Registry Cleaners: Digital Snake Oil

Posted: June 23, 2015 by 
Last updated: October 19, 2016

 

A word on registry cleaners.

One of the most common complaints we see on our forums, and from our users, concerns a particular category of program called “Registry Optimizers” or “Registry Cleaners” or “Registry Defragmenters”. For this post, we will just refer to them as registry cleaners.

 

Who makes this software?

There are many software companies all over the world who make registry cleaners. Not all of them are included in our PUP classification. We will discuss why some get added to our PUP list later in this blog post, but for now, let’s look at what a registry cleaner is exactly in greater depth.

 

What is the registry?

Wikipedia defines it as

…a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems.

Think of it as a place where information about the programs you have installed on your computer is stored. Things like what options are enabled for programs, how they are set up, which user account can use them, and many other settings and preferences.

 

Where is the registry stored on my computer?

The registry is not a single file. It is assembled from several files called hives, whose locations vary a little between Windows versions: the machine-wide hives (SYSTEM, SOFTWARE, SAM, SECURITY) live under %SystemRoot%\System32\config, and each user's own settings live in NTUSER.DAT inside that user's profile folder.

If you really want to know more about them, a quick Google search will tell you. You will notice that many of the results include the caveat that you shouldn't touch the registry with an infinitely long pole.

Bad things happen when you make uninformed changes to the registry.

 

When was the registry added to Windows?

It goes all the way back to Windows 3.1, where it held little more than file associations and OLE information; Windows NT and Windows 95 turned it into the general configuration store it is today. So yeah… A long time ago.

 

Why would you need to clean it?

This is where we get to the heart of the problem. Many users swear by the performance differences they have experienced before and after running these types of programs.

We believe that this is mostly due to a computer version of the placebo effect. You watch the progress bar. The little lego blocks get stacked neatly. You get a report showing everything that is repaired… It’s all very satisfying.

All this makes what we are about to say very problematic. It might even make some readers angry…

Registry Cleaners are the digital equivalent of snake oil!

Snake oil is an expression that has come to refer to any product of questionable or unverifiable quality or benefit.

You should not have to optimize, defragment, organize, streamline, clean, compress, fold, knit, wash, or color code your registry. Ever. Period. Nada. Zilch.

The potential performance gains from using these programs are at best minuscule and imperceptible.

At worst, they could damage your computer so badly as to require a re-installation of the operating system.

 

Don’t believe us?

How about what Microsoft themselves have to say about registry cleaners?

Microsoft does not support the use of registry cleaners. Some programs available for free on the internet might contain spyware, adware, or viruses. If you decide to install a registry cleaning utility, be sure to research the product and only download and install programs from publishers that you trust. For more information, see when to trust a software publisher.

Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Before you modify the registry, make sure you back it up, create a restore point, and make sure that you understand how to restore the registry if a problem occurs.

That’s a pretty damning statement.

Does that mean that we will add all these programs to our PUP definitions? No, as we mentioned earlier, not all registry cleaners meet our PUP definition criteria.

We can tell you these programs are snake oil, but we are not going to try and force you not to use them. We don't condone forcing stuff onto people, and forcing programs onto users is exactly how a registry cleaner winds up flagged as a PUP by Malwarebytes Anti-Malware.

 

Let’s look at an example of how this happens.

Step 1

A software manufacturer partners with another software company that makes “bundlers” or “wrappers” to distribute their registry cleaner program. Let’s stick with the name bundlers for this example.

Bundlers put a bunch of programs together and offer the user these additional programs during the initial installation process. Sadly, many software companies do this, even some pretty big ones. We are not saying that all bundled software is malicious, only that this practice is ripe for abuse.

(Not all PUPs use a bundler, but the ones that do tend to misbehave…)

Remember, all the bundler wants to achieve is the maximum number of installations. It’s their business model. It’s how they get paid. It is also therefore not surprising that they would bend the rules as far as they can in order to achieve this.

(A side effect of surrendering the distribution of your program to a third-party is that you can then insulate yourself from their bad behavior… Right there we have an ethical quandary.)

 

Step 2

The bundler pre-populates the installation check box for several programs, including their partnered registry cleaner. They then seed the Internet with their bundled installer.

This can be through an affiliate marketing scheme to distribute the bundle, aggressive online adverts, or any number of other ways.

 

Step 3

A user, either seeking one of the other programs in the bundle or deceived into installing it through “dark patterns”, double negatives, and confusing opt-out techniques, winds up with the registry cleaner installed. Some of these software manufacturers go so far as to ship two versions of their program:

  • An official one, available from their website, that reports a low error count, has opt-in partner program installations and looks innocuous.

 

  • An affiliate version, that has opt-out partner programs, a silent install, and an aggressive detection count. That version can only be found on the web during an active affiliate campaign. This is done so the software vendor can claim innocence and blame a rogue affiliate for the aggressive nature of the program.

 

Step 4

The registry cleaner runs as part of its installation and/or configures itself to run at start up, performs a scan, and generates a report showing a large number of errors found.

(Hint: Registry cleaners will ALWAYS find errors, even on a freshly installed operating system! The trick is that these software manufacturers are classifying events recorded in the registry as critical errors that require “fixing”.)

This program now runs at every start up, generating the “push for sale” popup, with the results of the scan and the numerous “errors”.

Sometimes the UI is designed to make the window difficult to close.

Sometimes the registry cleaner periodically displays the “push for sale” pop up AGAIN in the same session, despite the user having closed it and declined to purchase the software. They may use bubble notifications in the taskbar.

These types of behaviors are how we rate the aggressiveness of the registry optimizers in determining if a PUP classification is warranted.
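An added example, not code from the original post: the script below does the two things Microsoft's advice and Step 4 describe, written in Python rather than the PowerShell a Windows admin might type. It backs up the HKCU Run key with reg.exe before touching anything, then lists the Run entries whose target executable no longer exists, which is exactly the kind of harmless stale reference a cleaner reports as a critical “error”. The key path, the winreg module and the reg.exe export call are real Windows facilities; the sample Run entries used when the script is not run on Windows are constructed.

```python
"""Added example, not code from the Malwarebytes post.

What a "registry cleaner" counts as an error: Run entries whose target executable
no longer exists. Windows simply skips such an entry at logon, so it costs nothing
measurable; this script lists them and, on Windows, backs the key up first.
"""
import os
import re
import subprocess
import sys
import tempfile
from datetime import datetime

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def executable_from_command(cmd: str) -> str:
    """Extract the program path from a Run value's command line.

    Handles a quoted path ("C:\\Program Files\\x\\y.exe" /arg) and an unquoted
    first token (C:\\tools\\z.exe /arg); environment variables are expanded.
    An unquoted path containing spaces is ambiguous (Windows tries each prefix),
    so only the first token is taken for that case.
    """
    m = re.match(r'^\s*"([^"]+)"', cmd)
    exe = m.group(1) if m else cmd.strip().split(" ", 1)[0]
    return os.path.expandvars(exe)


def stale_entries(entries, exists=os.path.exists):
    """Return the (name, command, missing_path) triples a cleaner would flag.

    `entries` is a list of (value_name, command_line); `exists` is injectable so
    the logic can be checked without a real registry.
    """
    flagged = []
    for name, cmd in entries:
        exe = executable_from_command(cmd)
        if not exists(exe):
            flagged.append((name, cmd, exe))
    return flagged


def backup_key(hive_name: str, subkey: str) -> str:
    """Export a key to a .reg file before touching it (`reg.exe import` restores it)."""
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    out = os.path.join(tempfile.gettempdir(), f"{hive_name}-Run-{stamp}.reg")
    subprocess.run(["reg.exe", "export", f"{hive_name}\\{subkey}", out, "/y"], check=True)
    return out


def read_run_entries():
    """Read HKCU\\...\\Run via the stdlib winreg module (Windows only)."""
    import winreg  # only importable on Windows

    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries.append((name, str(value)))
            i += 1
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        print("backup written to", backup_key("HKCU", RUN_KEY))
        entries = read_run_entries()
    else:
        # Constructed sample data so the script also runs elsewhere.
        entries = [
            ("OneDrive", '"C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
            ("OldUpdater", "C:\\Program Files\\Gone\\updater.exe /silent"),
        ]
    for name, cmd, exe in stale_entries(entries):
        print(f"{name}: {exe} not found (command: {cmd})")
```

Run it on a freshly installed Windows machine and you will still get a handful of hits from uninstalled trial software; none of them slow the machine down, and deleting them gains nothing, which is the whole point of the post.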

 

Step 5

The user clicks on the fix button of the report, and is funneled to a purchase page for the registry cleaner. The user buys the software, alarmed at the numerous registry “errors” reported.

The bundler, affiliates, and the software manufacturer split the profits. The user has paid for a program that is at best useless, and at worst could damage the registry and make the computer unusable.

 

These are the PUP criteria that merit flagging such a program as a Potentially Unwanted Program:

  • Malicious bundling
  • Pre-populated checkboxes
  • Registry Cleaners, Optimizers, Defragmenters (recently added)

 

You can find our complete PUP criteria classification page here.

The changes to our PUP classification took place as a result of listening to our user base.

We have seen the large number of complaints on forums about these programs. We have seen the deceptive methods they use to sneak onto computers in an effort to extract payment for non-existent errors detected by a program of little or no value.

We have revised our Potentially Unwanted Program stance in the past, and now have revised it again to include Registry Cleaners that exhibit these aggressive traits.

Presently our default behavior is to quarantine PUPs. Unlike the programs we classify as such, Malwarebytes Anti-Malware lets you decide what to keep or remove, and our free version provides full removal capabilities should you choose the latter.

By pushing the limits of marketing techniques, by playing the numbers games on unwanted installations, by claiming innocence and blaming overzealous affiliates for repeated bad behavior, the purveyors of this digital snake oil will earn a well deserved potentially unwanted program classification.

Our vision statement at Malwarebytes is that “everyone has a fundamental right to a malware free existence,” and we mean to uphold it.

https://blog.malwarebytes.com/cybercrime/2015/06/digital-snake-oil/

What is cryptocurrency and why do cybercriminals love it?

Ever pretend you know what your friends are talking about because you want to sound smart and relevant—and then trap yourself in a lie?

“Wow, looks like those hackers were mining for cryptocurrency. You know what cryptocurrency is, right?”

“Oh yeah, totally. Cryptocurrency. Bad stuff. You know. Currency? In the crypt? Bad.”

“Yeah….”

Okay, so the next time someone asks, “What is cryptocurrency, anyway?” instead of awkwardly shrugging, be prepared to dazzle them with your insider knowledge.

What is cryptocurrency, in a nutshell?

In its simplest form, cryptocurrency is digital money. It’s currency that exists in the network only—it has no physical form. Cryptocurrency is not unlike regular currency in that it’s a commodity that allows you to pay for things online. But the way it was created and managed is revolutionary in the field of money. Unlike dollars or euros, cryptocurrency is not backed by the government or banks. There’s no central authority.

If that both excites and scares you, you’re not alone. But this technology train has left the station. Will it be a wreck? Or will it be the kind of disruptive tech that democratizes the exchange of currency for future generations?

Let’s take a closer look at what cryptocurrency is, how it works, and what are the possible pitfalls.

What makes cryptocurrency different from regular money?

If you take away all the techno-babble around cryptocurrency, you can reduce it down to a simple concept. Cryptocurrency is entries in a database that no one can change without fulfilling specific conditions. This may seem obtuse, but it’s actually how you can define all currency. Think of your own bank account and the way transactions are managed—you can only authorize transfers, withdrawals, and deposits under specific conditions. When you do so, the database entries change.

The only major difference, then, between cryptocurrency and “regular” money is how those entries in the database are changed. At a bank, it’s a central figure who does the changing: the bank itself. With cryptocurrency, the entries are managed by a network of computers belonging to no one entity. More on this later.

Outside of centralized vs. decentralized management, the differences between cryptocurrency and regular currency are minor. Unlike the dollar or the yen, cryptocurrency has one global rate—and is worth a lot. As of November 2017, one Bitcoin is equal to $6,942.77. Its value has increased exponentially this year, exploding from around $800 in January 2017.

How does cryptocurrency work?

Cryptocurrency aims to be decentralized, secure, and anonymous. Here’s how its technologies work together to try and make that happen.

Remember how we talked about cryptocurrency as entries in a database? That database is called the blockchain. Essentially, it’s a digital ledger that uses cryptography (hashing and digital signatures rather than encryption; the ledger itself is public) to control the creation of money and verify the transfer of funds. This allows users to make payments and hold money pseudonymously, without needing to go through a bank: the ledger records addresses, not names, but every transaction is visible to anyone who cares to look.

Information on the blockchain exists as a shared—and continuously reconciled—database. The blockchain database isn’t stored in a single location, and its records are public and easily verified. No centralized version of this information exists for a cybercriminal to corrupt. Hosted by millions of computers simultaneously, its data is accessible to anyone on the Internet.

So how, exactly, is cryptocurrency created and maintained on the blockchain? Units are generated through a process called mining: computers race to find a block whose hash meets the network’s difficulty target (the “complicated math problem”), which on the Bitcoin network takes an astronomical number of hash attempts per block and has long since moved from CPUs to specialized hardware. Proof-of-work cryptocurrencies are maintained by a community of miners, members of the general public who have set up their machines to participate in validating and processing transactions.

And if you’re wondering why a miner would choose to participate, the answer is simple: Manage the transactions, and earn some digital currency yourself. Those that don’t want to mine can purchase cryptocurrency through a broker and store it in a cryptocurrency wallet.
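As an added example (not from the original post), here is a toy version of the two mechanics just described, in Python: each block commits to the hash of the one before it, mining is a search for a nonce whose block hash meets a difficulty target, and editing an entry after the fact breaks verification unless all the work from that block onward is redone. Everything in it is simplified relative to Bitcoin, which hashes a binary header with double SHA-256 against a 256-bit target and organizes signed transactions in a Merkle tree; the transactions and the difficulty are constructed for illustration.

```python
"""Added example (not from the post): a toy proof-of-work chain."""
import hashlib
import json
import time

DIFFICULTY = 14  # leading zero bits the hash must have (tiny compared with mainnet)


def block_hash(block: dict) -> str:
    # Hash the block fields in a canonical order so every node computes the same value.
    payload = json.dumps(
        {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def meets_target(h: str, difficulty: int = DIFFICULTY) -> bool:
    """True when the top `difficulty` bits of the 256-bit hash are zero."""
    return int(h, 16) >> (256 - difficulty) == 0


def mine_block(prev_hash: str, index: int, transactions: list) -> dict:
    """Increment the nonce until the hash meets the target (this is 'mining')."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        h = block_hash(block)
        if meets_target(h):
            block["hash"] = h
            return block
        block["nonce"] += 1


def build_chain(tx_batches) -> list:
    chain = [mine_block("0" * 64, 0, [])]  # genesis block
    for i, txs in enumerate(tx_batches, start=1):
        chain.append(mine_block(chain[-1]["hash"], i, txs))
    return chain


def verify_chain(chain) -> bool:
    """What every node does: recompute each hash, check the target and the links."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"] or not meets_target(block["hash"]):
            return False
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False
    return True


def tamper(chain, index: int, new_transactions: list) -> list:
    """Edit one ledger entry without re-mining; returns a copy that no longer verifies."""
    forged = [dict(b, transactions=list(b["transactions"])) for b in chain]
    forged[index]["transactions"] = new_transactions
    return forged


if __name__ == "__main__":
    ledger = [  # constructed sample transactions
        [{"from": "alice", "to": "bob", "amount": 1.5}],
        [{"from": "bob", "to": "carol", "amount": 0.5}],
    ]
    t0 = time.time()
    chain = build_chain(ledger)
    print(f"mined {len(chain)} blocks in {time.time() - t0:.2f}s")
    print("valid:", verify_chain(chain))
    forged = tamper(chain, 1, [{"from": "alice", "to": "mallory", "amount": 1.5}])
    print("valid after editing block 1:", verify_chain(forged))
```

The forger could re-mine block 1 to fix its hash, but then block 2's prev_hash no longer matches, so they would have to re-mine every later block too, and do it faster than the rest of the network adds new ones. That cost, not secrecy, is what makes the entries hard to change.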

When was cryptocurrency developed?

In the wake of the 2008 financial crash, Satoshi Nakamoto created Bitcoin, a “peer-to-peer electronic cash system.” (The white paper appeared in October 2008 and the network went live in January 2009, before the Occupy Wall Street protests it is often associated with.) Bitcoin was a slap in the face to the “too big to fail” banks because it operated outside of a central authority, with no server and no one entity running the show. Bitcoin pioneers had high hopes of eliminating the middle man in order to cancel interest fees, make transactions transparent, and fight corruption.

While Bitcoin was the first and remains the most popular cryptocurrency, others saw its potential and soon jumped on the bandwagon. Litecoin was developed in 2011, followed by Ripple in 2012. In 2015, Ethereum joined the fray and has become the second most-popular cryptocurrency. According to CoinMarketCap, there are now more than 1,000 cryptocurrencies on the Internet.

Cryptocurrency’s popularity on the Internet soon bled into other real-world applications. Japan has recognized Bitcoin as a legal method of payment. Banks in India are using Ripple as an alternative system for transactions. JP Morgan has built its own blockchain platform, Quorum, an enterprise version of Ethereum.

However, as with any new and relatively untested technology, the cybercriminals wanted in. And it wasn’t long before Bitcoin and other cryptocurrencies fell victim to their own democratic ideals.

How has cryptocurrency been abused?

As secure as a Bitcoin address is, the application of its technology is often fumbled; usually by unpracticed programmers looking to get in on the action and creating faulty code. Fundamentally, the system is superior to centralized database systems, but poor coding practices among its thousands of practitioners have created a multitude of vulnerabilities. Like vultures to carrion, cybercriminals flocked to exploit. According to Hacked, an estimated 10 to 20 percent of all Bitcoin in existence is held by criminals.

While cryptocurrency was initially hailed as the next big thing in money, a savior for folks who just lost everything in steep recession (but watched as the banks that screwed them over walked away unscathed), a hack in 2011 showed how insecure and easily stolen cryptocurrency could be. Soon, the criminal-minded rushed in, looking to take advantage of the cheap, fast, permission-less, and anonymous nature of cryptocurrency exchange. Over the last nine years, millions of Bitcoin, worth billions of dollars, have been stolen—some events so major that they drove people to suicide.

On a smaller but much more frequent scale, cryptocurrency is used on the black market to buy and sell credit card numbers and bot installs, fund hacktivism or other “extra-legal” activity, and launder money. It’s also the payment method of choice for ransomware authors, whose profits are made possible by collecting money that is hard to tie to a real identity. (Bitcoin payments are not untraceable: every transfer is public on the ledger, and the trail usually goes cold only at an exchange or mixing service that does not check identities.) Certainly makes getting caught that much more difficult.

Ransom note asking for Bitcoin

And if that weren’t enough to call cryptocurrency unstable, the process of mining itself is vulnerable and has already attracted some high-profile hacks. Services such as CoinHive allow those that deploy it to use their site visitors’ CPUs to mine, without the visitors’ knowledge or permission. This process, known as cryptojacking, is robbery-lite: Users may see an impact to their computer’s performance or a slight increase in their electric bill, but are otherwise unaffected. Or that is, they were, until cybercriminals figured out how to hack CoinHive.

Future applications

So where does that leave us with cryptocurrency? Surely its popularity is skyrocketing and its value is spiking so hard it could win a gold medal for beach volleyball at the Olympics. But is it a viable, safe alternative to our current currencies? Cryptocurrency could democratize the future of money—or it could end up in technology hell with AskJeeves and portable CD players.

We can see the technological applications for the future that demonstrate the clear advantages of cryptocurrency over our current system. But right now, cryptocurrency is good in theory, bad in practice. It is volatile and highly hackable, and we’ll have to create security measures that can keep up with the development of the tech; otherwise cybercriminals will flood the market so heavily that it never moves beyond the dark web.

If you want to learn even more about cryptocurrency, stay tuned for a deeper dive on blockchain technology and a full report on cryptojacking.

Posted: November 3, 2017 by 
Last updated: November 2, 2017

ABOUT THE AUTHOR


Head of Content, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.

“Please don’t buy this: smart locks”

We all like buying the latest and greatest tech toy. It’s fun to get new and novel features on a product that used to be boring and predictable; a draw of the original BeBox (amongst many) was a layer of “das blinkenlights” across the front. But sometimes, the latest feature is not always the greatest feature. And sometimes, some things should not be on the Internet at all. For readers concerned with privacy, or who simply do not want to introduce additional hassle into their tech maintenance routine, we introduce the first entry in our series called “Please don’t buy this.”  Today’s feature: smart locks.

The cool new thing

Recently, Amazon announced a new service combining a selection of smart locks, a web-connected security camera, and a network of home service providers that work in concert to allow remote access to your home. Setting aside the question of giving unsupervised access to third-party contractors vetted by an unpublished standard, let’s take a look at why smart locks might not be the best purchase.

Amazon’s program actually works with three different existing smart lock products, as seen here.

“Smart lock” is a bit of a catchall term covering a wide variety of technologies, so what are the Amazon locks dependent on, and what security vulnerabilities do those technologies include? It’s a bit of a mystery, as the Amazon sales pages don’t include that information, nor does the “technical specification” page of one of the manufacturers.

What we can surmise is that these locks will require replaceable batteries, and that at least one of the locks affords the user Wi-Fi access. While allowing remote unlocks to your home without any in-person authentication is a pretty transparently bad idea, a number of other smart locks have attempted a more secure approach using Bluetooth low energy, which affords some additional security features that the original protocol does not.

Unfortunately, while the protocol itself has a generally good security profile, implementation and associated companion apps put out by lock manufacturers aren’t quite as good. In tests at last year’s Defcon, 12 out of 16 smart lock models failed under sustained attack. Most of these failures concerned either encryption implementation, or shoddy code in associated apps.

Why it’s less cool than it appears

Setting aside poor security design and implementation, “smart” devices like these tend to come with fuzzy legal boundaries surrounding ownership and maintenance.  Last year, a home automation hub company called Revolv was shut down during acquisition. Rather than simply failing to provide updates, the devices were disabled.

This was an inconvenience for users, but what if it was your front door? Given the current state of mobile OS fragmentation, would it be that much of a surprise if a lock company simply declined to provide security updates? We couldn’t find any information on the means by which the new Amazon compatible locks are updated, how authorized delivery personnel will interact with the locks, and if any third party has access to data communicated by the lock and/or accompanying phone apps.

These are questions that would be concerning for any device. But when that device affords access to your home, considerably more transparency about the device’s underlying technology should be mandatory.

Conclusion

A physical deadbolt has security flaws as well. But deadbolts have a standardized design, commonly accepted standards that they are evaluated against, can be repaired or replaced by anybody, and are unequivocally owned by you. Can a smart lock’s EULA claim the same? Smart locks could achieve acceptable purchase status if they met the following criteria:

  • independent, industry-wide security standards in design
  • independent code auditing
  • no Wi-Fi
  • conventional implementation of industry standard encryption
  • no third-party data storage
  • right to repair

Until smart locks can meet these standards, we respectfully suggest. . .Please don’t buy this.

Posted: October 26, 2017 by 

ABOUT THE AUTHOR

Breaking things and wrecking up the place since 2005.

10 tips for safe online shopping on Cyber Monday

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place, but it becomes particularly rough during the holiday shopping season.

In preparation for the frenzy, cyber villains have crafted a virtual onslaught of social engineering scams, malspam, and malicious, spoofed websites in order to dupe the droves of people expected to spend nearly $4 billion online this year.

So, bargain hunters, it’s important to know the warning signs. Here’s your guide to safe online shopping on Cyber Monday and beyond.

  1. Go directly to a store’s website instead of using search engines to look for deals. If you happen to find a deal using a search engine, try to verify it by searching for the exact name of the deal in quotes. If it’s a scam, then it’s likely someone will have already put out a warning.
  2. Give pop-ups and other digital ads the stank eye. Many pop-ups could contain fake coupons, redirect you to malicious sites, or expose you to cross-site scripting attacks. If a coupon seems to come out of nowhere with a too-good-to-be-true offer, don’t think twice. Just click that “x” and shut it down.
  3. Watch out for social media scams, especially on Facebook. Cybercriminals are using fake or compromised Facebook accounts in order to post links to amaaaaaazing deals that don’t actually exist. They’re especially prone to dropping links on the walls of open groups dedicated to shopping. “One of the top shopping scams to avoid in the run-up to Cyber Monday is the social media fakeout,” says Chris Boyd, Lead Malware Analyst at Malwarebytes. “During any given holiday period there will be an excess of fake offers, deals, and supposed freebies which tend to have a sting in the tail. If you’re being asked to share something on Facebook in order to get your hands on something too good to be true, you can bet there’s a scam involved.”
  4. Dump Cyber Monday emails with attachments in the virtual garbage. Cyber Monday emails with attachments, especially zip files, are super suspect—it’s possible, in fact likely, that they contain malware. Delete them immediately. Not only that, but you should review any other Cyber Monday-related emails with a hawk eye. If you get an email from a store claiming to have a deal, type the store’s URL directly into your browser instead of clicking on the link. If the site doesn’t verify the deal, you know it’s a fake.
  5. Make sure you’re on a secure connection. Look for the padlock icon to the left of the URL when you go to check out. If it’s there, the information passed between the store’s server and your browser is encrypted in transit, and the URL should read “https” and not just “http.” One caveat: the padlock only tells you that the connection is encrypted and that the certificate matches the domain in the address bar; it says nothing about whether that domain belongs to a legitimate store. Scam sites get certificates too, so check that the domain itself is the one you expect.
  6. Do not use debit cards to shop online. Want to give cybercriminals direct access to your bank account? Then by all means, use your debit card! Otherwise, play it safe by using credit cards or a PayPal account that’s linked to a credit card. While many banks are cracking down on fraudulent withdrawals, you’ll still have to wait for your money while they investigate the charges.
  7. Avoid using public wifi to shop. All a cybercriminal needs to do to get a public wifi password and wreak havoc is order a coffee. If you’re shopping and entering personal data, best to do it on your secure wifi connection at home.
  8. Watch out for malicious QR codes. Q what now? QR codes are small, pixelated codes meant to be scanned by a smartphone’s camera. They often contain coupons, links to websites, or other product marketing materials. Some hackers have started creating codes that link to a phishing or malware site, printing them on stickers, and placing them on top of the legit QR codes. Best to avoid them.
  9. Don’t fork over extra info. If a site starts asking for out-of-the-ordinary personal data, like Social Security numbers or password security questions, slam on the brakes and get the heck out of Dodge.
  10. Tighten up security before you shop on Cyber Monday. Make sure all software on your computer is up-to-date, including your OS, browser, and other apps. And if you don’t already have it, install a cybersecurity program on your desktop (whether it’s a Mac or PC) that prevents malware infection to ensure maximum coverage. In addition, since mobile shopping is set to outpace desktop shopping for the first time this year, it’s a smart idea to download a cybersecurity program for your phone. If you’ve already covered your cybersecurity bases, make sure you run updates on all those programs as well.

Happy, and safe, holiday shopping everyone!

Posted: November 17, 2017 by 

ABOUT THE AUTHOR


Head of Content, Malwarebytes Labs

Wordsmith. Card-carrying journalist. Lover of meatballs.

A look into the global drive-by cryptocurrency mining phenomenon

A look into the global drive-by cryptocurrency mining phenomenon

A look into the global drive-by cryptocurrency mining phenomenon

An important milestone in the history of cryptomining happened around mid-September when a company called Coinhive launched a service that could mine for a digital currency known as Monero directly within a web browser.

JavaScript-based mining is cross-platform compatible and works on all modern browsers. Indeed, just about anybody visiting a particular website can start mining for digital currency with eventual profits going to the owner’s wallet (in the best case scenario). In itself, browser-based cryptomining is not illegal and could be seen as a viable business model to replace traditional ad banners.

To differentiate browser-based mining from other forms of mining, many started to label these instances as JavaScript miners or browser miners. The simplicity of the Coinhive API integration was one of the reasons for its immediate success, but due to several oversights, the technology was almost instantly abused.

In particular, many web portals started to run the Coinhive API in non-throttled mode, resulting in cases of cryptojacking—utilizing 100 percent of the victims’ CPU to mine for cryptocurrency with no knowledge or consent given by the user.

We decided to call this new phenomenon drive-by mining, due to the way the code is delivered onto unsuspecting users, very much like drive-by downloads. There’s one important caveat, though: There is no malware infection at the end of the chain.

While the harm may seem minimal, this is not the kind of web experience most people would sign up for. To make matters worse, one does not always know if they are mining for the website owner or for criminal gangs that have found a new monetization tool for the hacked sites they control.
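As an added example, not code from the report or from Coinhive, here is a small Python scanner for the pattern described above. It looks at a page's HTML for a browser-miner script include and for the throttle value passed to the miner, then reports whether the miner would run unthrottled (the 100 percent CPU case) and whether the page shows any sign of asking the visitor first. The script host names, the CoinHive.Anonymous(...) constructor and the `throttle` option reflect Coinhive's publicly documented API in 2017 and are treated here as assumptions; real deployments were often proxied and obfuscated, which this simple text match will not catch. The sample pages and site keys are constructed.

```python
"""Added example, not code from the Malwarebytes report or Coinhive."""
import re
from dataclasses import dataclass

# Miner script hosts to look for. Illustrative list based on 2017 reporting;
# a real blocklist (the one Malwarebytes used) is much longer.
MINER_HOSTS = ("coinhive.com", "coin-hive.com", "authedmine.com", "crypto-loot.com")

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
# Assumed constructor shape: new CoinHive.Anonymous('SITE_KEY', {throttle: 0.3})
MINER_CTOR = re.compile(
    r'CoinHive\.Anonymous\(\s*["\']([^"\']+)["\']\s*(?:,\s*(\{[^}]*\}))?', re.IGNORECASE
)
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")
CONSENT_HINT = re.compile(r"(?:opt.?in|consent|allow mining|start mining)", re.IGNORECASE)


@dataclass
class MinerFinding:
    script_host: str
    site_key: str
    throttle: float       # 0.0 = use all CPU; 0.7 = miner idles 70% of the time
    mentions_consent: bool

    @property
    def drive_by(self) -> bool:
        # Unthrottled and no sign the visitor was asked: the cryptojacking case.
        return self.throttle == 0.0 and not self.mentions_consent


def scan_page(html: str):
    """Return one MinerFinding per miner constructor on a page that loads a miner script."""
    hosts = [
        src for src in SCRIPT_SRC.findall(html)
        if any(h in src.lower() for h in MINER_HOSTS)
    ]
    if not hosts:
        return []
    findings = []
    consent = bool(CONSENT_HINT.search(html))
    for key, opts in MINER_CTOR.findall(html):
        m = THROTTLE.search(opts or "")
        # Assumption: when no throttle is given the miner runs unthrottled.
        throttle = float(m.group(1)) if m else 0.0
        findings.append(MinerFinding(hosts[0], key, throttle, consent))
    return findings


# Constructed sample pages (site keys are made up).
DRIVE_BY_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SAMPLEKEY000'); m.start();</script>
</head><body>Welcome</body></html>"""

THROTTLED_OPTIN_PAGE = """<html><head>
<script src="https://authedmine.com/lib/authedmine.min.js"></script>
<script>var m = new CoinHive.Anonymous('SAMPLEKEY111', {throttle: 0.7});</script>
</head><body><p>Opt in to mining instead of seeing ads.</p></body></html>"""

CLEAN_PAGE = "<html><head><script src='/static/app.js'></script></head></html>"

if __name__ == "__main__":
    for name, page in (("drive-by", DRIVE_BY_PAGE), ("opt-in", THROTTLED_OPTIN_PAGE), ("clean", CLEAN_PAGE)):
        findings = scan_page(page)
        if not findings:
            print(f"{name}: no miner found")
        for f in findings:
            print(f"{name}: {f.script_host} key={f.site_key} throttle={f.throttle} drive_by={f.drive_by}")
```

The throttle value is the difference between the “viable business model” and the drive-by case: a throttled, opt-in miner leaves most of the CPU to the visitor, while the unthrottled default pegs every core for as long as the tab stays open.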

In our full report, A look into the global drive-by cryptocurrency mining phenomenon, we review the events that led to this new technology being abused and explore where users involved in cryptomining against their will are located.

To give you an idea of the scope of drive-by mining, Malwarebytes has been blocking the original Coinhive API and related proxies an average of 8 million times per day, which added up to approximately 248 million blocks in a single month.

With their new mandatory opt-in API, Coinhive hopes to restore some legitimacy to the technology and, more importantly, push it as a legal means for site owners to earn revenues without having to worry about ad blockers or blacklists. This could also benefit users who might not mind trading some CPU resources for an ad-free online experience.

Time will tell how criminals react, but in the meantime, drive-by mining continues unabated.

For more information on this latest trend in the cryptocurrency world, please download our report.

Posted: November 7, 2017 by 
Last updated: November 6, 2017

ABOUT THE AUTHOR


Lead Malware Intelligence Analyst

Security researcher with a focus on exploits, malvertising and fraud.