Friday 6 March 2015

Codename Condorul - radu.programmer@gmail.com - Unuro.com

Today I thought I would write about my recent experience on the Envato Marketplace and with my dealings with the user Condorul who also owns Unuro.com ( http://codecanyon.net/user/Condorul ).

The author Condorul who sells software on CodeCanyon offers different types of bots or software which include remote desktop control, remote PC control software, encrypted file binder and a few others. This user also uses the profile picture that is associated with the Anonymous hacking group.

Obviously there is nothing wrong with having this type of profile pic, nor is it wrong to sell this type of software; they all have perfectly valid uses and the images are widely used online.

Condorul also sells other software through the CodeCanyon marketplace, mainly bots that generate fake traffic to YouTube videos, Google Analytics, websites and so on.

I decided to purchase two of Condorul's software products. They were the YouTube fake video views and the Google Analytics fake traffic.

After paying I was able to download and the bots did not need to be installed. I tested the Google Analytics fake traffic bot first and to my surprise it would not run. It started up in task manager but closed right away. I decided to read through the comments ( http://codecanyon.net/item/google-analytics-real-traffic/8911936/comments ) to see if anyone else had this type of issue and to see if it had been answered already. Other users had suffered the same problem and Condorul had recommended each one who was having this type of problem to disable their antivirus software and to try it with no protection. This is when the alarm bells rang! I decided to check the logs of my Kaspersky and Malwarebytes and could see that each time the program tried to run it generated a file in my Windows\System32 folder that flagged as a Trojan.

A Trojan gives malicious users remote control over the infected computer. It enables the author of the Trojan to do anything they wish on the infected computer – including sending, receiving, launching and deleting files, displaying data and rebooting the computer.

Now remember the other files he is selling? Remote PC Software, Encrypted File Binders... The alarm bells again! It would seem that he "binds" remote control software with these "bots" in order to access the infected computer. If his bots don't work he asks the buyer to remove the antivirus software and then run it; this would then give him full access to the computer!

I contacted him about this Trojan and he assured me the files are safe. I then decided to run the YouTube bot and that was the same! I ran both these files through VirusTotal and the Google Analytics file has a 10/55 detection ratio and the YouTube bot has 14/55 detection ratio!

I made a comment on each sales page to notify him and other potential buyers and he deleted both posts! I have now contacted Envato support about him and the malicious files he is selling. I'm waiting for a reply from Envato.

I also decided to Google him and see what else I could find. I googled his email address that he has posted in the comments section when somebody wanted some private work doing. The email is: radu.programmer@gmail.com. One of the first results on Google for that email is this VirusTotal link (https://www.virustotal.com/uk/file/b9e40989938cbbb3e953318de92639f5ddbff3851a96fc07feed46454f4d9353/analysis/).
It's a virus scan of a file called Gmail Notifier that a user has submitted, and it has a detection ratio of 6/55. That means this file he made has 6 infections. You can see his email in the file name when it was created:
ExifTool file metadata:
SubsystemVersion: 5.0
Comments: Gmail Notifier
InitializedDataSize: 169984
ImageVersion: 0.0
FileVersionNumber: 1.0.0.0
Email: radu.programmer@gmail.com






The fact he has removed both my comments warning others about this Trojan infection shows he has something to hide.

As we know, it's not so easy to hide online; you leave digital footprints everywhere.

https://www.facebook.com/unuro/info?tab=page_info


Radu Dumitrache,
Software Developer
Online portofolio:
http://codecanyon.net/user/Condorul/portfolio

Phone: 0733792576
E-Mail: radu.programmer@gmail.com
Homepage: http://www.unuro.com - Unuro.com

So I just wanted to give people a heads up on Radu Dumitrache from Romania who runs the website Unuro.com. Beware before you deal with him; for me the experience has been very bad, and who knows how many computers may have been infected by this guy?