam” phrases and extensions using PCRE (Perl Compatible Regular Expression) obtained from a Postfix users’ mailing list (http://www.postfix.org/lists/). Lines 1 and 2 check for the “W32/Sircam” phrase. Lines 3 and 4 check for the “W32/Sircam” attachment files. Line 5 checks for the “W32/Nimda” phrase. List 3. This log shows that our mail server, “hitokage,” checked the mail and rejected contam- inated mail. The e-mail address, IP address, and host name are hidden for privacy. Because the novel and malicious code of “W32/Sircam” has the potential to leak confidential clinical patient records, and cannot be easily monitored, we used a filter on the MTA. If we adopted more restrictive checking rules, the MTA might reject normal mail and intrude on the privacy of users. Every user is informed of mail
  • 5. P1: GVH/IBV P2: GDR Journal of Medical Systems [joms] PP405-368574 March 23, 2002 17:39 Style file version Nov. 19th, 1999 A Filter Prevents the Spread of Mail-Attachment-Type Computer Worms 225 Fig. 2. “W32/Sircam” epidemic. “W32/Sircam” reached our mail server on Day 1 and we adopted the filter the next day. The epidemic ended after 4 days. The line shows the total mail the server transferred (on the left axis). The solid bar is the number of contaminated e-mails and the open bar shows the number of e-mails the filter checked and rejected (on the right axis). security policy, but some people do not check any of their mail carefully, so ultimately the mail filter must be used on each computer and operating system. It is very significant that a firewall, site-to-site security model does not guarantee protection against “W32/Sircam,” so we must develop the next generation of security model. REFERENCES 1. Wheeler, D. L., Church, D. M., Lash, A. E., Leipe, D. D., Madden, T. L., Pontius J. U., Schuler, G. D., Schriml, L. M., Tatusova, T. A., Wagner, L., and Rapp, B. A., Database resources of the National Center for Biotechnology Information. Nucleic Acids Res. 28(1):10–14, 2000. 2. Aris, I. B., Wagie, A. A., Mariun, N. B., and Jammal, A. B., An Internet-based blood pressure moni- toring system for patients. J. Telemed. Telecare 7(1):51–53, 2001. 3. Danier, P., Le Beux, P., Delamarre, D., Fresnel, A., Cleret, M., Courtin, C., Seka, L. P., Pouliquen, B., Cleran, L., Riou, C., Burgun, A., Jarno, P., Leduff, F., Lesaux, H., and Duvauferrier, R., A network of web multimedia medical information servers for a medical school and university hospital. Int. J. Med. Inf. 46(1):41–51, 1997. 4. Interhospital network system using the world wide web and the common gateway interface, J. Digit. Imaging 12(2 Suppl. 1):205–207, 1999. 5. CERT® Coordination Center, CERT/CC Statistics 1988–2001 Number of incidents, 2001. Available from: http://www.cert.org/stats/ 6. Bergeron, B., Is it safe? Security speed bumps on the information highway. J. Med. Pract. Manage. 16(6):297–300, 2001. 7. Sakamoto, N., A secure framework on the basis of public key infrastructure for dynamic healthcare information services in wide area distributed environments, Japan J. Med. Inf. 20(2):125–134, 2001. 8. Danyliw, R., Dougherty, C., and Householder, A., CERT® Advisory CA-2001-22 W32/Sircam Malicious Code, 2001. Available from: http://www.cert.org/advisories/CA-2001-22.html 9. Danyliw, R., Dougherty, C., Householder, A., and Ruefle, R., CERT® Advisory CA-2001-26 W32/Nimda Worm, 2001. Available from: http://www.cert.org/advisories/CA-2001-26.html 10. Postfix users mailing list, http://www.postfix.org/lists/