MonaRonaDona - We might be in the AV industry, but at least we aren't STUPID!
Posted by: Jacques Erasmus
I particularly liked the YouTube video they posted with the entry. So.. I decided to take a look at this.
I did a quick search in our database and found around 15 variants of the file they referred to: "RegistryCleaner2008.exe". This is always a good start, getting the sample...
So I did a quick analysis of the sample, and found many things that made me go "hahaha". There is no replacement for human stupidity after all.
The developer of the program left some nice details inside his executable, things like paths on his system. Normally we see things like E:\Blah\Project_for_Russian_Mafia\src\pwnzored.c
But in this case it was nicely put together, "E:\Under Construction\Elance\Registry Cleaner\..." This is nice.. It tells us he is working as a coder for someone that hired him on Elance, as mentioned on the Threatfire blog. This is most likely not surprising. (Yes I know.. Here comes the good stuff)
I decided to dig further...
I found a URL in the executable, "http://www.bitbytesoft.com". Visiting this site shows just an "Under Construction" graphic... But wait - let's see what the Wayback Machine knows.
Hmm interesting.. This will correlate well with this then..
This shows that they made a rather unsuccessful weight loss application.
So is this the end? NO!
I logged into my DomainTools account to see if they knew more about this domain... I found the following whois details.
Nice.. So, as you do, you try phoning the number from your mobile phone, only to hear "beep beep beep..." No surprise.
Is this the end of the road for this fun 45-minute exercise? No, one last trick...
Luckily DomainTools is like the "know-it-all wise old man" and keeps records of all modifications to whois details. It seems our friends at BitByteSoft changed their whois details on the 3rd of March (two days ago... I wonder why?), and luckily we have a copy of the old details.
Dialing the number listed below yields an answer from a softly spoken man. I asked him if he was Bilal Yousaf; he said yes, he is. I asked him about Bitbytesoft; he replied that yes, he is the owner.
After some intense social engineering, he finally cracked, after passing the buck to everyone except his mother. He told me he accepted the project from a message he received on Elance.
It was also mentioned that they were hiring ghostwriters to write fake articles endorsing Registry Cleaner at $10 an article. This explains the reviews listed on the Viruslist blog here.
I guess this is how far this plays out. Anyone want to sponsor me a team of bodyguards and a flight ticket to Islamabad?