My Personal Tale of Malware – Undetectable!

I received an email with the subject, “FedEx Shipment Notification.” The body of the email says that I have a package waiting for me and I should open the attached PDF for more details. The grammar and spelling are fine (poor grammar and spelling are often telltale signs of a malicious email). I’m suspicious, so I check the email headers, and they confirm the mail didn’t come from FedEx servers.

I’m curious about the attached PDF, so I test it with Microsoft Security Essentials, which I have running on this PC. MSE shows that it is virus-free. I’m still suspicious, so I test the attachment at virustotal.com, a fantastic tool that tests files against 40 or so anti-virus engines running the latest updates. BTW, the bad guys test their latest inventions using this website. Only three out of 41 AV engines show that this file contains malware. Only one of the three was a major AV vendor. That’s scary.

So I wonder about the thousands, perhaps hundreds of thousands, of recipients of this mail. I wonder how AOL’s email system didn’t detect this mail as spam. More importantly, how would other recipients of this mail have handled it? My suspicion is that a large number thought the mail was legit and opened the attachment. Their PC is owned. Too late!