Malwarebytes wins 2016 Security Blogger Award

Systweak Redux: our response

On July 29, we published a blog titled “PUP Friday: Cleaning up with 5 star awards“, taking a look at a registry cleaner called RegCleanPro made by Systweak. We detect the file in question as a PUP, and covered it as part of our regular PUP Friday series. The makers of Systweak software posted both to our blog comments (with no response to my reply, at time of writing) and also posted a blog on their website titled “How Malwarebytes Got It All Wrong with RegClean Pro“.

Below is a reply to both the comments made to our blog and their own post. The comments from their blog are numbered and in bold, green text, with our responses to each point underneath.

1) “As far as we know, even Windows itself never had a problem with Registry Cleaning software”

OUR RESPONSE: Microsoft categorically does not endorse using registry cleaners, and one would expect a maker of such programs – especially one with a Microsoft Partner Gold Application Status – to be aware of this fact. From the linked KB article [bolded text emphasis my own]:

Microsoft does not support the use of registry cleaners…Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes. Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

2) “Malwarebytes Anti-Malware (MBAM) apparently detects ‘RegClean Pro installer as PUP.Optional.RegCleanerPro’. For the uninitiated PUP stands for Potentially Unwanted Programs which basically comprise programs that compromises the privacy of your System. In short, PUPs are malicious programs. RegClean Pro is definitely no such thing.”

OUR RESPONSE: This is incorrect – we did not label RegCleanPro as “malicious”, and their definition of a PUP is also wrong. If a Potentially Unwanted Program was “malicious”, then “potentially” would be superfluous and they would simply be referred to as “Unwanted Programs”.

We have a very long, detailed explanation of the type of behaviour likely to trigger a PUP categorisation. While some – or many – of the various sections may or may not apply to certain registry cleaners available online, with specific regard to registry cleaners as a whole:

Registry Cleaners, Optimizers, Defragmenters.

Microsoft has officially stated that they do not support the use of registry cleaners as shown here: https://support.microsoft.com/en-us/kb/2563254 Many of these are installed as part of “bundlers” or “wrappers” and the end user is left with a program that performs a scan at startup and presents a report in an alarmist fashion, stating that a large number of errors are present in the registry. Our testing has shown that these programs will always find errors in the registry, even on a freshly installed operating system. As such this behavior qualifies for a PUP classification.

3) “Also, RegClean Pro does not show ‘false multiple errors’. Detected errors, if any, are efficiently cleaned by the software”

OUR RESPONSE: With specific regard to testing done for the blog post in question, we ran the program twice on the same PC, in the same session, and it returned a different tally of alleged errors on both occasions.

First scan:

1st scan

System related errors: 11 Core and ActiveX errors: 31 User related errors: 77 Startup and uninstall errors: 8 Total registry errors found: 127

Second scan:

second scan

System related errors: 0 Core and ActiveX errors: 27 User related errors: 77 Startup and uninstall errors: 7 Total registry errors found: 111

Between both scans, the only tally from the first scan which remained constant was “user related errors” at 77. Every other scan value was different.  With no alterations made to the system between tests, one would expect the results to be identical. In this instance, we simply reported what we observed.

4) “…it also reviews a software version which is obsolete and does not even clarify whether the said software was distributed by Systweak itself…The Malwarebytes post cleverly uses an inapt image to show the ‘date of modification’ instead of the ‘Digital Signature’ and other relevant software version details.

We can only speculate that the images are contrived or are from days when Google officially distributed its Toolbar (the toolbar is primarily a repository of web searches.)”

OUR RESPONSE: There is no Google Toolbar in the install.

The screenshots – which are not “contrived” – display Amazon Browser Bar, MyPCBackup, and Advanced System Protector, the latter of which is a Systweak product. It appears that MyPCBackup is so commonly found alongside RegCleanPro in bundles that MyPCBackup mentions this on one of their support pages.

The original source of the file, whether from Systweak themselves, or as part of a bundle from a third party, is easily deduced as we linked to the relevant VirusTotal page in the original blog. The file was uploaded by one of VirusTotal’s contributors on 28 / 07 / 2016.

If a file is in the wild and / or available to download, or third parties unrelated to ourselves have uploaded a file to a public facing resource, we will potentially cover it if we think it to be of interest to our readers. How old a file is may not be a concern depending on if it is being downloaded / installed on PCs, alongside additional non-exhaustive circumstances.

The screenshot displaying basic file information does so because our blog readers tend to find information such as version number / file name / product description / file size useful. Focusing on the fact that “Date modified” is in the screenshot while claiming we “ignored other relevant software details” when the image also contains File description, file type, file version, product name, product version, copyright, size, and language, is a peculiar misrepresentation of the evidence on offer.

One also questions how valuable focusing on a digital signature is in practice. For example, if a file’s signature has expired but the file is still either available to download or being offered as an install, why would this information be useful as a metric for whether or not to research / write about a file? By the same token, if a program is available across various online portals / download sites, it is fair to say it may be researched and analysed regardless of whether or not there is a valid certificate to hand.

Additionally, a valid certificate is not a guarantee that a program is “safe” and not worth covering – digitally signed Malware is not new, and researchers at this year’s Black Hat have found a way to hide Malware inside otherwise legitimate, digitally signed files.

One of our researchers downloaded a tutorial [VirusTotal link] for CCleaner from Tuto4pc(dot)com on the 3rd August which, when tested, offered up a copy of RegCleanPro roughly 50% of the times the bundle was executed. As you can see, at least one of the Signatures for the Tuto file had expired, yet it was in active distribution anyway – and, every so often, it was offering up a version of RegCleanPro.

While anyone interested in cert signing can take a look at the signer information on the RegCleanPro file on VirusTotal, faced with multiple expired and active certificates, it would be remiss to use this as the basis for writing – or not writing – about a piece of software.

Tuto cert

With our responses to the various points raised in their blog, now we move onto the posts in our blog comments. The posts made are in green, with our responses underneath.

5) A comment from “Marc”:

Nice effort Jovi! But Systweak has changed everything since last 2 years and the build you have used is not the latest one downloaded from the website. This is a build that was in place maybe years back. If you want to provide true information to the users, pick the latest one.

I just double checked of what you have mentioned here and what their current app look like!

So you mentioned right! There is a miss out here..but from your side 😉

OUR RESPONSE: The above post was made by someone calling themselves “Marc”, with a Disqus account specifically created to comment on our blog post – it hasn’t been used for anything else. Additionally, it reads as if a third party – perhaps a user of RegCleanPro – is coming to the program’s defence.

For example, note the use of “…and what their current app look like”

We do, of course, perform comment moderation. In the above case, this seems to be an instance of OPSEC failure because someone has listed a Systweak(dot)com email address:

“Marc” is actually named as “Manish” in the email address, and Manish is listed online as the VP of Systweak.com.

6) A comment from “Sarah”:

Has This become a practice of malwarebytes to keep cribbing and Sending false information to the user.

This is not just the first time i have come across a lie from this blog.

I have been using this product personally. whatever you have written makes no sense. Please stop providing misleading information.

OUR RESPONSE: This comment was made from a Gmail address and not a Systweak email account. However, the IP address used has been cited on a “Stop forum spam” website, and lists an email address belonging to someone called “Yogesh” with a Systweak email. According to Linkedin, this individual is listed as the SEO Executive of Systweak.

There is a second email address listed against that IP for forum spam, so we decided to do a little more investigation out of curiosity. The name attached to it posts links across multiple sites pointing to the Systweak blog, mostly in article comments but also (occasionally) a standalone post, such as the one found on Pinterest.

Comments

The named individual is listed as working at Systweak on an Infographic / creative design site.

Profile

Humorously, they endorse Malwarebytes in a comment linking to the Systweak blog.

Use Malwarebytes

Malwarebytes is a very useful antimalware software, I used this for Locky Ransomware Removal and many of my contacts believe in this.

What we have here – from just two IP addresses – appears to be two employees of Systweak posting to our blog comments in a manner which suggests they’re not related to Systweak, and an unrelated individual – tied to one of the poster’s IP addresses – who also states online that they’re affiliated with / work for Systweak in some capacity.

While the latter individual is an obvious promoter of their own product and perfectly upfront about it, the two individuals posting to our blog comments are quite the opposite and are partaking in astroturfing, where people tied to a specific group or company use fake identities to post what appear to be “grassroots” support for the company or group in question.

In Conclusion

1) Microsoft does not endorse the use of registry cleaning software.

2) A PUP is absolutely not a designation for a malicious piece of software, because there is no need for “potentially” where malicious programs are concerned. Our detection of RegCleanPro as a PUP does not mean it is being flagged as “malicious”, despite claims to the contrary in the Systweak blog.

3) We reported on what the software we looked at did in testing, which in this case was to report back with varying numbers in the scan results. No screenshots have been faked, “contrived”, mocked-up or otherwise digitally edited.

4) There are a number of versions of RegCleanerPro in distribution, not all of which are directly downloaded from Systweak’s website. It is up to the vendor of a given piece of software to police their distribution channels and ensure any versions online are the most recent ones. The specific source of the file in question could be deduced from the link in the blog to the VirusTotal page where the file was uploaded on the 28th July.

Despite claims to the contrary, our blog listed multiple pieces of file information, and we maintain that in an age of digitally signed Malware, a signature is no indicator as to how a piece of software will perform, in much the same way that having a Microsoft Gold Partner Status is no indicator of whether or not a company’s software is good or bad.

5) Two comments were posted to the blog questioning the validity of the research, yet by a combination of email / IP addresses used both appear to tie back to individuals listed as the VP and the SEO Executives of Systweak. This is known as Astroturfing. To further cement the relationship between the second IP and Systweak, it is also listed as having been used by a third individual who openly states online to work for Systweak while posting in blog comments / web posts linking back to Systweak software.

We stand by our original blog post and research.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.