World's Most Annoying IE Toolbar
nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and block all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."
No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.
People get into the habit of clicking "OK" whenever something pops up. Next thing they know, they have Gator and all sorts of junk installed.
Amazing magic tricks
I've got default security settings and while it certainly displayed a few popups nothing else got installed. If however the user clicks 'OK' to things being installed without checking what they really do first then you get what you expect. :)
Rule of thumb: Never install anything while browsing when it pops up and says "Hi install me for extra wizzy things!!!".
Martin Piper
Owner - ReplicaNet and RNLobby
I don't know about this week's version of the uninstaller, but previous versions were nice enough to leave behind big chunks of the program. Still running. Sort of the way a tick will leave its head behind if you yank it out with tweezers.
This is a pretty common and ugly tactic among spyware developers.
My wife was unfortunate enough to "click through" and victimize herself with this thing. I happened to notice 20-30 different sessions being generated every few minutes through our firewall and started tcpdump to find out what was happening.
After finding that it did indeed have my wife's credit card number/home address/phone number I asked her what she used it for; she said that she didn't know where it came from but that it was causing her laptop to crash about every ten minutes ever since it added itself to her IE toolbar.
I then spent about 3.5 hours hacking the WinME registry trying to peel this thing out of her laptop because its 'uninstall' doesn't!
In earlier versions of IE for Windows (like the ones that come bundled with Windows 98 or ME and maybe 2000) there is a very well-known security flaw that allows malicious code on a website to make the computer download and execute arbitrary files without confirmation from the user. Most people are too stupid to download the updates to fix that vulnerability, so they should blame themselves. But that's how spamware trojans like Xupiter often spread.
And anyway, isn't that the digital equivalent of mugging and rape? I mean they either install the thing on your computer without permission and it totally fucks with everything, or they trick you into installing it by outright lying about it and not telling you what a piece of shit spamware/spyware TROJAN HORSE it is. Couldn't they easily be sued for fraud and/or hacking people's computers?
Repeal the DMCA!
They treat it as a virus.
I followed this on a friend's computer and it works.
http://vil.nai.com/vil/content/v_99904.htm
Hate to break it to you, but Mozilla does do automated installs from web pages. Just head on over to MozDev [mozdev.org] and see for yourself. Many projects, such as OptiMoz and Spellchecker, have automated install links right on the page.
Which only work if a) you actually have software installation enabled in your preferences, b) have write access to the location where mozilla is installed and c) will prompt you BEFORE it installs the software, giving the web server and the package being installed.
Automated installs are extremely useful - it's all a question of finding that balance between ease of use and ease of abuse.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Xupiter claims to be based in Hungary. But it may not be.
First, Xupiter appears to be the same thing as Browserwise. The content of the two sites match, and you can download their malware from either site.
Whois for Browserwise yields:
Administrative Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 91413
United States
(818)229-5631
Technical Contact: Inc., Browserwise, admin@browserwise.com
Browserwise, Inc
15445 Ventura Blvd
Sherman Oaks, California 90413
United States
(818)229-5631
Domain servers in listed order:
NS1.CANDIDHOSTING.COM
NS2.CANDIDHOSTING.COM
A traceroute on Xupiter isn't particularly helpful, but a traceroute on Browserwise leads to "amateurpornhouse.com", hosted on the same server. The server is thus virtual hosted by name, but if you try it by IP address, you get Browserwise, so Browserwise is the main user of that server. "amateurpornhouse" is thus either affiliated with Browserwise, or buys hosting from them.
Whois for "amateurpornhouse.com" yields:
SC Enterprises
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
Domain Name: AMATEURPORNHOUSE.COM
Administrative Contact:
Phucksum, Jeff webmaster@sexycouple.com
P.O. Box 91114
Henderson, NV 89009
US
(702) 224-7750
So we check Sexycouple's legal page, and find:
- Custodian of records for SC Enterprises: All records required to be maintained by 18 USC 2257 are kept by the custodian of records, Barry Levinson, 2810 South Rainbow Blvd. Las Vegas NV. 89146.
(Presumably this is not the well-known film director Barry Levinson.)
Looking up "SC Enterprises" in Las Vegas, we get
134 Spinnaker Dr
Henderson, NV 89015-5639
Phone: (702) 558-8908
Also, DNS for Browserwise is provided by CandidHosting.com, next to the police station in Tampa, FL. They have to know who's behind this, so that's where to start with legal process.
That should be enough to get the lawyers started.