Title of invention: METHOD FOR DETECTING MALWARE INFECTED TERMINAL BASED ON COMMERCIAL E-MAIL
Abstract: Provided is a method for detecting a malicious-code-infected terminal based on a commercial e-mail, comprising the steps of: detecting reception information from a received e-mail; identifying a unique reception end area by comparing domains and removing relays on the receiving side; checking whether a false Received field appears by using a from-by tracking method; checking the domains corresponding to 'from' and 'by' in every Received field in order to recognize the number of sending domains, excluding the final reception domain; detecting a sending Internet Protocol (IP) address according to the number of recognized domains; determining whether the detected sending IP violates a mail transmission agent (MTA); and classifying the type of the received mail by the attack method used, according to whether a false Received field appears, the number of recognized domains, and whether the MTA is violated. According to the present invention, the e-mail addresses of the sender and receiver, the sender IP, and the mail reception time are directly extracted from a commercial e-mail file and analyzed. The detection performance for malicious-code-infected terminals can be increased by classifying the type of the received mail by the attack method used, according to whether a false Received field appears, the number of recognized domains, and whether the MTA is violated.
Publication No.: KR101535503(B1) Publication date: 2015.07.09
Application No.: KR20140021899 Filing date: 2014.02.25
Applicant: KOREA INTERNET & SECURITY AGENCY Inventors: CHO, HYEI SUN;LEE, CHANG YONG;LEE, TAI JIN;KIM, BYUNG IK;YOO, DAE HOON;HAN, YOUNG IL;KANG, HONG KOO;KIM, JI SANG;SON, KYUNG HO;PARK, HAE RYONG
Classification: H04L12/26;H04L12/22;H04L12/58 Main classification: H04L12/26
Agency: Agent:
Principal claim:
Address:
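
The relay removal, from-by tracking and domain counting steps named in the abstract can be sketched as follows. This is an added example, not the patent's claimed implementation. The function names, the constructed sample message, the simplified Received layout, the last-two-label domain comparison, and the rule of taking the sending IP from the oldest hop still linked to the receiver are all assumptions; the MTA check and the mail-type classification are left out because the abstract does not specify them.

```python
import re
from email import message_from_string

# Constructed sample (documentation domains and IPs). The oldest Received line
# is stamped "by" a host that the next hop never names in its "from" clause.
SAMPLE = """\
Received: from mx1.rcpt.example by mbox.rcpt.example; Tue, 25 Feb 2014 10:00:03 +0900
Received: from out.relay.example ([198.51.100.7]) by mx1.rcpt.example; Tue, 25 Feb 2014 10:00:02 +0900
Received: from mail.bank.example ([203.0.113.9]) by gw.other.example; Tue, 25 Feb 2014 10:00:01 +0900
From: a@bank.example
To: b@rcpt.example
Subject: constructed test

body
"""

# Matches only the simple "from HOST ([IP]) by HOST" layout used in SAMPLE.
HOP = re.compile(r"from\s+([\w.-]+)(?:\s+\(\[([\da-fA-F.:]+)\]\))?\s+by\s+([\w.-]+)")

def reg_domain(host):
    # Assumption: the last two labels form the domain (no public suffix list).
    return ".".join(host.lower().split(".")[-2:])

def parse_hops(raw):
    hops = []
    for value in message_from_string(raw).get_all("Received", []):  # newest first
        m = HOP.search(value)
        if m:
            hops.append({"from": reg_domain(m[1]), "ip": m[2], "by": reg_domain(m[3])})
    return hops

def analyze(raw, rcpt_domain):
    # Remove receiving-side relays: hand-offs inside the recipient's own domain.
    hops = [h for h in parse_hops(raw)
            if not (h["from"] == rcpt_domain and h["by"] == rcpt_domain)]
    # From-by tracking, newest to oldest: the domain a hop received "from" must
    # be the domain that stamped "by" on the next older hop.
    trusted, false_received = hops[:1], False
    for newer, older in zip(hops, hops[1:]):
        if newer["from"] != older["by"]:
            false_received = True
            break
        trusted.append(older)
    domains = {d for h in trusted for d in (h["from"], h["by"])} - {rcpt_domain}
    return {"false_received": false_received,
            "sending_domains": len(domains),
            "sending_ip": trusted[-1]["ip"] if trusted else None}

if __name__ == "__main__":
    print(analyze(SAMPLE, "rcpt.example"))
```

Headers below a break in the chain are not trusted, so the reported IP is the one recorded by the last hop that still links back to the receiving side.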