Google Maps fix for RegistratorViewer (Windows)

Yeah, I'm aware of what you're saying. Aside from what it does now, there was always polling back to Russia going on; perhaps there were intentional backend processes all along. Only when things start breaking do people go looking. With the massive user base this program has, that could have been quite lucrative. Keep in mind the old saying, 'if the service is free, you're the product'; it was, after all, quite a lot of product for zero upfront cost to the end users.
Yep... I totally agree with you.
It's a shame as it was the only software I could find that could successfully demux the GPS data from the MOV files on my G90 camera.
 
Whatever is happening is definitely dynamic in nature, indicating it's being driven from outside the local system. Until today the only symptoms I've seen were the intrusion warning from Norton Security I've previously posted. Starting this morning, when launching RV, Norton also began warning about 'high outbound network activity' - something I've never seen previously. :censored:

I have no choice but to remove all versions of RV from my system(s) until, and if, the issue is resolved, which at this point I feel is highly unlikely. :cry:

Now to start a full blown deep scan of my system to see if anything may have been installed. Be back when it's done.
 
Sad to see it come to this - I haven't used RV in about a month - think I'll uninstall at this point and not chance it. Thanks @DeLorean for your hard work finding this.
 
I can't see any simple way around this as the "code" that is causing the issue appears to be enveloped so as to avoid prying.
It appears RV is intentionally pulling the information from the offending site which is spawning more script activity.
Interestingly the RV program itself is also capable of spawning more IP numbers after its initial connections have been made... it's all clever stuff!
 
Blocking all the initial IP numbers it contacts should halt the process, but I've yet to try this.
 
Blocking all the initial IP numbers it contacts should halt the process, but I've yet to try this.
That's likely true but the issue would be in identifying them all - although I'm sure over time that could be done.

On a related subject, I've completed deep scans of both systems I had RV installed on and nothing showed as being out of order.
 
I can't see any simple way around this as the "code" that is causing the issue appears to be enveloped so as to avoid prying.
It appears RV is intentionally pulling the information from the offending site which is spawning more script activity.
Interestingly the RV program itself is also capable of spawning more IP numbers after its initial connections have been made... it's all clever stuff!

will wait and see if @flip9 has any luck or comes to same dead ends
 
will wait and see if @flip9 has any luck or comes to same dead ends
Unfortunately I just don't have the time to do any more playing around with RV for the moment... the wife has told me this several times ;)
With the right expertise I'm sure a solution can be found :)
 
That's likely true but the issue would be in identifying them all - although I'm sure over time that could be done.
On a related subject, I've completed deep scans of both systems I had RV installed on and nothing showed as being out of order.
On my test systems (which have been hammered over the last few days) I've also carried out comprehensive virus, malware and spyware scan and all came up clear :)
It appears it's just eating up bandwidth with the number of background connections RV is making to these servers but the scripts are currently just adverts etc and contain no hostile components for the moment.
 
Sadly I will be uninstalling my copies as well.

As I understand it, from the previous comments.. the program is designed to phone home and do an automatic update. As the home site was abandoned.. some rat took it over and created a custom update.. that has hijacked our systems. Now.. some smart coder needs to trick RV to go to a known site and accept an update that prevents further updates.. or, simply go to a null site..
 
Sadly I will be uninstalling my copies as well.

As I understand it, from the previous comments.. the program is designed to phone home and do an automatic update. As the home site was abandoned.. some rat took it over and created a custom update.. that has hijacked our systems. Now.. some smart coder needs to trick RV to go to a known site and accept an update that prevents further updates.. or, simply go to a null site..
Just to update you. I'm running a version where I've removed all references to Registration Viewer and Datakam, including any other suspicious URLs and IP addresses; the problem still persists.
All I've allowed is "visible" code that references map server which of course are needed for RV to function.
It's not a dodgy update that's been hosted and downloaded from www.registrationviewer.com or any other site related to the software.... it's caused by RV contacting advertising servers elsewhere.
It would appear that this ability of RV has always been there, but the offending code has been enveloped with encryption to stop its detection.
The encryption makes identifying the offending code extremely difficult... even impossible.
As no one appears to have access to the original source code it's like a needle in a haystack.
I've found that RV has a completely separate engine running in the background that's linking to these advertising servers.
Once the connection is made to one of several initial servers, whatever code is uploaded allows them to supply the background routine with the ability to contact additional servers.
So whatever data it's been relying on in the past to instruct RV where to contact has been radically changed recently.
I think the developer of RV was profiting from hits that RV made to these servers but it didn't actually display the adverts to the user, so both user and advertiser were being used.
I've seen RV sometimes making 25+ connections in the background so that's why many users have seen their bandwidth being hammered.
As there are millions of people using this software all over the world sometimes these servers are too busy to service an individual, so sometimes you may see very little background activity and at other times your system may be overwhelmed.
Hopefully some real pros that know their stuff and have the required resources will be able to identify the issues and disable it.
I'll keep plugging away at it, but I have lots of other commitments which limit the amount of time I can spend on the problem.
 
...I've found that RV has a completely separate engine running in the background that's linking to these advertising servers...
We all may have been unwitting participants in a 'botnet' for all we know. :cry:
 
I guess we were all taken in.. too bad, it was the best viewer out there.
 
We all may have been unwitting participants in a 'botnet' for all we know. :cry:
It's entirely possible. I’m currently monitoring and analysing the data RV transmits and receives over the internet. Hopefully I can glean some useful info from this but it will take time to trawl through and eliminate all the background chatter.
 
It's entirely possible. I’m currently monitoring and analysing the data RV transmits and receives over the internet. Hopefully I can glean some useful info from this but it will take time to trawl through and eliminate all the background chatter.
I'd be really interested in what you eventually find.
 
I'm back from the Easter break. Geez, a bit of paranoia here.

I have analyzed the network traffic coming out of RV. As far as I can see there is no rogue code sending personal data back to the motherland, nor are you part of a botnet.

Upon startup RV will try to send many requests to connect to:

- update.registratorviewer.com (Update check)
- registratorviewer.com (Externally hosted RV scripts, images, etc)

And like I said, when it connects to the expired RV domain, it will get forwarded to a string of ad pages and the clusterboof of ad connections begins.

All ads/ad connections stopped when I simply blocked the following through the HOSTS file:
Code:
127.0.0.1 update.registratorviewer.com
127.0.0.1 www.update.registratorviewer.com
127.0.0.1 registratorviewer.com
127.0.0.1 www.registratorviewer.com
127.0.0.1 googleadapis.l.google.com

I suggest not using RV until you have blocked these from connecting. With all these workarounds, RV is really on its last legs. I cannot change the code to fix this as it's much deeper than what I can access.

As for the expired domain causing all of this, it has fallen in the hands of a domain registrar called DYNADOT. They are just parking the domain and monetizing it for ads. Nothing out of the blue, it gets snapped up when a domain with high traffic expires.
 
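A defender-side check for the HOSTS workaround above, as an added example that is not code from RV or from any poster: it parses a hosts file, reports which of the domains flip9 listed are not yet sinkholed to loopback, and rewrites the file so they are, handling the case where a domain is already mapped to some other address (an appended line alone would not override it, since resolvers take the first match). SAMPLE is constructed data; the domain list is the one in the post.

```python
# Added example (not RV's or any poster's code): sinkhole the expired RV domains flip9 listed.
import ipaddress
RV_BLOCKLIST = [
    "update.registratorviewer.com",
    "www.update.registratorviewer.com",
    "registratorviewer.com",
    "www.registratorviewer.com",
    "googleadapis.l.google.com",
]

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) mapping."""
    mapping = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # malformed line, skip it
        for name in parts[1:]:
            mapping[name.lower()] = ip
    return mapping

def unblocked(text, domains=RV_BLOCKLIST):
    """Domains that are absent or still mapped to a non-loopback address."""
    active = parse_hosts(text)
    return [d for d in domains if d.lower() not in active
            or not ipaddress.ip_address(active[d.lower()]).is_loopback]

def ensure_blocked(text, domains=RV_BLOCKLIST):
    """Rewrite the file so every domain maps to loopback; idempotent. Conflicting
    non-loopback lines are dropped first: resolvers take the first matching entry."""
    missing = {d.lower() for d in unblocked(text, domains)}
    if not missing:
        return text
    kept = []
    for raw in text.splitlines():
        names = {n.lower() for n in raw.split("#", 1)[0].split()[1:]}
        if not names & missing:
            kept.append(raw)
    kept.append("# RegistratorViewer expired-domain sinkhole")
    kept += [f"127.0.0.1 {d}" for d in domains if d.lower() in missing]
    return "\n".join(kept) + "\n"

# Constructed sample: localhost only, a commented-out entry, and a wrong mapping.
SAMPLE = ("127.0.0.1 localhost\n"
          "#127.0.0.1 registratorviewer.com\n"
          "192.0.2.10 update.registratorviewer.com\n")
```

On Windows the file to feed in is C:\Windows\System32\drivers\etc\hosts, which needs an elevated prompt to write back.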
...I suggest not using RV until you have blocked these from connecting. With all these workarounds, RV is really on its last legs....
Thanks for the assurances and work you've done researching.

Made the changes to HOSTS and Norton Security has quit complaining about RV so all appears to be good. (y)
 
After having another brief poke around this evening I totally agree with flip9... thanks for releasing an easy workaround for users of RV. :)
I've been blocking IP access using my firewall rather than using the hosts file, but the results are the same.
I've personally not blocked googleadapis.l.google.com, but doing so should reduce Google placed ads and analytics etc so probably not a bad thing. ;)
It just shows how a piece of software can fall foul of something so basic, and why Microsoft has crudely restricted program access to IE, e.g. ActiveX etc.
Flip9's explanation of why this is happening is probably more elegant than I’d have put it :p
I was hoping to release a modded version of RV rather than any workarounds, but I'm still running into problems and side effects caused by the mods... I may never crack the problem but hopefully flip9 has more of a coding background than me and will find the solution.
RV’s days are unfortunately numbered and this is just another nail in its coffin.
RV does not contain any botnets but could potentially be used to carry out Denial-of-service attacks.
I’ve recently wondered how much access Andrey Vokin (who created the Mac version) had to the source code of RV, or if he just coded a duplicated app completely from scratch?
As RV is the only software that can extract and parse the GPS data from my dash cam, I’ll have to carry on using it until my camera gives up the ghost.
 
I’ve recently wondered how much access Andrey Vokin (who created the Mac version) had to the source code of RV, or if he just coded a duplicated app completely from scratch?

I would guess not a lot, as the guys that were the main sponsor of RV (Datakam) had to go and do their own player, and it's nothing like RV and not really that good. I had spoken with them not long after Vadim passed and they were intending to continue his work, but it never happened.
 
I'm annoyed that I didn't try picking up the domain before it expired. I would have kept an eye on domain auction sites if I knew it was expiring, to prevent scammers from getting it.

Seems like it's owned by some domain management company now:
Code:
Registrant Name: Nanci Nette
Registrant Organization: Name Management Group
Registrant Street: 1619 N. LA BREA AVE.
Registrant Street: #221
Registrant City: LOS ANGELES
Registrant State/Province: California
Registrant Postal Code: 90028
Registrant Country: US
Registrant Phone: +1.2249355722
Registrant Fax: +1.2249355722
Registrant Email: domains@namemanagementgroup.com

There are around 21,000 domains with that same contact info, and apparently people don't have much luck recovering domains from them:
https://fliesonly.blogspot.com/2014/04/shessoflyoutdoornewscom-domain-name-was.html
https://www.namepros.com/threads/name-management-group.844615/1

I haven't had much luck getting domains back in the past. It's basically impossible unless you have a trademark on the name in question (in which case you can file a complaint via WIPO).

Probably the best thing to do is to modify the executable to remove all references to the old domain. @DeLorean what tools have you been using to disassemble the executable?
 