According to email clients and anti-virus, an EXE disguised as a PDF is not suspicious?!

So seriously, why can't email clients like Outlook, as well as virus scanners, flag EXE files disguised as other things?

For instance, at work we got one the other day that was a fake Microsoft notification.

Subject: Important Changes to Microsoft Services Agreement

It basically asks you to open the attached file to see the details. The attached file is – inside that is “Microsoft Services Agreement.pdf.exe”

I scanned it with the virus scanner (with up-to-date definitions). It doesn't flag it as suspicious.

Not suspicious?! It's a frigging EXE disguised as a PDF. Windows users who have the default “Hide known extensions” on* will see it as a PDF. How is that not suspicious?

*That's a stupid default, too.


One thought on “According to email clients and anti-virus, an EXE disguised as a PDF is not suspicious?!”

  1. mike smith

    The short answer is, they can, and some do. When I’ve legitimately wished to email an exe, it resisted multiple levels of obfuscation. I had an exe file, with exe renamed to _exe_ inside a zip renamed to _zip_ - it still complained I was emailing an exe file, and refused. It had to be using the magic number that represents a zip (50 4B) – then opening that, looking at the contents, and realising that it was a PE format file (executable). I think this was gmail.
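
The content-based check the commenter describes, written out as an added example (this is not code from the post, the commenter, or any mail provider): identify an attachment by its magic bytes rather than its name, descend into anything that is really a zip, and flag entries whose DOS/PE headers mark them as executables or whose name carries a decoy extension such as `.pdf.exe`. The sample attachment is constructed in memory; the extension lists and the size limit are assumptions for the example.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"     # 50 4B 03 04: local file header of a zip
MZ_MAGIC = b"MZ"              # DOS stub header present in every PE file
PE_SIGNATURE = b"PE\x00\x00"  # located via e_lfanew at offset 0x3C

# Assumed lists for the example: executable extensions and the decoys seen hiding them.
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}
DECOY_EXTENSIONS = {"pdf", "doc", "txt", "jpg"}
MAX_ENTRY_SIZE = 50_000_000   # assumption: refuse to unpack huge entries (zip bombs)


def is_pe(data: bytes) -> bool:
    """True if the bytes have a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def has_double_extension(name: str) -> bool:
    """'Agreement.pdf.exe' -> True: a decoy extension sits in front of a real executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] in EXEC_EXTENSIONS and parts[1] in DECOY_EXTENSIONS


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return findings for one attachment, recursing into zip content no matter what it is called."""
    findings = []
    if is_pe(data):
        findings.append(f"{name}: PE executable by content")
    if has_double_extension(name):
        findings.append(f"{name}: decoy extension before executable extension")
    if data[:4] == ZIP_MAGIC and depth < 3:  # identified by magic bytes, not by '.zip'
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_ENTRY_SIZE:
                    findings.append(f"{name}/{info.filename}: skipped, entry too large")
                    continue
                findings.extend(scan_attachment(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE-shaped bytes: MZ header, e_lfanew = 0x40, then the PE signature."""
    header = bytearray(0x40)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\x00" * 16


def build_sample_zip(inner_name: str, inner_data: bytes) -> bytes:
    """Constructed in-memory zip wrapping one entry, standing in for the renamed _zip_ attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, inner_data)
    return buf.getvalue()
```

Running `scan_attachment("attachment._zip_", build_sample_zip("Microsoft Services Agreement.pdf.exe", build_sample_pe()))` reports both the PE content and the decoy extension even though neither the outer nor the inner name ends in an obvious `.zip` or `.exe`.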
