Why Malwarebytes detects PC Pitstop as Potentially Unwanted

At Malwarebytes, we take great pride in the fact that we’re protecting customers – not just from malware – but from a growing and worrisome threat known as PUPs, or Potentially Unwanted Programs. We recently strengthened our PUP detection criteria due to PUP vendors becoming more aggressive while at the same time using more polished scare tactics to push users into purchasing their products. One company that we started investigating was PC Pitstop. With transparency being important to us at Malwarebytes, the intent of this blog is to make the facts public.

PC Pitstop makes several products including PC Matic, PC Magnum, Optimize, Driver Alert, and Disk MD. As of a few weeks ago, we detect these products as PUP.Optional: the first part representing a Potentially Unwanted Program and the second your optionality, meaning we believe it is unwanted by the majority of users and yet we want it to be clear that it is your discretion as a user to remove it.

PC Pitstop triggered several of our PUP criteria, which I’ve included below.

Some programs offer to clean or modify your computer’s registry. In basic terms, the Windows registry contains information and settings for the programs and hardware installed on a user’s operating system.

According to Microsoft, registry cleaners are not necessary. In fact, Microsoft itself does not recommend the use of registry cleaners. Products that use registry cleaning and optimization as a feature to drive sales are considered Potentially Unwanted by Malwarebytes.

PC Pitstop’s Optimize & PC Matic products use registry cleaning as one of their main features. They will show registry issues, even on a brand new computer. It states there are fourteen registry files which “may cause improper operation of some applications.” Based on standards from Microsoft, we believe this to be an aggressive tactic to drive sales.

Figure 1: PC Pitstop’s Optimize showing problems on a brand new machine and prompting users to “Buy Now!” in order to “fix the problems identified.”

Figure 2: PC Matic registry cleaning recommendations.

Another one of our PUP detection criteria is flagging temporary files created by the operating system or Internet browser as high risk issues or urgent fixes for a non-savvy user. Temporary files are normal artifacts of the operating system and browser and are in no way indications of a problem with the computer or an issue that is urgent. These detections are normally accompanied by a red dot or risk slider.

PC Pitstop’s PC Matic shows temporary files as urgent issues to the user, even on a brand new computer.

Figure 3: PC Pitstop’s PC Matic showing temporary files, default Operating System settings and disk fragmentation as “issues with your PC” on a brand new machine and prompting users to buy in order to “Fix All.”

Browser cookies are an integral part of how browsers work. For example, when you buy something online, the shopping cart is more likely than not driven by browser cookies. Flagging browser cookies as an issue that requires immediate attention is an aggressive tactic used by many Potentially Unwanted Programs.

During investigation of PC Pitstop products, we were prompted many times (after displaying the aforementioned issues!) to buy the software. There is no working trial and the cost of the product was up to $150. High prices without the ability to trial the software contribute to our criteria around Potentially Unwanted Programs.

One of the most shocking behaviors of PC Matic was the prompt to remove necessary applications such as Google Chrome’s updater, Java’s updater, and more. Removing these components actually puts the machine at risk, as both of the updaters mentioned patch critical vulnerabilities.

Figures 4 & 5: PC Matic prompts to remove necessary components that keep applications up to date.

Figure 6: PC Matic showing the Google Chrome Media Router plugin as “Bad”. This plugin ships by default with the standard installation of Google Chrome.

Figure 7: PC Matic disabling the Google Update services, leaving the machine potentially vulnerable and out of date.

As shown above in Figure 2, PC Matic identifies disk fragmentation on a brand new computer and prompts the user to purchase the product. We have found that during installation of PC Matic, one of the first actions it performs is silently disabling the Windows Defragmentation Service. The problem is that the Windows Defragmentation Service is no longer just a defragmenter; it is more of a weekly low-level cleanup of the hard drive for things the operating system tosses around. Microsoft highly suggests leaving this alone for Windows 8 and above. In fact, Microsoft says that stopping this service can do more harm than good.

Once the built-in Windows Defragmentation Service is disabled, PC Matic promotes its “SSD Optimization” feature that shows the Scheduled Defragmentation service as disabled.

Figure 8: PC Matic disabling the Windows Defragmentation Service

Figure 9: PC Matic’s “SSD Optimization” consists of disabling the Microsoft defragment service which Microsoft advises against.

Other changes made to the machine when running PC Matic fixes could be potentially dangerous, such as silently adding an administrative user.

Figure 10: PC Matic silently adding an administrative user account to the machine.
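
To check a Windows machine for the system changes described above (disabled update and defragmentation services, a disabled scheduled defragmentation task, and an unexpected administrative account), an audit along these lines can be used. It is an added example, not code from Malwarebytes or PC Pitstop; the service and task names (`defragsvc`, `gupdate`, `gupdatem`, `ScheduledDefrag`) and the `ExpectedAdmins` allow-list are assumptions that do not appear in the article.

```powershell
# Added example (not from the article): audits a Windows host for the kinds of
# change described above. Assumed names: defragsvc, gupdate, gupdatem, ScheduledDefrag.
function Get-UnwantedSystemChange {
    param(
        # Hypothetical allow-list: local accounts you expect to be administrators.
        [string[]]$ExpectedAdmins = @()
    )

    # 1. Services that should not be disabled: Optimize Drives and Google Update.
    foreach ($name in 'defragsvc', 'gupdate', 'gupdatem') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartType -eq 'Disabled') {
            [pscustomobject]@{ Check = 'Service'; Item = $name; Detail = 'StartType is Disabled' }
        }
    }

    # 2. The built-in scheduled drive optimization task.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' `
        -TaskName 'ScheduledDefrag' -ErrorAction SilentlyContinue
    if ($task -and $task.State -eq 'Disabled') {
        [pscustomobject]@{ Check = 'ScheduledTask'; Item = $task.TaskName; Detail = 'Task is disabled' }
    }

    # 3. Local user accounts in the Administrators group (well-known SID
    #    S-1-5-32-544), excluding the built-in account (RID 500) and the allow-list.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
    foreach ($m in $members) {
        $shortName = ($m.Name -split '\\')[-1]   # strip the COMPUTER\ prefix
        if ($m.SID.Value -like '*-500' -or $ExpectedAdmins -contains $shortName) { continue }
        $user = Get-LocalUser -SID $m.SID
        [pscustomobject]@{
            Check  = 'LocalAdmin'
            Item   = $m.Name
            Detail = "Enabled=$($user.Enabled); PasswordLastSet=$($user.PasswordLastSet)"
        }
    }
}

# 'alice' is a constructed account name standing in for your own known administrators.
Get-UnwantedSystemChange -ExpectedAdmins 'alice' | Format-Table -AutoSize
```

An empty result means none of the three conditions was found; `PasswordLastSet` is shown because it gives a rough indication of when an unfamiliar account appeared.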

On top of all of the behaviors listed above, Malwarebytes has found a series of critical vulnerabilities in PC Pitstop’s products that can allow any attacker to take control of your machine. We advise all PC Pitstop users to immediately uninstall any and all PC Pitstop products from their computers until the vulnerability is resolved. We have sent details of the vulnerabilities found to PC Pitstop so they can address them immediately.

We use our best judgment and a list of criteria we’ve seen abused in the past to determine whether software should be flagged as Potentially Unwanted for our users. No company and no software is perfect, Malwarebytes included. We hope PC Pitstop takes action to remediate the issues listed above, at which point we will immediately stop flagging their products for potential removal. We are humbled that our users trust us to keep them safe and we will aggressively defend our stance on the detection of PC Pitstop’s products until that time.

UPDATE:

We are excited to announce that Malwarebytes is no longer detecting PC Pitstop’s product, PC Matic, as potentially unwanted software. PC Pitstop has not only stopped using scare tactics against potential customers, they have gone as far as removing registry cleaning from their product by default.

ABOUT THE AUTHOR

Marcin Kleczynski

CEO and Co-Founder of Malwarebytes
