Slashdot Mirror


World's Most Annoying IE Toolbar

nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and blocks all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."

30 of 817 comments

  1. no it won't by rnd() · · Score: 5, Informative

    No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.

    People get into the habit of clicking "OK" whenever something pops up. Next thing they know, they have Gator and all sorts of junk installed.

    --

    Amazing magic tricks

  2. No it doesn't :) by Fnagaton · · Score: 5, Informative

    I've got default security settings and while it certainly displayed a few popups nothing else got installed. If however the user clicks 'OK' to things being installed without checking what they really do first then you get what you expect. :) Rule of thumb: Never install anything while browsing when it pops up and says "Hi install me for extra wizzy things!!!".

    --
    Martin Piper
    Owner - ReplicaNet and RNLobby
    1. Re:No it doesn't :) by Col. Panic · · Score: 5, Informative

      If you are running IE, click Tools, Internet Options, select the Content tab, click Publishers and make sure nothing is in the list. If you have anything there, that company can automatically install apps via your browser without asking.

  3. Simple tip for IE users by Boss, Pointy Haired · · Score: 4, Informative

    Here's an alternative way to use the Security Zones of Internet Explorer to protect you from crap like this.

    First, set the "Trusted Sites" zone to the "MEDIUM" level.

    THIS MAKES YOUR TRUSTED SITES ZONE THE SAME AS THE NORMAL INTERNET ZONE.

    (People seem to flame this idea as a security risk without understanding that last bit)

    Then, modify the "Internet Zone" and disable Active Scripting.

    Finally, add all your favourite sites to the "Trusted Sites" zone.

    You can now enjoy the full functionality of JavaScript etc. on your frequently visited sites including the usual protection of the Internet Zone.

    Any site not in the Trusted Sites list cannot use JavaScript and so prevents pop-ups and other nasties such as self-installing spyware.

  4. Auto-Install by Foxxz · · Score: 4, Informative

    I did get this toolbar without clicking yes to anything. I wasn't on xupiter's website. I was browsing and after I was done I closed explorer. When I opened it back up later there was the tool bar. I still don't know where I got it. It took me a while to figure out who it belonged to and how to rid myself of it. I flamed away afterwards.

    -Foxxz

  5. Automatic downloads by Lumpish Scholar · · Score: 4, Informative

    On my Windows 98 SE box, I now browse with Phoenix almost all the time. I've discovered, though, that some browser downloads Internet Explorer asks me about, Phoenix installs automatically. (Phoenix seems a little too promiscuous about accepting Java, and doesn't remove .class files when it flushes the cache. Check the %WINDIR%/.jpi_cache/ directory structure.)

    It's the kind of thing you might expect from a 0.5 release; unfortunately, it's not the kind of thing you should only expect from Microsoft.

    --
    Stupid job ads, weird spam, occasional insight at
  6. Detected by Norton Internet Security by bfwebster · · Score: 4, Informative
    My first clue about Xupiter was last night when my NIS alerted me that something called XupiterToolbar was trying to access the net. I blocked it, did a google search on Xupiter, found Spybot S&D, downloaded it, ran it, and found a whole slew of spyware, which I purged.

    Time to recheck my security settings. ..bruce..

    --
    Bruce F. Webster (brucefwebster.com)
  7. Re:*groan* by dslpwr · · Score: 3, Informative

    *duh* I DIDN'T install it. It happily installed itself, and no, I didn't just mindlessly click through everything that popped up on my screen. It hijacked IE, and I couldn't kill it until I installed Spybot.

    --
    www.robot-invasion.com smart-assed political news, humor, and commentary
  8. Re:This is old news by jbf · · Score: 4, Informative

    RTFA: many people find the uninstaller doesn't work. And do you really trust that the uninstaller will remove any spyware they may leave behind? I mean, such a company must have incredibly high moral standards. They wouldn't do anything like leave behind spyware like Kazaa...

  9. Complete uninstall? by dachshund · · Score: 5, Informative
    > Xupiter has been around for a while. And it's NOT hard to get rid of: http://www.xupiter.com/uninstall That's it. Way to overreact guys.

    I don't know about this week's version of the uninstaller, but previous versions were nice enough to leave behind big chunks of the program. Still running. Sort of the way a tick will leave its head behind if you yank it out with tweezers.

    This is a pretty common and ugly tactic among spyware developers.

  10. It's a monster by rudog · · Score: 5, Informative

    My wife was unfortunate enough to "click through" and victimize herself with this thing. I happened to notice 20-30 different sessions being generated every few minutes through our firewall and started tcpdump to find out what was happening.

    After finding that it did indeed have my wife's credit card number/home address/phone number I asked her what she used it for; She said that she didn't know where it came from but that it was causing her laptop to crash about every ten minutes ever since it added itself to her IE toolbar.

    I then spent about 3.5 hours hacking the WinME registry trying to peel this thing out of her laptop because its 'uninstall' doesn't!

    1. Re:It's a monster by liquidsin · · Score: 4, Informative

      You could probably remove the modem from the 'games' account hardware profile. At least that way they'd have to go into the hardware profiles and re-add it, so it kills the "I'm too lazy to logout of this acct and log back in to surf the web". Just a thought...

      --
      do not read this line twice.
  11. Wrong by Tuxinatorium · · Score: 5, Informative

    In earlier versions of IE for windows (like the ones that come bundled with windows 98 or ME and maybe 2000) there is a very well-known security flaw that allows malicious code on a website to make the computer download and execute arbitrary files without confirmation from the user. Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves. But that's how spamware trojans like Xupiter often spread.

    And anyway, isn't that the digital equivalent of mugging and rape? I mean they either install the thing on your computer without permission and it totally fucks with everything, or they trick you into installing it by outright lying about it and not telling you what a piece of shit spamware/spyware TROJAN HORSE it is. Couldn't they easily be sued for fraud and/or hacking people's computers?

  12. Re:Misplaced blame by Strike · · Score: 3, Informative

    La la la la exploit, la la la la description of exploit, la la la la list of many other unpatched IE holes, some are over a year old. This one in particular is over 4 months old.

  13. Re:Question by Bob Ince · · Score: 4, Informative

    > Anyone know which P2P one it is?

    Grokster.

    I don't believe it's in the current distribution, but there's an awful lot of other unsolicited commercial software in it. Grokster and iMesh are competing for the 'most offensively spyware-laden app' prize.

  14. Re:Pretty easy fix by JimDabell · · Score: 4, Informative
    If you're using IE, you're running a piece of software *on your machine* which is advertising and providing the ability for a web page to basically screw your system up. If precisely this happens...well, you should have tried another browser. :-)

    At any given time there are a dozen or so security holes in Internet Explorer. Right now there are 19 security holes in the latest version of Internet Explorer, with all patches and service packs applied.

  15. Xupiter is the Devil by Syn404 · · Score: 3, Informative

    Wow. After my 15th or so run-in with Xupiter last week, I considered submitting this story to /. myself. Bah.

    Anyhow, the best page for information and removals which I've found to date is at http://www.allentech.net/parasite/Xupiter.html

    The removal info has worked every time, with the exception that on WinME it is usually possible to just drag the Xupiter folder into the Recycle Bin and delete it directly after a reboot.

  16. Re:no it won't by platypus · · Score: 4, Informative

    > Even aside from that, why the hell does IE do installations directly from a web page? That's beyond idiotic

    So I guess you dislike mozilla too?

    Hint: Google for xpinstall or go to mozdev and install a browser expansion - directly from the web page.

  17. Ah hah! by Dannon · · Score: 4, Informative

    So that's what this Xupiter thing is! I was visiting my family this weekend, and my sister asked me to fix her Win98 computer. IE was crashing every time she started it. I found this set of program files under this "Xupiter" directory and a bunch of load-on-startup registry items referencing them. Most of the files in this directory were locked by some running process, of course. Apparently, this Xupiter was not only self-installing but also Win98-unfriendly. And there was no uninstall program.

    Restarted at DOS prompt to delete all the files. Regedit to remove every registry entry containing "Xupiter". After that, everything worked just fine, and I cranked up the security settings before I left.

    --
    Good judgment comes from experience.
    Experience comes from bad judgment.
  18. McAfee's Xupiter Removal Instructions by Wolfier · · Score: 5, Informative

    They treat it as a virus.
    I followed this on a friend's computer and it works.

    http://vil.nai.com/vil/content/v_99904.htm

  19. Basic protections ... by tjwhaynes · · Score: 5, Informative

    > Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.

    Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.

    Automated installs are extremely useful - it's all a question of finding that balance between ease of use and ease of abuse.

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
    1. Re:Basic protections ... by frleong · · Score: 4, Informative
      > Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.
      All of these are also available in IE. You can choose to disable downloading ANY ActiveX control (signed or not) and you'll be fine. That's what I do, after I installed the ActiveX controls I want: QuickTime and Flash.

      The basic problem is that it is easy and tempting to press "Yes" to every dialog, whether it is Mozilla or IE.

  20. More information and removal instructions... by timothyf · · Score: 3, Informative
  21. Re:THANKS by Anonym0us Cow Herd · · Score: 4, Informative

    > If I really wanted to be evil I could write a self installing applet to default IE to the goatse.cx page every time it opened upon a visitor visiting my site with an earlier browser.

    You don't need an applet. Someone on slashdot has already done this. See this slashdot post, which, if you click the link in the posting, takes your browser on a carefully crafted roller coaster of 302 Object Moved across several different servers, eventually leading you to either the correct (advertised) New York Times article, or to goatse.cx if you are using IE. See my four replies under the post that explain how this was done. Note that the first of my replies was moderated as Troll because I was warning people about a goatse link.

    --
    The price of freedom is eternal litigation.
  22. A few questions answered: by phorm · · Score: 4, Informative
    From their "terms" and "privacy policy"

    Terms
    • The Xupiter software will report back to our servers what applications may be running on your system and will resolve these conflicts whenever possible
    • Xupiter has included an auto update ... upgrades may include installation of third party applications
    • To further enhance your media viewing experience, Xupiter reserves the right to run advertisements and promotions
    • Our software license requires that users browser start page be set to Xupiter.com
    Privacy Policy
    • Members agree to review this Privacy Policy from time to time for changes and updates


    So yeah, basically the program will pop-up-ad slam you, give away your personal info, install crap software on your PC, and has the ability to change its "terms" to allow it to do more behind your back.
  23. Re:My searches by malarkey · · Score: 3, Informative

    > to their credit, Xupiter's search engine returns the best quality squirrel porn I've ever seen.

    If you're going to make a comment like that, at least include a link!!

  24. Going after Xupiter by Animats · · Score: 5, Informative
    Let's see what we can find.

    Xupiter claims to be based in Hungary. But it may not be.

    First, Xupiter appears to be the same thing as Browserwise. The content of the two sites match, and you can download their malware from either site.

    Whois for Browserwise yields:

    • BROWSERWISE.COM

    • Administrative Contact: Inc., Browserwise, admin@browserwise.com
      Browserwise, Inc
      15445 Ventura Blvd
      Sherman Oaks, California 91413
      United States
      (818)229-5631
      Technical Contact: Inc., Browserwise, admin@browserwise.com
      Browserwise, Inc
      15445 Ventura Blvd
      Sherman Oaks, California 90413
      United States
      (818)229-5631
      Domain servers in listed order:
      NS1.CANDIDHOSTING.COM
      NS2.CANDIDHOSTING.COM

    A traceroute on Xupiter isn't particularly helpful, but a traceroute on Browserwise leads to "amateurpornhouse.com", hosted on the same server. The server is thus virtual hosted by name, but if you try it by IP address, you get Browserwise, so Browserwise is the main user of that server. "amateurpornhouse" is thus either affiliated with Browserwise, or buys hosting from them.

    Whois for "amateurpornhouse.com" yields:

    • Registrant:

    • SC Enterprises
      P.O. Box 91114
      Henderson, NV 89009
      US
      (702) 224-7750

      Domain Name: AMATEURPORNHOUSE.COM

      Administrative Contact:
      Phucksum, Jeff webmaster@sexycouple.com
      P.O. Box 91114
      Henderson, NV 89009
      US
      (702) 224-7750

    So we check Sexycouple's legal page, and find:

    • Custodian of records for SC Enterprises: All records required to be maintained by 18 USC 2257 are kept by the custodian of records, Barry Levinson, 2810 South Rainbow Blvd. Las Vegas NV. 89146.
    (Presumably this is not the well-known film director Barry Levinson.)

    Looking up "SC Enterprises" in Las Vegas, we get

    • SC Enterprises

    • 134 Spinnaker Dr
      Henderson, NV 89015-5639
      Phone: (702) 558-8908

    Also, DNS for Browserwise is provided by CandidHosting.com, next to the police station in Tampa, FL. They have to know who's behind this, so that's where to start with legal process.

    That should be enough to get the lawyers started.

  25. Re:no it won't by macdaddy357 · · Score: 3, Informative

    1. Use Mozilla.
    2. Pull down Edit.
    3. Select preferences.
    4. Select advanced.
    5. Select Scripts & plugins.
    6. There are check boxes under "allow scripts to," uncheck them.

    --
    How ya like dat?
  26. Done! by mark_space2001 · · Score: 3, Informative

    host xupiter.com
    xupiter.com has address 63.236.32.50
    mail is handled by mx1.xupiter.com

    host mx1.xupiter.com
    mx1.xupiter.com has address 63.236.50.196

    whois -h whois.arin.net 63.236.32.50
    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
    63.236.0.0 - 63.236.127.255
    Internext Media, Inc. QWEST-JSV-INTERNEXT1 (NET-63-236-32-0-1)
    63.236.32.0 - 63.236.32.63

    whois -h whois.arin.net 63.236.50.196
    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    Qwest Cybercenters QWEST-CYBERCENTER (NET-63-236-0-0-2)
    63.236.0.0 - 63.236.127.255
    Snapshot Productions LLC. QWEST-JSV-SNPSHTPR (NET-63-236-50-192-1)
    63.236.50.192 - 63.236.50.223

    so I added 63.236.32.0 - 63.236.32.63 and 63.236.50.192 - 63.236.50.223
    to my firewall block list, and they shalt never trouble me henceforth.

    Done! Next!
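
The range-to-blocklist step described in the comment above, as an added example that is not part of the original post: it takes the "start - end" lines from the quoted whois output, picks the smallest allocation containing each resolved host, and converts it to CIDR so the rule covers only the customer block and not Qwest's parent ranges. The function names are assumptions made for this illustration.

```python
import ipaddress
import re

# "start - end" lines copied from the whois output in the comment, keyed by
# the address that `host` returned for xupiter.com and mx1.xupiter.com.
WHOIS_RANGES = {
    "63.236.32.50": [
        "63.236.0.0 - 63.239.255.255",
        "63.236.0.0 - 63.236.127.255",
        "63.236.32.0 - 63.236.32.63",
    ],
    "63.236.50.196": [
        "63.236.0.0 - 63.239.255.255",
        "63.236.0.0 - 63.236.127.255",
        "63.236.50.192 - 63.236.50.223",
    ],
}

RANGE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s*-\s*(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_range(line):
    """Parse one 'a.b.c.d - e.f.g.h' whois line into (first, last)."""
    m = RANGE_RE.match(line)
    if not m:
        raise ValueError(f"not a range line: {line!r}")
    first, last = (ipaddress.IPv4Address(g) for g in m.groups())
    if first > last:
        raise ValueError(f"range is reversed: {line!r}")
    return first, last

def most_specific(host, lines):
    """Return the smallest listed range that actually contains host."""
    ip = ipaddress.IPv4Address(host)
    hits = [r for r in map(parse_range, lines) if r[0] <= ip <= r[1]]
    if not hits:
        raise ValueError(f"{host} is not inside any listed range")
    return min(hits, key=lambda r: int(r[1]) - int(r[0]))

def blocklist(whois_ranges):
    """CIDR networks covering only the most specific allocation per host."""
    nets = []
    for host, lines in whois_ranges.items():
        first, last = most_specific(host, lines)
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def is_blocked(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

if __name__ == "__main__":
    for net in blocklist(WHOIS_RANGES):
        print(net)
```
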

  27. I think you're wrong... by mark_space2001 · · Score: 3, Informative
    I have a previous post with xupiter.com's IP info, for those of you who want to block them.

    Browserwise.com seems to be a totally different company, even the top level where the IP range is purchased from is different. Browserwise.com is hosted at the top level by Level 3 Communications, while xupiter.com is hosted at the top level by Qwest. I looked at both web sites (with Lynx! it's safe... ^_^) and the content does NOT seem to "match" to me.

    Sorry but I think you just got carried away in your search and these two companies are not the same, or even related in any way.