Author Topic: Fake Google Chrome update  (Read 6912 times)


Offline TheOwner

  • Poster
  • *
  • Posts: 406
Fake Google Chrome update
« on: April 19, 2017, 04:25:24 PM »
Chrome needs to be updated. I was redirected to this phishing site after I visited \www.mywot.com\ (a safe site by itself). It automatically started downloading some dangerous file, but Chrome detected it and asked me if I wanted to accept this file, because it is dangerous. So I declined this. Even if I download this file and don't run it, am I still safe? It cannot be executed by itself? Anyway, is there any reason why Avast doesn't detect this phishing site? And also didn't detect this dangerous file which started downloading? I don't have any screenshot or link, I was too scared so I closed the browser immediately. Thank you
« Last Edit: April 19, 2017, 04:29:21 PM by TheOwner »

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #1 on: April 19, 2017, 04:28:45 PM »
Mywot site scan, is it this? Look at the screenshot.
« Last Edit: April 19, 2017, 04:34:45 PM by TheOwner »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Fake Google Chrome update
« Reply #2 on: April 19, 2017, 04:38:24 PM »
Are you able to copy the redirect URL and scan it at www.virustotal.com?

Post link to scan result here


Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #3 on: April 19, 2017, 04:44:08 PM »
I am not sure if this link is connected with this redirect or not, but you can check by yourself. Copied from Quttera. htXXps://lh6.googleusercontent.com/pvrwwt3pafvbu-88w-tfp80xutpd7xlmzm_ffpsdwxu87qdf7gjy-a62-u_e_l-69tlbo-gq=s26-h26-e365

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Fake Google Chrome update
« Reply #4 on: April 19, 2017, 04:47:06 PM »

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #5 on: April 19, 2017, 04:49:55 PM »
Thank you, but I still don't understand this automatic redirect from this site to the phishing site and no detection from Avast. I cannot tell you if this URL is from this phishing site or not.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Fake Google Chrome update
« Reply #6 on: April 19, 2017, 04:51:35 PM »
urlQuery > http://urlquery.net/report.php?id=1492612528937
404 error > click picture at top right to see


Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #7 on: April 19, 2017, 04:56:20 PM »
That phishing site looks different, so it was another URL. There is no way to search for it again. It looks like the standard Google Chrome download page but with a very strange URL.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Fake Google Chrome update
« Reply #8 on: April 19, 2017, 04:58:55 PM »
This one is listed at PhishTank ... but not the exact same

https://lh6.googleusercontent.com/-kXknkrcXcpE/VOn4DqJWHCI/AAAAAAAAAK4/trPZRy5aLJM/s284/GUARDIAO-ITAU-30-HORAS.png"
PhishTank > http://www.phishtank.com/phish_detail.php?phish_id=4599499


Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #9 on: April 19, 2017, 05:01:57 PM »
Yes, phishing, the same as Quttera, maybe there is some truth to it. I reported this URL to Avast, let's see what they analyze.

Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: Fake Google Chrome update
« Reply #10 on: April 19, 2017, 05:55:33 PM »
Be careful of sites claiming to update your Chrome. This is the most common way to spread Locky ransomware.

Also I would like to add that most of these Locky-distributing websites are .top, not .com or anything else. :)




Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #11 on: April 19, 2017, 06:03:46 PM »
I know that it is fake... but is there any danger if I just delete the downloaded file? Or can it be executed without my action? Locky is known, it is already in the virus database I think.
« Last Edit: April 19, 2017, 06:10:36 PM by TheOwner »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37554
  • Not a avast user
Re: Fake Google Chrome update
« Reply #12 on: April 19, 2017, 08:16:44 PM »
Quote
Locky is known, it is already in the virus database I think.
Yes / No / Maybe

Malware is not static, they update / change and release new versions to avoid detection, just like car manufacturers do to make you buy the new latest edition: face lift / new engine / new gadgets ;)





Offline TrueIndian

  • Poster
  • *
  • Posts: 433
Re: Fake Google Chrome update
« Reply #13 on: April 20, 2017, 05:16:29 AM »
Locky is usually well detected by Avast cloud and Evo-Gen, but it is a must to be on the lookout for something like this.

Even if it bypasses Avast, the behaviour shield can identify it and alert the user. :)

Offline TheOwner

  • Poster
  • *
  • Posts: 406
Re: Fake Google Chrome update
« Reply #14 on: April 20, 2017, 04:01:28 PM »
Is there any way to block page redirecting? I hate it when I enter some safe site and I am immediately redirected to some malware site.