Slashdot Mirror
World's Most Annoying IE Toolbar
nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and blocks all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."
No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.
People get into the habbit of clicking "OK" whenever something pops up. Next thing they know, they have Gator and all sorts of junk installed.
Amazing magic tricks
Xupiter has been around for a while. And it's NOT hard to get rid off: http://www.xupiter.com/uninstall That's it. Way to overreact guys.
I've got default security settings and while it certainly displayed a few popups nothing else got installed. If however the user clicks 'OK' to things being installed without checking what they really do first then you get what you expect. :)
Rule of thumb: Never install anything while browsing when it pops up and says "Hi install me for extra wizzy things!!!".
Martin Piper
Owner - ReplicaNet and RNLobby
Yes, this is a tricky bugger to remove, unless you find the uninstall. Not documented, but thanks to some nice folks in the forum, here it is:
http://www.xupiter.com/uninstall/
Where's my lobbyist? Right here.
... it's having your ActiveX security at default permissions, which in itself is a boneheaded move by Microsoft.
Basically, default permissions say that any "signed" ActiveX control is OK to install without a prompt. So Xupiter just goes ahead and installs it.
People need to read up and learn how to use the (fairly powerful) security settings in IE6, and Microsoft needs to be chastized again for making default security too trusting.
But it's NOT a bug.
Here's an alternative way to use the Security Zones of Internet Explorer to protect you from crap like this.
First, set the "Trusted Sites" zone to the "MEDIUM" level.
THIS MAKES YOUR TRUSTED SITES ZONE THE SAME AS THE NORMAL INTERNET ZONE.
(People seem to flame this idea as a security risk without understanding that last bit)
Then, modify the "Internet Zone" and disable Active Scripting.
Finally, add all your favourite sites to the "Trusted Sites" zone.
You can now enjoy the full functionality of JavaScript etc. on your frequently visited sites including the usual protection of the Internet Zone.
Any site not in the Trusted Sites list cannot use JavasSript and so prevents pop-ups and other nasties such as self installing spy-ware.
I did get this toolbar without clicking yes to anything. I wasn't on xupiter's website. I was browsing and after i was done i closed explorer. When i opened it back up late there was the tool bar. I still dont know where i got it. It took me a while to figure out who it belonged to and how to rid myself of it. I flamed away afterwards.
-Foxxz
On my Windows 98 SE box, I now browse with Phoenix almost all the time. I've discovered, though, that some browser downloads Internet Explorer asks me about, Phoenix installs automatically. (Phoenix seems a little too promiscuous about accepting Java, and doesn't remove .class files when it flushes the cache. Check the %WINDIR%/.jpi_cache/ directory structure.)
It's the kind of thing you might expect from a 0.5 release; unfortunately, it's not the kind of thing you should only expect from Microsoft.
Stupid job ads, weird spam, occasional insight at
Not always there is many things that people can install on your computer through IE using bugs in active x controls and java script.
Time to recheck my security settings. ..bruce..
Bruce F. Webster (brucefwebster.com)
*duh* I DIDN'T install it. It happily installed itself, and no, I didn't just mindlessly click through everything that popped up on my screen. It hijacked IE, and I couldn't kill it until I installed Spybot.
www.robot-invasion.com smart-assed political news, humor, and commentary
I don't know about this week's version of the uninstaller, but previous versions were nice enough to leave behind big chunks of the program. Still running. Sort of the way a tick will leave its head behind if you yank it out with tweezers.
This is a pretty common and ugly tactic among spyware developers.
My wife was unfortunate enough to "click through" and victimize herself with this thing. I happened to notice 20-30 different sessions being generated every few minutes through our firewall and started tcpdump to find out what was happening.
After finding that it did indeed have my wife's credit card number/home address/phone number I asked her what she used it for; She said that she didn't know where it came from but that it was causing her laptop to crash about every ten minutes ever since it added itself to her IE toolbar.
I then spent about 3.5 hours hacking the WinME registry trying to peel this thing out of her laptop because it's 'uninstall' doesn't!
In earlier versions of IE for windows (like the ones that come bundled with windows 98 or ME and maybe 2000) there is a very well-known security flaw that allows malicious code on a website to make the computer download and execute arbitrary files without confirmation from the user. Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves. But that's how spamware trojans like Xupiter often spread.
And anyway, isn't that the digital equivalent of mugging and rape? I mean they either install the thing on your computer without permission and it totally fucks with everythig, or they trick you into installing it by outright lying about it and not telling you what a piece of shit spamware/spyware TROJAN HORSE it is. Couldn't they easily be sued for fraud and/or hacking people's computers?
Repeal the DMCA!
La la la la exploit, la la la la description of exploit, la la la la list of many other unpatched IE holes, some are over a year old. This one in particular is over 4 months old.
http://www.xupiter.com/privacy.html
Read just the first couple paragraphs to find out what they admit to collecting:
Your time zone
Sites you visit and for how long
How you enter and exit sites
Response rate to ads
Applications on your computer (to resolve SW conflicts...right).
License terms can be found at http://www.xupiter.com/terms.html. Frankly, I am scared to read them.
peptidbond
peptidbond I was crazy once....
HOW DOES Xupiter WORK?
We provide you with advertisements that match your interests to make your Internet experience more satisfying. We determine your interests by collecting information about what sites you visit on the Web. For example if you visit a travel Web site, we may present an advertisement that promotes the sale of airline tickets. These special offers and advertisements may be displayed using various browser enhancements and pop-up windows on Web sites you visit.
Standard Web log information and computer settings such as your IP addresses, browser type and versions, screen resolution, time zone selected and the version numbers of some of the software installed on your computer.
Information about Web sites you visit -- this information includes the Web sites address (URL), the amount of time spent at a Web site, and how you entered and exited a particular Web site.
By using the Xupiter software application we are able to create a profile that is used to select and deliver special offers and advertisements that we think might be of interest to you. This profile is stored on Xupiter servers and contains the following information:
Your Xupiter ID which is a numeric identifier that is generated by the Xupiter software application.
A historical record of content and advertisements delivered by Xupiter, and the response rate associated with the content and advertisements that was delivered to you through the Xupiter software application.
I think that qualifies as close enough to collecting personal information...
> Anyone know which P2P one it is?
Grokster.
I don't believe it's in the current distribution, but there's an awful lot of other unsolicited commercial software in it. Grokster and iMesh are competing for the 'most offensively spyware-laden app' prize.
At any given time there are a dozen or so security holes in Internet Explorer. Right now there are 19 security holes in the latest version of Internet Explorer, with all patches and service packs applied.
Wow. After my 15th or so run-in with Xupiter last week, I considered submitting this story to /. myself. Bah.
Anyhow, the best page for information and removals which I've found to date is at http://www.allentech.net/parasite/Xupiter.html
The removal info has worked every time, with the exception that on WinME it is usually possible to just drag the Xupiter folder into the Recycle Bin and delete it directly after a reboot.
Even aside from that, why the hell does IE do installations directly from a web page? That's beyond idiotic
So I guess you dislike mozilla too?
Hint: Google for xpinstall or go to mozdev and install a browser expansion - directroly from the web page.
Of course, even for those of us who *do* use different browsers, there are still programs which use IE as a browser automatically.
Check out this part of their license agreement:
(a) This Agreement constitutes the entire agreement between the parties concerning the subject matter hereof;(b) This Agreement and any dispute arising out of it shall be governed by the laws of Hungary; (c) Unless otherwise agreed in writing, all disputes relating to this Agreement (excepting any dispute relating to intellectual property rights) shall be subject to final and binding arbitration in the country of Hungary; (d) This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods; (e) If any provision in this Agreement should be held illegal or unenforceable by a court having jurisdiction, such provision shall be modified to the extent necessary to render it enforceable without losing its intent or severed from this Agreement if no such modification is possible, and other provisions of this Agreement shall remain in full force and effect; (f) A waiver by either party of any term or condition of this Agreement or any breach thereof, in any one instance, shall not waive such term or condition or any subsequent breach thereof; (g) The provisions of this Agreement that require or contemplate performance after the expiration or termination of this Agreement shall be enforceable notwithstanding said expiration or termination; (h) you may not assign or otherwise transfer by operation of law or otherwise this Agreement or any rights or obligations herein. (i) This Agreement shall be binding upon and shall inure to the benefit of the parties, their successors, and assigns; (j) Neither party shall be in default or be liable for any delay, failure in performance (excepting the obligation to pay), or interruption of service resulting directly or indirectly from any cause beyond its reasonable control.
Isn't that bloody well lovely?
Blog Prophyts - Right On, Man
So that's what this Xupiter thing is! I was visiting my family this weekend, and my sister asked me to fix her Win98 computer. IE was crashing every time she started it. I found this set of program files under this "Xupiter" directory and a bunch of load-on-startup registry items referencing them. Most of the files in this directory were locked by some running process, of course. Apparently, this Xupiter was not only self-installing but also Win98-unfriendly. And there was no uninstall program.
Restarted at DOS prompt to delete all the files. Regedit to remove every registry entry containing "Xupiter". After that, everything worked just fine, and I cranked up the security settings before I left.
Good judgment comes from experience.
Experience comes from bad judgment.
They treat it as a virus.
I followed this on friend's computer and it works.
http://vil.nai.com/vil/content/v_99904.htm
Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.
Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.
Automated installs are extremely useful - it's all a question of finding that balance between ease of use and ease of abuse.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
IE Toolbars are simple self-registering COM objects. That means that they are controlled by registry entries. If one gets installed, its a simple matter of deleting the associated registry entries to keep it from loading. IE looks in the following key for toolbars which it should load:
e t Explorer
HKEY_LOCAL_MACHINE
Software
Microsoft
Intern
Toolbar
{Your Band Object's CLSID GUID}
Find its CLSID and remove it. Also remove the object's COM registry entry by removing the following key:
HKEY_CLASSES_ROOT
CLSID
{Your Band Object's CLSID GUID}
Be careful though - the menu, address, links, radio, etc... toolbars are also controlled this way. Make sure you're deleting the right entries!
Unless there's some other program running in the background that re-establishes these keys, there isn't any way that IE can load the toolbar if these entries are not present.
Kelly
lexteq.com (we've done a few toolbars ourselves)
It's not a civil offence (like libel or breach of contract), it's a crime (like breaking & entering or theft). So you don't get sued by the victim if you break it; instead, you get prosecuted by the British government, and they certainly didn't agree to follow Hungarian law.
Besides,
(e) If any provision in this Agreement should be held illegal or unenforceable by a court having jurisdiction, such provision shall be modified to the extent necessary to render it enforceable without losing its intent or severed from this Agreement if no such modification is possible
and that's even if clickwrap licenses are binding in the UK (it hasn't been tested, but the prevailing opinion seems to be that it's unlikely).
nytimes.com gets around the mozilla blocking of new windows, somehow. I've never seen another site that does.
Scary license indeed... 5. Software Conflicts. Conflicts may occur with other software applications that may already be installed on your computer. The Xupiter software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible. This will make our software more reliable and provide you with products and services that are compatible with your current system settings. Specially love that 'will report back to our servers what applications may be running on your system'. You still think they don't collect data?
The article says that it is claimed that the user doesn't actually need to approve installation, in which case it's a virus. They then hedge to say that maybe you have to click "OK" on trickily-worded pop-up; if so, it's a trojan.
That's OK, I listened to a radio show about Slammer on the way in today. Their 'computer experts' explained that a virus is a program that destroys files on your hard drive, whereas a worm is one that replicates itself. They get paid pretty well for these appearances.
God, I need an iPod.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
...can be had here: http://www.doxdesk.com/parasite/Xupiter.html
You can to to their FAQ page which has a link to their uninstaller
'Course, it requires you to download and run another application from the same slimy people that gave you the spyware anyway. And yes, it IS spyware-Read their privacy policy-they freely admit it.
I cannot vouch for how well their uninstaller works because I was never infected (I use a Mac).
As an aside, I was just talking to my friend yesterday on the phone and he mumbled something like, "Xupiter? what the hell is this? This isn't my home page." (He uses a Gateway).
Veritas patesco per quaestio questio. Truth is revealed through questions.
The bastard site in question: http://www.free-game-zone.com/ I just happened to stumble upon the site randomly. It appears to be a spam site with little to no content, but they still annoy me.
Click Here to uninstall the application.
why they cant put an entry in add/remove control is beyond me... oh, I forgot, this is a sypware/trojan/worm/virus, it dosnt like to be uninstalled.
or try k-meleon (which, unlike mozilla/phoenix, is native to the OS)
kmeleon.sourceforge.net
from the EULA: " 5. Software Conflicts. Conflicts may occur with other software applications that may already be installed on your computer. The Xupiter software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible. This will make our software more reliable and provide you with products and services that are compatible with your current system settings. "
If I really wanted to be evil I could write a self installing applet to default IE to the goatse.cx page everytime it opened upon a vistor visiting my site with an earlier browser.
You don't need an applet. Someone on slashdot has already done this. See this slashdot post, which, if you click the link in the posting, takes your browser on a carefully crafted roller coaster of 302 Object Moved across several different servers, eventually leading you to either the correct (advertised) New York Times article, or to goatse.cx if you are using IE. See my four replies under the post that explain how this was done. Note that the first of my replies was moderated as Troll because I was warning people about a goatse link.
The price of freedom is eternal litigation.
Terms
- The Xupiter software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible
- Xupiter has included an auto update
... upgrades may include installation of third party applications
- To further enhance your media viewing experience, Xupiter reserves the right to run advertisements and promotions
- . Our software license requires that users browser start page be set to Xupiter.com
Privacy PolicySo yeah, basically the program will pop-up-ad slam you, give away your personal info, install crap software on your PC, and has the ability to change it's "terms" to allow it to do more behind your back.
How to remove Xupiter.
I like the fact that the Xupiter site can be used to find anti-Xupiter pages.
"Live Free or Die." Don't like it? Then keep out of the USA
to their credit, Xupiter's search engine returns the best quality squirrel porn I've ever seen. If you're going to make a comment like that, at least include a link!!
Xupiter claims to be based in Hungary. But it may not be.
First, Xupiter appears to be the same thing as Browserwise. The content of the two sites match, and you can download their malware from either site.
Whois for Browserwise yields:
Administrative Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 91413
United States
(818)229-5631
Technical Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 90413
United States
(818)229-5631
Domain servers in listed order:
NS1.CANDIDHOSTING.COM
NS2.CANDIDHOSTING.COM
A traceroute on Xupiter isn't particularly helpful, but a traceroute on Browserwise leads to "amateurpornhouse.com", hosted on the same server. The server is thus virtual hosted by name, but if you try it by IP address, you get Browserwise, so Browserwise is the main user of that server. "amateurpornouse" is thus either affiliated with Browserwise, or buys hosting from them.
Whois for "amateurpornhouse.com" yields:
SC Enterprises
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
Domain Name: AMATEURPORNHOUSE.COM
Administrative Contact:
Phucksum, Jeff webmaster@sexycouple.com
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
So we check Sexycouple's legal page, and find:
- Custodian of records for SC Enterprises: All records required to be maintained by 18 USC 2257 are kept by the custodian of records, Barry Levinson, 2810 South Rainbow Blvd. Las Vegas NV. 89146.
(Presumably this is not the well-known film director Barry Levinson.)Looking up "SC Enterprises" in Las Vegas, we get
134 Spinnaker Dr
Henderson, NV 89015-5639
Phone: (702) 558-8908
Also, DNS for Browserwise is provided by CandidHosting.com, next to the police station in Tampa, FL. They have to know who's behind this, so that's where to start with legal process.
That should be enough to get the lawyers started.
1. Use Mozilla.
2.Pull down Edit.
3.Select preferences.
4.Select advanced.
5.Select Scripts&plugins.
6. there are check boxes under "allow scripts to," uncheck them.
How ya like dat?
host xupiter.com
xupiter.com has address 63.236.32.50
mail is handled by mx1.xupiter.com
host mx1.xupiter.com
mx1.xupiter.com has address 63.236.50.196
whois -h whois.arin.net 63.236.32.50
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Internext Media, Inc. QWEST-JSV-INTERNEXT1 (NET-63-236-32-0-1)
63.236.32.0 - 63.236.32.63
whois -h whois.arin.net 63.236.50.196
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
63.236.0.0 - 63.236.127.255
Snapshot Productions LLC. QWEST-JSV-SNPSHTPR (NET-63-236-50-192-1)
63.236.50.192 - 63.236.50.223
so I added 63.236.32.0 - 63.236.32.63 and 63.236.50.192 - 63.236.50.223
to my firewall block list, and they shalt never trouble me henceforth.
Done! Next!
Uhm, getright asks if you want to install gator. Just click the No button instead of blindly hitting enter. Getright is a good program and it actually warns you about the advertising and gator during the install. Grrrr. Time to reinstall windows again huh? Makes me regret not advancing my plan of Worldwide fucktard cleansing sooner than I have.
Browserwise.com seems to be a totally different company, even the top level where the IP range is purchased from is different. Browserwise.com is hosted at the top level by Level 3 Communcations, while xupiter.com is hosted at the top level by Quest. I looked at both web sites (with Lynx! it's safe... ^_^) and the content does NOT seem to "match" to me.
Sorry but I think you just got carried away in your search and these two companies are not the same, or even related in anyway.
I was infected with the toolbar last week, and had to do a little stalking to cool down...
Xupiter.com's netblock is registered to:
CustName: Internext Media, Inc.
Address: 15445 Ventura Blvd., Suite 318 Sherman Oaks CA 91403
Country: US
RegDate: 2002-05-09
Updated: 2002-05-09
NetRange: 63.236.32.0 - 63.236.32.63
Some other interesting things registered there are:
WHOIS whois.dotster.com cashclicks.com:
Registrant:
Erika Online Inc.
15445 Ventura Blvd Suite 318
Sherman Oaks, ca 91403
United States
WHOIS whois.dotster.com nudelink.com:
Registrant:
Universal Net
15445 Ventura Blvd Suite 318
sherman oaks, ca 91403
United States
Registrar: DOTSTER
Domain Name: ABCSEARCH.COM
Registrant:
Internext Media Corp.
P.O. Box 260542
encino, ca 91426
United States
ABCSEARCH.COM is run by a gentleman by the name of Daniel Yomtobian. Do a search and you'll be amazed by the number of lawsuits against the guy for domain squatting.
Sounds like a contender to me.
I am rather suprised I don't see many people using proxies to deal with the "wild wild web" of spyware and malicious javascript/java/flash.
I have found a good combination is Proxomitron and JD5000 filterset. Both can be found here
http://home.satx.rr.com/jd5000/
It works with all browsers that support proxies (EG IE, Moz, Opera, Netscape) and best of all beside's ad blocking it does some rather cool features.
First filter I find handy is
Convert - Flash to Links.
Visit a site that has flash crap on it and it will say Flash removed/disabled. Next to it will be a option to turn on flash for the selected website only. This website URL will go into a blockfile named Allow - Flash.txt
Disable - Applet, Object, and Embed.
Now this is really damn handy as it will disable java applets, embedded crap and activeX objects, IE How Xupiter manages to get through.
If I need a site that has been verified by me that absolutely needs java or activex I can add it to the Allow - ActiveX blockfile.
THIS is basically how Proxomitron and JD5000 work's. It has a lot of features for security/ad blocking and more. Has also the usual filters to disable javascript or tame it down entirely, prevent nasty IE exploit's, etcetra.
To give everyone a idea at what exactly the filters the latest JD5000 update has, below are two pictures showing *ALL* the filters. First is the web page filters, second is the Browser Header filters. Filters that are in black are what I have turned on for day to day use.
Proxomitron's JD500 Web Filters (Jan 13th Release)
Proxomitron's JD500 Browser Header Filters (Jan 13th Release)
If configured right, Proxomitron+JD5000 can secure any browser a lot more, especially IE from all the nasties that rely on Activex to try and get through to your machine.
You must master your joystick like a fisherman masters bait! - Gimpy