

April 29th, 2013

High profile site scares users

We come across plenty of malware reports every day. Sometimes we have to deal with special cases where a respected vendor is involved. This time it was the Dell driver download site.

Download site

The “Download file” link leads to this unexpected screen (our user complained about a false positive):

What a surprise?!

Well, if I were an average user, I’d be somewhat confused as well. But I know where to look when it comes to Sality. First of all, the file is supposed to be signed with a digital certificate (according to the PE header), but there is no valid signature (even the Digital Signatures tab in the file properties dialog does not appear):

No digital signature

On the other hand, what we can easily find in the file is an evident sign of Sality presence:

Traces of Sality

The highlighted section was added by Sality. Fortunately, it has not been filled with a viable Sality body (the file seems to have been either incorrectly infected or incorrectly disinfected), so the file is not dangerous, but it is definitely not something anyone expects from a site with such a reputation. Now it is up to Dell; I assume they don’t want to distribute this particular file anymore :-).
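The two things checked above (a PE header that advertises a certificate table although no valid signature is present, and an extra section appended to the file) can be scripted. The following Python is an added example, not code from the original post or from Avast: it parses the PE headers with `struct` only, reports whether the declared Authenticode table is actually present and well-formed, and lists writable+executable sections (a generic file-infector heuristic I add here; the post does not state the section flags). The two PE images are constructed in `build_sample` purely for the demo.

```python
import struct
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def inspect_pe(data):
    """Parse PE headers from memory: (cert_off, cert_size, [(name, raw_off, raw_size, flags)])."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dd = opt + (0x60 if magic == 0x10B else 0x70)  # data directories start (PE32 / PE32+)
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)  # entry 4: SECURITY (file offset, not RVA)
    sections = []
    for i in range(nsec):
        name, _, _, rsize, roff, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), roff, rsize, ch))
    return cert_off, cert_size, sections

def certificate_status(data):
    """Is the Authenticode table the header advertises actually there and well-formed?"""
    cert_off, cert_size, sections = inspect_pe(data)
    if cert_size == 0:
        return "unsigned"
    if cert_off + cert_size > len(data):
        return "declared-but-truncated"
    if any(roff < cert_off + cert_size and cert_off < roff + rsize for _, roff, rsize, _ in sections):
        return "declared-but-overlapped-by-section-data"  # section data was appended over the signature
    length, rev, ctype = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE header
    if ctype != 2 or rev not in (0x100, 0x200) or length > cert_size:
        return "declared-but-malformed"
    return "declared"  # structurally present; cryptographic verification (e.g. signtool verify /pa) still required

def rwx_sections(data):  # writable+executable sections: a common file-infector trait (my assumption, not from the post)
    return [n for n, _, _, ch in inspect_pe(data)[2] if ch & IMAGE_SCN_MEM_WRITE and ch & IMAGE_SCN_MEM_EXECUTE]

def build_sample(infected):
    """Constructed PE32 image for the demo (headers plus filler, not a runnable program)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2 if infected else 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 4 * 8, 0x400, 0x100)       # header claims a certificate table at 0x400
    sec = lambda name, rva, off, ch: struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, off, 0, 0, 0, 0, ch)
    secs = sec(b".text", 0x1000, 0x200, 0x60000020)
    if infected:  # appended RWX section lands exactly where the certificate table used to be
        secs += sec(b".sality", 0x2000, 0x400, 0xE0000020)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0") + b"\x90" * 0x200
    tail = b"\xcc" * 0x200 if infected else struct.pack("<IHH", 0x100, 0x200, 2).ljust(0x100, b"\0")
    return image + tail
```

Run `certificate_status(open(path, "rb").read())` on a real file; anything other than "declared" means the signature Windows would show in the Digital Signatures tab cannot be there.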

VT analysis: http://www.virustotal.com/en-gb/file/c1402d0f47dc8a6effbdcdceced1296770730ad4fc17cb37d6d9650d3e2b1a52/analysis/1367238999/

Categories: analyses, Virus Lab
  • http://direct2dell.com LionelatDell

    Thanks for the blog post. Even though as you mention, the 2407WFP driver file is not dangerous, we take any potential security concerns seriously.

    We continue to look into this. Thanks again.
    LionelatDell

  • http://www.avast.com Michal Krejdl

    @LionelatDell
    Hello and thanks for the response. You’ll probably agree that such a file should not be distributed by Dell even though it is not dangerous (because it was unintentionally modified by Sality, which is a serious threat). Everything you release should have a valid digital signature. It’s a question of trust (e.g. as a part of the UAC dialog).