Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

The Great TidBITS Malware False Alarm of 2009

On December 8th I woke up, went through my usual morning routine, grabbed my coffee, and sat down at my Mac to start the work day. As it was a Tuesday, I scanned my email for TidBITS #1006 and was slightly surprised that it wasn't in my Inbox. Since I had recently added another spam filter, I assumed the issue had been blocked, so I planned on pulling it out of quarantine later.

But the mystery deepened when a reader sent me an email message saying that his copy of the issue had been flagged as containing malicious software. Since I had been engaged in an intense Twitter debate a few days earlier claiming that Mac-based malware was rarely encountered by the average user, I immediately went into panic mode and started investigating.

I checked my frontline spam and virus filter (Google's Postini service), and the TidBITS issue wasn't flagged for anything there. However, when I checked my second filter, a special appliance on my network, I found the issue had been flagged as containing malware.

According to my anti-spam appliance, TidBITS #1006 contained "Email.Faketube", and when I reported this to Adam and the other TidBITS staffers, it came out that we were all receiving sporadic reports of this particular issue triggering a similar alert for readers.

I quickly searched on the Internet for details about Email.Faketube and found that it's a link that pretends to be from YouTube, but in fact redirects a browser to a Web site that attempts to download a Trojan horse (for Windows, not Mac OS X).

When I viewed the raw text of the TidBITS issue, I discovered that there was indeed a YouTube link in it, pointing at the trailer for the World of Goo game (see "TidBITS Gift Guide 2009," 7 December 2009).

By checking the link manually using one of the systems I have for security research of risky sites, it became clear immediately that the link was fine and did not redirect users to malware. Not that I expected it would; we check all links that go into TidBITS articles, so a link would have to change between the time we checked and when the issue was published for something untoward to happen. But then why the false alarm?

TidBITS Contributing Editor Mark Anbinder noticed that the string "www" appears at the end of the YouTube-generated link. The YouTube engine probably generates its links randomly, and the virus filters triggered upon seeing the "www" at the end of the YouTube link, thinking it was indicative of an attempt to redirect users. Attackers use a variety of techniques to mangle Internet addresses, one of which is adding characters to the end of a seemingly legitimate address to cause the redirection.

As a result, it's clear that I, and our readers who saw the alert, are all running a malware filter with a badly written rule set. It's likely that the rule is "flag any message containing a YouTube link with "www" after the 'watch?' portion of the address." Unfortunately, that's not necessarily indicative of malware and is thus a poor choice for a malware signature. (If nothing else, there's no requirement to redirect to a page whose domain includes "www" - such a filter is guaranteed to fail on any other domain.)

So the good news is that TidBITS #1006 wasn't infected in any way, and our apologies for any worry the false alarm may have caused. The bad news is that I now have to wonder about the quality of the company providing my email filter rules.


Backblaze is unlimited, unthrottled backup for Macs at $5/month.
Web access to files means your data is always available. Restore
by Mail allows you to recover files via a hard drive or USB.
Start your 15-day trial today! <>

Comments about The Great TidBITS Malware False Alarm of 2009
(Comments are closed.)

Glenn Fleishman  2009-12-10 13:07
I remember reading the computer scientist and entrepreneur Nathaniel Borenstein's Programming as If People Mattered a few years ago. (He invented MIME, among other things.)

In it, he described how at one company he was working an alphabetic + numeric hash random key generator was occasionally producing words that were or looked like swearwords. He said that in a meeting they discussed creating a filter of naughty words and other techniques.

An intern piped up and said, "drop the vowels and go base 30," meaning that with 0 to 10 and the 20 letters omitting vowels they would still have a huge number of combinations to draw from without creating any precise obscenities. FCK or SHT doesn't have the same valence without vowels.

Maybe YouTube needs a www filter, though!
Dan Neal  2009-12-14 20:22
Just which company did you get the defective appliance from? Inquiring minds and all...
Pattern matching on URLs is difficult at best, and this difficulty breeds laziness. The fact is, most people write a regex and their testing is simply, 'does it match what I want it to match'; very rarely will someone test against a large corpus of data to see if it misfires on something else. Even more rarely does someone really examine the complete rule's logic bit by bit to see what potential pitfalls there are.
And believe me, I've been bitten myself by 'shortcutting' pattern matching. :/
Adam Engst  An apple icon for a TidBITS Staffer 2009-12-15 07:36
Yeah, it's easy to see how this happened, but assuming that "www" means a redirection is just lazy.
Hank Roberts  2012-09-09 08:13
Problem's still happening, by the way. Found it mentioned in ClamXAV forum from December 2010: -----
"... ClamXav is not responsible for any signatures since that's all done by the cross-platform clamav community. Since it's a Windows Trojan, it is very much a legitimate issue as far as clamav is concerned. I'll poke around on the clamav site to see if I find any evidence that it was reported to them. The issue would seem to be that the text string they are looking for is common to other video download situations that don't involve malware, thus producing a false positive alert. If the TidBITS folks didn't report this to clamav (or whatever they were using) as a false positive, then it's not surprising that nothing has been done about it.

I filed a bug report with them on a similar situation involving a PUA false alarm and they have never taken action on it. Admittedly PUA (Potentially Unwanted Applications) are far less serious than are Trojans."