High profile site scares users
We come across a plenty of malware reports every day. Sometimes we have to deal with some special cases, where a respected vendor is involved. This time it was the Dell driver download site.
The “Download file” link leads to this unexpected screen (our user complained about a false positive):
Well, being an average user, I’d be somehow confused as well. But I know where to look, when it comes to Sality. First of all – the file is supposed to be signed with a digital certificate (according to PE header), but there’s no valid signature (even the Digital signature tab in the file properties dialog does not appear):
On the other hand, what we can easily find in the file is an evident sign of Sality presence:
The highlighted section has been added by Sality. Fortunately, it has not been filled up with a vital Sality body (it seems to be either wrongly infected or wrongly disinfected), thus the file is not dangerous, but it’s definitely something what no one expects at a site with such reputation. Now it is up to Dell, I think that they don’t want to distribute this particular file anymore :-).