In trying to find out why magicjack.exe is unloading several times per day (see my other post), I decided to watch the magicjack.exe process using ProcMon from SysInternals. What I noticed is a periodic 3-second repeat of magicjack.exe reading network registry entries.
Every 3 seconds, there are around 133 events from the magicjack.exe process. 132 of them are to open a registry key, do multiple queries on it on several data values, and then close the registry key. The last entry seems to be checking if the program path can be found (I moved it from under my %userprofile% to C:\mjusbsp).
Sure seems like a lot of repetitive registry activity when I'm not even using the MagicJack.
MJ is opening and reading registry keys every 3 seconds
-
VanguardLH
- MagicJack User
- Posts: 38
- Joined: Mon Aug 04, 2008 2:06 am
Re: MJ is opening and reading registry keys every 3 seconds
VanguardLH wrote: "What I noticed is a periodic 3-second repeat of magicjack.exe reading network registry entries. Every 3 seconds, there are around 133 events from the magicjack.exe process."
Mine does that too. The interesting thing is that, watching the Task Manager, MJ stays at 0% CPU. It only bumps up to 2-3% when it closes, creates, opens G:/ (after doing a hundred or so registry reads).
Mark
-
VanguardLH
- MagicJack User
- Posts: 38
- Joined: Mon Aug 04, 2008 2:06 am
I use Comodo Firewall Pro which includes a HIPS (host intrusion protection system) called Defense+. This lets me decide what programs can load and what they can do. When I start MagicJack, I get prompted to allow several behaviors, a couple of which I deny.
magicjack.exe wants to take control of one of the svchost.exe instances. I deny that. MagicJack runs without this control. It also wants to control explorer.exe (the desktop GUI), which I deny. And it wants to modify a registry entry for a Windows Firewall policy, probably to add itself as an exception. I deny that, too, since I consider that to be malware behavior because the user should always be in control over whether or not an application gets Internet access. While MagicJack is a VOIP service and needs Internet access, it will be me that decides to give that access, not the program.
There are a lot of undefined behaviors of this product. Obviously no one at their chat line is going to know anything about its real operation and I doubt any representative of YMax is going to reveal just exactly how their product works. It obviously goes beyond just providing a VOIP service.
VanguardLH wrote: "It obviously goes beyond just providing a VOIP service."
What are you suggesting? What could it be doing?
It seems to me like, if it were functioning as spyware we would have heard about that by now. Someone would have detected it. MJ has plenty of enemies (competitors who are threatened by MJ's low price). I've seen people make overt claims that it's spyware (and the lack of an uninstall is evidence of how they want to keep it on your computer).
But, really, with the companies opposed to MJ, someone would have picked up on these infrequent allegations and analyzed it by now.
I have no idea why it does the things you said it does. But, I'd chalk it up to off-shore software development instead of a brilliant mind up to no good.
Mark
-
VanguardLH
- MagicJack User
- Posts: 38
- Joined: Mon Aug 04, 2008 2:06 am
What I was implying is that perhaps they are "borrowing" techniques of malware. MsgTag is an example of a legit service that borrowed the web beacon trick of spammers in HTML-formatted e-mails to tell when someone opened their spam (MsgTag uses the web beacon to let the sender know if the recipient opened the sender's e-mail - but it's easily thwarted). A program doesn't need to be malware (i.e., with deliberate intent to cause harm) to be a misbehaved or corruptive program. magicjack.exe is performing actions that are suspect.
That the magicjack.exe process wants to take control of a svchost.exe process and modify the firewall policy (which is only effective if you use the Windows Firewall instead of a 3rd party firewall) goes beyond what a "nice" program would do where the user makes the decisions regarding connectivity and trying to usurp control. So far, I've denied magicjack.exe any control over svchost.exe and modifying the firewall policy. I also denied it access to the service control manager. MagicJack doesn't run as a service nor should it even be trying to stop, start, or delete services.
Some of the covert activity may be YMax trying to make their product configuration-free; i.e., users don't have to figure out how to define an exception to the Windows Firewall to let the magicjack.exe process get unfettered connections. I don't know why they think they need to control or delve into any svchost.exe instance or why they think they need access to services. It's not like they actually divulge much of anything on how their product works. If you knew some of the specifics of their softphone, replacing it with a different softphone would be easy. You don't even need their dongle if you use a headset to your computer instead of using a phone attached to the dongle. These forums are full of posts for info that YMax won't reveal and probably never will.
By the way, you mentioned that you don't see any CPU usage spikes when magicjack.exe goes querying around 130+ data values in the registry. That's probably because the default update interval for Task Manager is 3 seconds so anything really short-lived won't show as a blip on the radar for CPU consumption. The shortest you can set the update interval is 1 second. That is still far longer than the less than 9 ms that it takes for magicjack.exe to go opening and querying data values in the memory copy of the registry.
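Added example, not part of the thread and not MagicJack or Sysinternals code: a Python sketch that measures the burst pattern discussed above from a ProcMon CSV export, grouping one process's registry events into bursts and reporting their period and length. It assumes the export has the "Time of Day", "Process Name" and "Operation" columns with times written like `10:00:03.0012345 AM`; the sample capture, PID, registry path and the 0.5 s gap threshold are constructed for illustration.

```python
import csv, io
from statistics import median

def fmt_tod(t):
    """Seconds since midnight -> 'h:mm:ss.fffffff AM' (sample data is morning only)."""
    h, rem = divmod(int(t), 3600)
    m, s = divmod(rem, 60)
    return f"{h}:{m:02d}:{s:02d}.{round((t - int(t)) * 1e7):07d} AM"

def parse_tod(text):
    """Parse the assumed 'Time of Day' format into seconds since midnight."""
    clock, ampm = text.split()
    hms, frac = clock.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    h = h % 12 + (12 if ampm.upper() == "PM" else 0)
    return h * 3600 + m * 60 + s + float("0." + frac)

def make_sample(bursts=4, reg_events=132, period_s=3.0, burst_s=0.009):
    """Constructed capture: every period_s, reg_events registry ops plus one file op."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Time of Day", "Process Name", "PID", "Operation", "Path", "Result"])
    for b in range(bursts):
        start = 10 * 3600 + b * period_s
        for i in range(reg_events):
            w.writerow([fmt_tod(start + i * burst_s / reg_events), "magicjack.exe", "1234",
                        ("RegOpenKey", "RegQueryValue", "RegCloseKey")[i % 3],
                        r"HKLM\constructed\key", "SUCCESS"])
        w.writerow([fmt_tod(start + burst_s), "magicjack.exe", "1234",
                    "CreateFile", r"C:\mjusbsp", "SUCCESS"])  # the 133rd, non-registry event
    return buf.getvalue()

def find_bursts(csv_text, process="magicjack.exe", gap_s=0.5):
    """Group one process's Reg* events into [start, end, count] bursts split by idle gaps."""
    times = sorted(parse_tod(r["Time of Day"]) for r in csv.DictReader(io.StringIO(csv_text))
                   if r["Process Name"].lower() == process and r["Operation"].startswith("Reg"))
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][1] <= gap_s:
            bursts[-1][1] = t
            bursts[-1][2] += 1
        else:
            bursts.append([t, t, 1])
    return bursts

def summarize(bursts):
    """Return (median period in s, longest burst in ms, fraction of time spent in bursts)."""
    period = median(b[0] - a[0] for a, b in zip(bursts, bursts[1:]))
    longest_ms = max(b[1] - b[0] for b in bursts) * 1000
    return period, longest_ms, (longest_ms / 1000) / period
```

On the constructed capture, `summarize(find_bursts(make_sample()))` gives a 3-second period with bursts under 9 ms, a duty cycle of about 0.3%, which is why a sampler that updates every 1 to 3 seconds shows the process at 0% CPU.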