Michal Krejdl

29 April 2013

High profile site scares users


We come across plenty of malware reports every day. Sometimes we have to deal with special cases where a respected vendor is involved. This time it was the Dell driver download site.

[Image: Download site]

The "Download file" link leads to this unexpected screen (our user complained about a false positive):

[Image: What a surprise?!]

Well, being an average user, I'd be somewhat confused as well. But I know where to look when it comes to Sality. First of all, the file is supposed to be signed with a digital certificate (according to the PE header), but there is no valid signature; the Digital Signatures tab does not even appear in the file's Properties dialog:

[Image: No digital signature]

On the other hand, what we can easily find in the file is an evident sign of Sality presence:

[Image: Traces of Sality]

The highlighted section has been added by Sality. Fortunately, it has not been filled with a viable Sality body (the file seems to have been either wrongly infected or wrongly disinfected), so the file is not dangerous, but it is definitely something that no one expects from a site with such a reputation. Now it is up to Dell; I think they don't want to distribute this particular file anymore :-).
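The two indicators above (a PE header that claims a signature the file does not actually carry, and an extra section appended at the end of the image) can both be checked without a Windows box. The script below is an added example written for this post, not avast's tooling and not a Sality signature: it parses the PE headers with the standard library only, reads the Security data directory entry, checks whether a WIN_CERTIFICATE header really sits at that offset, and flags sections that lie beyond the certificate table or are both writable and executable. The sample images it triages are constructed in memory by `build_pe`; the section name `.added` and the zeroed "signature" blob are assumptions chosen for the demonstration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # index of the certificate table entry
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data):
    """Return ((cert_offset, cert_size), [section dicts]) from a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    cert_off, cert_size = struct.unpack_from("<II", data, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return (cert_off, cert_size), sections


def triage(data):
    """Heuristic findings: claimed-but-missing signature, data past the cert table, RWX tail section."""
    findings = []
    (cert_off, cert_size), sections = parse_pe(data)
    if cert_size == 0:
        findings.append("unsigned: no certificate table")
    elif cert_off + cert_size > len(data):
        findings.append("certificate table points past end of file")
    else:
        # A real Authenticode entry points at a WIN_CERTIFICATE whose dwLength equals the directory size.
        length, rev, ctype = struct.unpack_from("<IHH", data, cert_off)
        if length != cert_size or rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            findings.append("certificate table entry set but no WIN_CERTIFICATE/PKCS#7 blob at its offset")
        for s in sections:
            if s["rawsize"] and s["rawptr"] >= cert_off + cert_size:
                findings.append(f"section {s['name']} raw data lies after the certificate table")
    if sections:
        last = sections[-1]
        if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"last section {last['name']} is writable and executable")
    return findings


def build_pe(sections, cert_blob=b"", sections_before_cert=None):
    """Assemble a minimal PE32 image (constructed test data, not a real binary).
    sections: [(name, characteristics, raw bytes)]; cert_blob is placed after the
    first `sections_before_cert` sections (default: after all of them)."""
    n = len(sections)
    if sections_before_cert is None:
        sections_before_cert = n
    hdr_aligned = ((64 + 4 + 20 + 224 + 40 * n) + 0x1FF) & ~0x1FF   # 512-byte file alignment
    file_pos, vaddr, cert_off = hdr_aligned, 0x1000, 0
    sec_hdrs, body = b"", b""
    for i, (name, chars, content) in enumerate(sections):
        if i == sections_before_cert:
            cert_off, body, file_pos = file_pos, body + cert_blob, file_pos + len(cert_blob)
        padded = content + b"\0" * ((-len(content)) % 0x200)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), vaddr, len(padded), file_pos, 0, 0, 0, 0, chars)
        body, file_pos, vaddr = body + padded, file_pos + len(padded), vaddr + 0x1000
    if sections_before_cert >= n and cert_blob:
        cert_off, body = file_pos, body + cert_blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)          # i386, PE32 optional header
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                       0, vaddr, hdr_aligned, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", cert_off, len(cert_blob)) if i == IMAGE_DIRECTORY_ENTRY_SECURITY
                    else b"\0" * 8 for i in range(16))
    headers = dos + b"PE\0\0" + coff + opt + dirs + sec_hdrs
    return headers + b"\0" * (hdr_aligned - len(headers)) + body


# Constructed samples: a well-formed certificate table header vs. a header that merely claims one.
CLEAN_CERT = struct.pack("<IHH", 0x200, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + b"\0" * (0x200 - 8)
TEXT = (b".text", 0x60000020, b"\xC3" * 16)                                   # code, execute, read


def sample_clean():
    return build_pe([TEXT], CLEAN_CERT)


def sample_infected():
    # Signature slot zeroed out, then a writable+executable section appended past it (hypothetical layout).
    return build_pe([TEXT, (b".added", 0xE0000020, b"\x90" * 64)], b"\0" * 0x200, sections_before_cert=1)


if __name__ == "__main__":
    for label, img in (("clean", sample_clean()), ("infected", sample_infected())):
        print(label, triage(img) or ["no findings"])
```

The checks are deliberately structural: they do not verify the PKCS#7 signature itself (that still needs a full Authenticode verifier), but a populated Security directory entry with no WIN_CERTIFICATE behind it, or section data sitting beyond the certificate table, is exactly the "supposed to be signed, yet no valid signature" picture described above and is cheap to run across a whole download mirror.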

VT analysis: http://www.virustotal.com/en-gb/file/c1402d0f47dc8a6effbdcdceced1296770730ad4fc17cb37d6d9650d3e2b1a52/analysis/1367238999/

Tags: Virus Lab, Analyses, dell, sality