
Avast detects RSS feed as WireLurker

Published November 7th, 2014 at 1:58 PM EST , modified November 7th, 2014 at 6:26 PM EST

It’s not easy running a site like The Safe Mac. You get threatened with lawsuits [1], attacked by the bad guys [1, 2] and misidentified as malicious by security companies [1]. Headaches galore! And now, Avast is saying that this site’s RSS feed is the WireLurker malware.

Avast has a long history of false positives, such as its mistaken identification of a Mac OS X system file as a “decompression bomb,” a detection that has resurfaced sporadically for years. That pattern has now, unfortunately, extended to this site, causing some Avast users to become suspicious of The Safe Mac.

So why is this happening? First, you must understand that an RSS feed (aka “news feed”) is really nothing more than an XML file with a specific format. (XML is the file format that HTML is based on.) When you open the RSS feed for The Safe Mac, you are actually downloading this XML file and viewing its contents in an RSS reader program.

After being alerted to the problem, I discovered that Avast is identifying this XML file as a copy of the WireLurker malware. Knowing full well that this was not the case, I set out to discover what it was about this file that was tripping up Avast. By trimming out parts of the XML file and re-scanning it with Avast, I was eventually able to settle on the cause.

It turns out that Avast will identify any file with contents like the following as WireLurker:

/usr/bin/globalupdate/usr/local/machook/

To most people, this probably makes no sense at all. Why should such an innocent little bit of text be confused for malware? That’s an excellent question, and one that I’m not sure has a good answer, because after running a search for that text on the almost 250 MB of sample files I have for this malware, I don’t find it one single time. I do find 81 separate instances of either “/usr/bin/globalupdate” or “/usr/local/machook”, but not fused together into one single string.

So why is Avast detecting this as malicious? Interestingly, my article on WireLurker also contains this string, which was excerpted from a WireLurker detection script created by Palo Alto Networks (the discoverers of WireLurker). I believe this particular line must have been a typo, and was supposed to be two different lines, based on what I see in the malware samples.
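The trim-and-rescan test described above can be automated. This is an added example, not code from The Safe Mac, Avast or Palo Alto Networks: it runs a candidate string signature over a constructed corpus (an RSS item quoting the fused string, plus two launchd-style .plist stand-ins that each reference one real path) and contrasts naive substring matching with matching a path only when it appears as a complete path token. File names and contents are constructed.

```python
"""Validate a string signature against a sample corpus (added example)."""
import re

# The fused string the post says Avast matched, and the two real paths.
FUSED = b"/usr/bin/globalupdate/usr/local/machook"
REAL_PATHS = (b"/usr/bin/globalupdate", b"/usr/local/machook")

# Constructed stand-ins (not real samples): an RSS item that quotes the
# fused string, and two plists that each reference one real path on its own.
CORPUS = {
    "rss_feed.xml": (b"<item><description>grep for "
                     b"/usr/bin/globalupdate/usr/local/machook"
                     b"</description></item>"),
    "sample_agent_1.plist": (b"<key>ProgramArguments</key><array>"
                             b"<string>/usr/bin/globalupdate</string></array>"),
    "sample_daemon_2.plist": (b"<key>Program</key>"
                              b"<string>/usr/local/machook</string>"),
}

# A path token: a slash followed by one or more slash-separated components.
PATH_TOKEN = re.compile(rb"/[\w.-]+(?:/[\w.-]+)*")


def substring_hits(corpus, needle):
    """Files whose raw bytes contain needle anywhere (naive signature)."""
    return sorted(name for name, data in corpus.items() if needle in data)


def whole_path_hits(corpus, path):
    """Files in which path occurs as a complete path token, so the
    /usr/bin/globalupdate prefix inside the fused string does not count."""
    return sorted(name for name, data in corpus.items()
                  if path in PATH_TOKEN.findall(data))


def signature_report(corpus):
    """Summarise which files each candidate signature would flag."""
    report = {"fused_substring": substring_hits(corpus, FUSED)}
    for p in REAL_PATHS:
        key = p.decode().rsplit("/", 1)[1]
        report[key + "_substring"] = substring_hits(corpus, p)
        report[key + "_whole_path"] = whole_path_hits(corpus, p)
    return report


if __name__ == "__main__":
    for sig, files in signature_report(CORPUS).items():
        print(f"{sig:26} -> {files}")
```

The fused signature flags only the feed and none of the plist stand-ins, while the whole-path check flags each plist exactly once and never the feed.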

The only possible explanation is that Avast has chosen to pull this text out of the Palo Alto script, typo included, and use it in their signatures. I’ve reported the issue to Avast, but have yet to hear anything back.

If you are using Avast, or know someone who is using Avast, I strongly recommend removing it. These kinds of ongoing problems with false positives, coupled with the fact that Avast included adware not long ago and can only be downloaded from the untrustworthy Download.com, mean that you really shouldn’t be trusting the safety of your data to this product.

Updates

Friday, November 7, 2014 @ 3:50 pm EST: I have updated my description of what Avast is detecting. It’s actually worse than I originally realized… it looks like Avast is detecting based on a typo! [facepalm]

Friday, November 7, 2014 @ 6:15 pm EST: Claud Xiao has confirmed, this was a typo in the detection script.

As I’ve been thinking further and running more tests, I’ve become amazingly disgusted by Avast. From looking at my samples of the malware, there is literally no way that Avast could have come up with this string through analysis of the malware. They could only have come up with it by copying it directly from the script.

Worse, there’s absolutely no logic to doing that. Not a single one of the other paths listed in that script are detected in the same way by Avast. The only reason to be looking for these paths as strings within a file would be to check for some of the LaunchAgent or LaunchDaemon .plist files that are installed by the malware. However, not a single one of the .plist files in my set of WireLurker samples are actually detected by Avast!

I’m completely baffled by all this, and cannot find any logical excuse for Avast’s behavior in this case. This is extremely irresponsible on their part, and an enormous disservice to their customers!


16 Comments

  • Jay says:

    Better start a mailing list or something, might be the only way to reach your readers soon if this continues 😉

  • Ofelia says:

    Yeesh! Although, you’ve forgotten to bring up the less threatening, but equally annoying, “We’ll give you a free MacKeeper license if you start saying nice stuff about us!” ridiculousness. Worth a mention, since others (myself included) have been given the same proposition.

  • Fox says:

    Headaches indeed, Thomas. At least THIS one is not directed at YOUR feed exclusively.

    Avast has gone from a trusted AV in its early Windows days to a cheap adware installer, besides its sloppy “detection” rules. Your site (and Adware Medic) is one of the shining stars of the Mac universe. Keep up the good work, and THANK YOU!

  • Patrick says:

    Well, I don’t use Avast for the Mac side but I do have it on the Windows side and haven’t had too many issues with it on the Windows side. However, I remember 2 or 3 years ago they did a definition update and screwed up. It was now showing a lot of system and non-system files as being infected with a virus. I was up to 1 am pulling my hair out trying to figure out how I could have so many infected files. I had not done anything that I could think of to cause this. I decided to shut the system down and check it the next day with a fresh brain. By that time they had already sent out an emergency update and email to everyone letting them know what happened and to rescan the files with the new defs to verify they are safe.

    That was the first and only time that I have had that happen. Of course now that I have my Mac, I don’t use the Windows side that much and thus I don’t use Avast much except when scanning a client’s PC for viruses, although recently I have just been using the Malwarebytes Anti-Malware program, SUPERAntiSpyware and HitmanPro to scan the PCs and clean them.

    I would certainly not use Avast on the mac side.

  • Peter Kalnai says:

    Dear Thomas,
    your assumption about the detection signature is not correct. I did it personally and I apologise on behalf of Avast for making a wrong decision. It was based on a series of malicious files from the WireLurker archive but I omitted the relevant context.
    Please don’t use this argument to generalize how bad the product is, it’s not fair. And it’s fixed already.
    Thank you in advance.

    Kind regards
    Peter Kalnai, Malware Analyst, Avast
    @pkalnai (Twitter)

    • Thomas says:

      Perhaps you could explain how this was based on malicious files from WireLurker? In my WireLurker samples, I see a file /usr/bin/globalupdate, and I see a file /usr/local/machook, but nowhere in my 240 MB of samples do I find any matches at all for “/usr/bin/globalupdate/usr/local/machook” as one single unbroken string. Avast detects (detected?) it only as a single unbroken string; inserting a space between those two paths resulted in Avast no longer detecting the file as malicious.

      I’m very curious as to how this could have happened WITHOUT having copied the typo directly from the Palo Alto script and then looking for it in the wrong context? You have a chance to explain here… what file(s), exactly, is this signature designed to match?

  • Manfred says:

    Hi Thomas,
    considering all this, will you still be reviewing Avast in your next round of antivirus testing?

  • Jim says:

    This latest false positive comes as no surprise to me; I have previously installed Avast for Mac and each time it has been a constant source of technical problems.

    When avast was first released it insisted on scanning my Time Machine back ups on an external hard drive. I had been very careful to ensure that I had put in place exclusions to prevent those back ups being scanned, but those exclusions had NO effect. I of course reported this to avast technical support and it honestly took them well over 12 months to fix this issue.

    avast then started blocking updates from the App Store and I got error messages etc. when scan secured internet connections was enabled in the Web Shield.

    No help at all was provided by their technical support and I had to find out for myself the necessary server addresses to be excluded from the Web Shield.

    Avast simply had not put those exclusions in as part of the default Avast configuration; this was quite a serious and very bad oversight on their part. The most recent release of their Mac antivirus has had these exclusions added after a very long period of time.

    Once again more problems have arisen with Avast: the latest release version was blocking my Mac Game Center from connecting with the Game Center servers and I got numerous messages about problems with internet connections etc. After spending a long time with Apple’s technical support they identified Avast as the most likely source of this problem. I then ran the uninstaller included in the Avast Mac antivirus and rebooted my Mac.

    But alas, alas, even their uninstaller had NOT done a proper job of removing all the Avast components and the problem with Game Center persisted. The guys at Apple’s Technical Support went over my Mac with a fine tooth comb and simply could not understand what changes Avast had made that were causing this problem.

    I finally had to perform a full Time Machine restore of my Mac back to a point in time when avast was not installed. Fortunately my Mac is now once again functioning normally.

    I quite strongly recommend avoiding Avast for Mac like the plague; it has been a source of never-ending technical problems for me and has a poor reputation for false positives.

    It is now installing adware that nobody wants and everyone is complaining about on their forums.

    To put icing on the cake, the Avast technical support is almost non-existent and they also take extremely long periods of time to finally fix technical issues.

  • Jani Verdonkschot says:

    Simply, use ESET!

    • Jim says:

      Hi Jani,

      After finally getting rid of avast for Mac once and for all I have now paid for the Intego VirusBarrier.

      Intego has always been a top performer when Mac antivirus products have been carefully reviewed by this site and other independent reviewers such as Security Spread (http://securityspread.com).

      It also is much lighter on my Mac’s memory etc.; Avast for Mac always used a lot more memory and caused a hellish nightmare of ongoing technical issues.

      To date Intego VirusBarrier has performed perfectly and I have found it to be a very easy to use antivirus.

      They clearly state on their website it has been designed by experts who focus only upon products for the Mac, it has NOT been developed by a company who has developed Windows antivirus products.

      It is simply quite superior to avast in every way imaginable. My paid subscription for it has been worth every penny.

      Hell will freeze over before avast gets installed on my Mac again!!!
