We come across plenty of malware reports every day. Sometimes we have to deal with special cases where a respected vendor is involved. This time it was the Dell driver download site.
![Download site](//cdn2.hubspot.net/hub/4650993/avast-blog/blog-files/dell00-300x210.png?width=300&height=210&name=dell00-300x210.png)
Download site
The "Download file" link leads to this unexpected screen (our user complained about a false positive):
![What a surprise?!](//cdn2.hubspot.net/hub/4650993/avast-blog/blog-files/dell01-300x164.png?width=300&height=164&name=dell01-300x164.png)
What a surprise?!
Well, being an average user, I'd be somewhat confused as well. But I know where to look when it comes to Sality. First of all, the file is supposed to be signed with a digital certificate (according to the PE header), but there's no valid signature (the Digital Signatures tab does not even appear in the file properties dialog):
![No digital signature](//cdn2.hubspot.net/hub/4650993/avast-blog/blog-files/dell02-274x300.png?width=274&height=300&name=dell02-274x300.png)
No digital signature
On the other hand, what we can easily find in the file is an evident sign of Sality's presence:
![Traces of Sality](//cdn2.hubspot.net/hub/4650993/avast-blog/blog-files/dell03-300x274.png?width=300&height=274&name=dell03-300x274.png)
Traces of Sality
The highlighted section has been added by Sality. Fortunately, it has not been filled with a live Sality body (the file seems to have been either wrongly infected or wrongly disinfected), so the file is not dangerous, but it's definitely something that no one expects on a site with such a reputation. Now it is up to Dell; I don't think they want to distribute this particular file anymore :-).
VT analysis: http://www.virustotal.com/en-gb/file/c1402d0f47dc8a6effbdcdceced1296770730ad4fc17cb37d6d9650d3e2b1a52/analysis/1367238999/
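
An added example (not from the original post): a structural check for the mismatch described above, where the PE header declares a certificate table but no usable signature is present. It reads the security data directory and reports whether that range lies inside the file and whether a section's raw data overlaps it; it does not verify the signature itself. `build_sample`, the `.added` section name and all offsets are constructed for illustration.

```python
import struct

def pe_signature_triage(data: bytes) -> dict:
    """Locate the PE security directory and check its data against the file layout."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                         # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 / PE32+ data directories
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    # Directory index 4 = certificate table; its "address" is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 32) if ndirs > 4 else (0, 0)
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i                       # 40-byte section header
        name = data[s:s + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, s + 16)
        sections.append((name, raw_ptr, raw_size))
    declared = size > 0
    return {
        "declared": declared,                             # header claims a signature
        "cert_range": (off, off + size),
        "in_file": declared and off + size <= len(data),  # data not truncated away
        "overlapped_by": [n for n, p, z in sections
                          if declared and z and p < off + size and off < p + z],
    }

def build_sample(nsec: int, total: int) -> bytes:
    """Constructed header-only PE32 whose security directory points at 0x400..0x500."""
    buf = bytearray(total)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", buf, 0x84, 0x14C, nsec, 224, 0x0102)
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, opt + 92, 16)             # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 128, 0x400, 0x100) # security directory entry
    for i, (name, ptr) in enumerate([(b".text", 0x200), (b".added", 0x400)][:nsec]):
        s = opt + 224 + 40 * i
        buf[s:s + len(name)] = name
        struct.pack_into("<II", buf, s + 16, 0x200, ptr)  # SizeOfRawData, PointerToRawData
    return bytes(buf)

if __name__ == "__main__":
    print(pe_signature_triage(build_sample(2, 0x600)))
```

A file that reports `declared` with a non-empty `overlapped_by` or a false `in_file` is worth a closer look before it is published or whitelisted.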