Symantec Connect
Security Response

Cloning for Profit

Rajesh Nikam
July 21st, 2009
Tags: Endpoint Protection (AntiVirus) - 9.x and Earlier, Endpoint Protection (AntiVirus) - 10.x, Endpoint Protection (AntiVirus) - 11.x, Endpoint Protection (AntiVirus), Security, Security Response

Misleading applications report false information about the presence of security risks, threats, or system issues on a target computer. We see a flood of such applications that fix supposed system anomalies, and some of them are marketed through affiliates. Affiliate marketing makes such products a more lucrative business, as some of these products share up to 75% of their profits.

My day started with the analysis of an application from registry-doktor.com. I downloaded the application from the site on a clean computer, basically a fresh installation. On completion of the scan, Registry Doktor 2009 flagged a report with hundreds of problems found on my computer. To fix the reported problems, the user needs to purchase the product!

Most of these problems were related to inconsequential missing file associations, shared DLLs, and ActiveX objects. This is common behavior observed with most registry fix tools. The “entries” shown weren’t simply fake, but whether removing any of these particular issues is necessary or would provide any noticeable performance improvement is debatable.

Looking at the website for registry-doktor.com, I found an interesting claim about a copyright-protected Windows Registry Repair Algorithm:
“Our technology is unique and protected by copyright (WRRA - Windows Registry Repair Algorithm), each scan result represents an unsolved problem, to be even bigger and more serious problems can result, like the hang of the computer not responding programs and system crashes.”

Surprisingly, this exact copyright claim for WRRA appears on the sites of many other misleading applications, such as Error Fix™ for Windows, Registry Cleaner Pro, SmitFraudFix Pro, AntiMalware Pro, Spyware Destroyer, and Adware Pro. Thus, Registry Doktor 2009 appears to be a clone of, or at least associated with, these other potentially unwanted applications.
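The matching described above can be automated by checking how much of the quoted claim survives, word for word, in the text of other product pages. The following is an added example, not code from the original post: the site names, page texts, and the 0.8 threshold are constructed assumptions, and only the claim text comes from the quote above.

```python
import re

# Opening of the WRRA claim, as quoted in the post.
WRRA_CLAIM = (
    "Our technology is unique and protected by copyright "
    "(WRRA - Windows Registry Repair Algorithm), each scan result "
    "represents an unsolved problem"
)

def shingles(text, k=5):
    """Set of k-word shingles, ignoring case, punctuation and spacing."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def containment(claim, page_text, k=5):
    """Fraction of the claim's shingles that also occur in page_text."""
    claim_sh = shingles(claim, k)
    if not claim_sh:
        return 0.0
    return len(claim_sh & shingles(page_text, k)) / len(claim_sh)

def pages_sharing_claim(pages, claim=WRRA_CLAIM, threshold=0.8, k=5):
    """Sorted names of pages that reuse at least `threshold` of the claim."""
    return sorted(name for name, text in pages.items()
                  if containment(claim, text, k) >= threshold)

# Constructed sample page texts (hypothetical hosts, not real crawl data).
SAMPLE_PAGES = {
    "site-a.example": "Buy now! Our technology is unique and protected by "
                      "copyright (WRRA: Windows Registry Repair Algorithm), "
                      "each scan result represents an unsolved problem. Order today.",
    "site-b.example": "OUR TECHNOLOGY IS UNIQUE AND PROTECTED BY COPYRIGHT "
                      "(WRRA - Windows Registry  Repair Algorithm); each scan "
                      "result represents an unsolved problem!",
    "site-c.example": "Our cleaner is fast. Each scan takes about two minutes "
                      "and our technology is updated weekly.",
}

if __name__ == "__main__":
    for name in pages_sharing_claim(SAMPLE_PAGES):
        print(name, "reuses the WRRA claim")
```

Pages that clear the threshold are candidates for the same clone family and still need manual confirmation, as the post does with the shared contact details.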

On further analysis, some FTP credentials were found in one of the binary files, leading to an email address, f*********@*******.com. This email address looked familiar and turned out to be the same address associated with the DVDShrink scam, which involved selling the DVDShrink freeware through sites like dvdshrink--download.com and officialdvdshrink.com. The same email is also associated with misleading applications such as SpywareSweeper and SpywareBomb.

The fact that the person or group behind Registry Doktor 2009 is also behind many other misleading applications and scams is no surprise. Constantly changing the look and feel of the programs they distribute, creating simple clones of the applications and websites, and having affiliates sign up and push out multiple programs are all par for the course in the misleading application world, as the people behind it attempt to keep ahead of the blogosphere warning against these applications, of true security vendors, and, more importantly, of credit card chargebacks.
