
World's Most Annoying IE Toolbar

nautical9 writes "Following the same devious footsteps of the infamous Bonzi Buddy, Gator, and Comet Cursor "enhancements", Xupiter now has their own self-installing toolbar for IE. There are many claims that if you leave your security preferences at their default level, it will install itself without your express permission. And once on your system, it's gracious enough to reset your homepage to xupiter.com, forward all your searches to their search engine, download and automatically launch applications (like gambling applets), and block all attempts to set these back to normal. Removing it isn't trivial either - it automatically checks for updates upon reboot, where it constantly changes the registry settings it uses, making the jobs of spyware removal programs like AdAware or Spybot Search & Destroy much harder. No word yet if it collects and forwards personal data."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Thursday January 30, 2003 @10:06AM (#5188564)
    Make the lawyers do some good for once. We need a lobbying group for People With Common Sense, and crap like this shouldn't even be legal. If somebody performed a similar act of sabotage with another piece of personal property it'd be illegal. We need to be telling our representatives on C.H. that we're tired of this kind of crap. Sadly, our voice is fairly small. Most people don't know or care.
  • Question (Score:4, Interesting)

    by Mr_Silver ( 213637 ) on Thursday January 30, 2003 @10:11AM (#5188600)
    From the article:
    Xupiter is also being bundled along with at least one peer-to-peer file sharing program

    Anyone know which P2P one it is?
    (Mainly so I can avoid it.)

  • by eXtro ( 258933 ) on Thursday January 30, 2003 @10:11AM (#5188601) Homepage
    When I first started using IBM compatibles there were forms of software which would install themselves on your system and were written to evade removal as well as modify your system in ways that you may or may not have approved of. Writing these packages was considered bad, and propagating them was even considered illegal. These small applications were called viruses.

    If it looks like a duck and quacks like a duck then it's usually pretty safe to say that it's a duck. In this case all of these enhancements sound like viruses to me, or at least a derivative of a virus. Where viruses had to be cleverly coded in order to be as small as possible and avoid detection by a skilled hacker, these new pieces of code are large and increasingly rely on being able to remove software that would remove it.

    If you modify my system without me requesting it then you've installed a virus on my system. I should be able to call the FBI computer crimes division and get proceedings underway that result in you getting some nice free government accommodations.

  • We'll show them... (Score:4, Interesting)

    by quizwedge ( 324481 ) on Thursday January 30, 2003 @10:11AM (#5188603)
    Might be fun to slashdot the site for a while to, uh, "thank" them for their generous "gift"

    Also, site said to report any problems to help@xupiter.com. How many requests do you think they'll get about the toolbar? :)
  • Legal Action? (Score:3, Interesting)

    by ShwAsasin ( 120187 ) on Thursday January 30, 2003 @10:12AM (#5188617) Journal
    Could this be considered malicious? Is there any sort of legal action you could take against the company for installing the software (hacking your machine) without your permission?

    It's interesting, if a teenage computer wiz went on someone's website and changed the configuration and wrote let's say "riaa is ass" they'd be charged, why is this any different? If I hack (hypothetically) into Xupiter's site and alter it, am I released from any legal liability because they did it to my machine first? Sort of like a cyber self-defence?
  • A Temporary Fix... (Score:5, Interesting)

    by graphicartist82 ( 462767 ) on Thursday January 30, 2003 @10:15AM (#5188649)
    Would be to activate IE's "Disable 3rd Party Extensions" option (In IE6: Tools-> Internet Options-> Advanced -> 12th Option Under the "Browsing" section)..

    I was fixing somebody's computer that had this toolbar installed and it would crash IE every time you opened IE (Or tried browsing the web via windows explorer). But once I Disabled 3rd Party Browser Extensions, it worked fine...
  • Re:No it doesn't :) (Score:3, Interesting)

    by eXtro ( 258933 ) on Thursday January 30, 2003 @10:15AM (#5188662) Homepage
    I used Windows for about a year and found that occasionally something would install GatorWare (or however it is spelled). I narrowed down one instance to the software package that came with my RCA Lyra MP3 player but the source of others still eluded me. In the RCA case I had said "No, don't install GatorWare" but I still found myself the recipient of it.

    There is some mechanism where this crap gets installed and it might not be via Internet Explorer but I personally can't rule it out. When I moved to Mozilla I never had this problem any more.

  • by TheRaven64 ( 641858 ) on Thursday January 30, 2003 @10:18AM (#5188686) Journal
    In this country (UK) we have something called the 'Computer Misuse Act'. This is a very dull piece of legislation which says (among other things) that using someone's computer without their consent is illegal. Any program which runs on your computer without your explicit consent therefore violates this. If you click 'Okay', on the other hand...
  • Good thing (Score:2, Interesting)

    by Apreche ( 239272 ) on Thursday January 30, 2003 @10:29AM (#5188767) Homepage Journal
    I use Phoenix now, so why do I care? Besides, I'm not stupid enough to leave my security at the default level in IE. Which I use when I'm in windows and there's a weird page.

    If I had a lawyer, and I was a business, and this thing automatically installed itself on my computer without my permission, obviously it is doing something to get by my security. Which means it's hacking into my computer. Any company with a lawyer and a computer can sue these guys and get a nice sum with almost no effort.
  • monitoring kids (Score:2, Interesting)

    by swestcott ( 44407 ) on Thursday January 30, 2003 @10:30AM (#5188770) Homepage
    I recently spent half a day cleaning out several of these programs after hearing complaints from my kids about how slow the PC was when they were doing nothing more than reading e-mail. I was distressed to find 15 svchost processes running, using close to 100 M of memory. I then did a search for files with a recent time/date stamp and found several odd directories. After opening the files I was more disturbed to find a log of all the web sites they had visited and how long they were there.
    I will admit the main fault was mine for setting the OS (Windows 2000 in this case) with permissions to install apps (I was sick of logging in to install the Flash updates). It turns out that Bonzi Buddy includes in its ULA the right to install anything it wants whenever it wants. Now keep in mind a minor had agreed to this "contract". I have now reset the permissions on the OS and blocked these sites with my firewall.

  • This is not true (Score:4, Interesting)

    by TheRealFixer ( 552803 ) on Thursday January 30, 2003 @10:38AM (#5188832)
    My IE settings on one of my boxes were set at default, as they had never been changed. Browsing to some site (either Geocities or Tripod) evidently downloaded it and installed it. There was most definitely NO dialog box, or request to install. Literally, I came back to the machine, started IE, and there was a toolbar that wasn't there before. Freaked me out.

    AdAware found it, and tried to remove it, but not everything was deleted, as there were still at least 1 or 2 DLLs that were registered and running, that couldn't be deleted. Couldn't find the processes, either. Had to use regserv to get rid of them. This company is about the lowest of the low in my book.
  • by demon ( 1039 ) on Thursday January 30, 2003 @10:44AM (#5188871)

    Hm. Sounds suspiciously like a trojan horse to me. Doesn't anyone know the difference anymore?

    • A virus attaches itself to other executables, and propagates by having the executable it's attached to run. It can attach to most any executable, or some attach to the boot sector.
    • A worm uses networks to attack exploitable services, and propagates that way. It doesn't necessarily require human interaction to spread.
    • A trojan horse is a program that's designed to look legitimate, but has some ill intent. It propagates by people running it. It doesn't infect other executables, it depends on people passing it on.
  • Re:no it won't (Score:5, Interesting)

    by 0x0d0a ( 568518 ) on Thursday January 30, 2003 @10:49AM (#5188907) Journal
    It's not much different than if someone downloads a file to the desktop and decides to double-click on it.

    I'd argue that it is. First they have to see a (familiar) file-dialog box pop up. They aren't just hitting "OK" in a box -- they know that they are saving a file somewhere. Even novice users are generally pretty familiar with the file open/save dialog boxes. Second, they have to navigate to their desktop to save the file. Then they have to click "save", switch to Explorer, and then double-click the icon. Again, double-clicking is a fairly familiar action, and people are aware that yes, they are opening something. So we have many steps, including familiar steps that will tend to clue even a novice Windows user, rather than a single "OK".

    Ultimately, the user should read any warning message that pops up, whether it's from IE, your anti-virus software, or from your OS.

    Windows users are *inundated* by dialog boxes. Every time they delete a file. A whole slew of them when they install software. Four hours ago, my roommate was using a TV-viewing program that brought up a message box telling him that he'd "enabled option foo" each time he clicked a checkbox in the prefs dialog.

    In addition, Javascript can bring up message boxes (idiotically enough, this is enabled by default by MS). So most users (*especially* Internet Explorer users) run into a ton of message boxes while browsing. Yes, perhaps they should go through each dialog box and examine it, but that's very time-consuming. If you read through Apple's Human Interface Guidelines, you'll notice that the *vast* majority of rules for menus and modal dialogs are designed around one single goal -- letting the user *not* have to examine each dialog box once they're familiar with it or boxes in similar software. The point is that Windows users are sick and tired of dialog boxes, and *do not read them* in detail. And they shouldn't *have* to be screwed over if they skim or misread a box when simply web browsing. A Javascript should not be able to take malicious, destructive action just because someone clicked "OK" in one of a series of dialogs that a Javascript popped up. To set up IE to operate this way was irresponsible in the extreme by Microsoft.

  • FUI Dialogs? (Score:5, Interesting)

    by davetrainer ( 587868 ) <slashdot@dav3.14etrainer.com minus pi> on Thursday January 30, 2003 @10:56AM (#5188947)
    Healan said some installations probably occurred when people clicked "OK" in a pop-up box without really knowing what they had agreed to, or when they meant to close the pop-up window.

    Probably because the popup is a fake user interface dialog. How in God's name does even a novice user inadvertently grant permission for a software install when their original intent was to close the window? Or is it common knowledge these days that the X in the top right corner of a dialog box is synonymous with the OK button?

    Bonzi is being sued [slashdot.org] for this, and these scumbags deserve the same.

  • Re:Wrong (Score:2, Interesting)

    by The Black Dragon ( 636244 ) on Thursday January 30, 2003 @11:02AM (#5189000) Homepage
    One day, while surfing around at work, busy closing pop ups from annoying ad companies (yes, I know how to close a pop up, no I didn't click on the pop up) I opened a new browser window and found my normal blank window was replaced with a web page. I use XP at work and my security settings are higher than default. Had I installed something? No. Had I been to a bunch of sites without my permission because of pop up ads? Yes. Was something installed on my system that I hadn't authorized? Yes. I was pretty furious. First, I uninstalled the app using the uninstall program provided by the Xupiter website. Second, I restored my system using the restore tool that ships with XP. I think I've gotten rid of it, but that was 20 minutes of my workday that I needed to use researching things on the web that was taken up by this annoying app that should be illegal. Now, if you notice, I am running XP, not ME, not 2000, not 98, not 95, but XP. I also happen to have had ALL the most recent security patches and all the most recent IE upgrades on the most recent version of IE. Xupiter found some way to break into my system and install their spyware/adware without asking. Clearly, something has got to be done. Since then, I've increased my security settings and am not prompted EVERY time something that isn't pure HTML happens in my browser. It's pretty annoying, especially when using Yahoo to search since every page in Yahoo has Java on it.
  • by jobugeek ( 466084 ) on Thursday January 30, 2003 @11:03AM (#5189007) Homepage
    I went and looked at our web site stats and Xupiter comes in at number 4 in browsers.

    1) IE

    2) Netscape

    3) Mozilla

    4) Xupiter toolbar

  • Re:Wrong (Score:2, Interesting)

    by filekutter ( 617285 ) <filekutter0.lycos@com> on Thursday January 30, 2003 @11:10AM (#5189067) Journal
    I haven't noticed anyone saying whether or not Java was or wasn't enabled when they were infected with this krap...(don't have a lot of time yet to really peruse the forums) I use mozilla anyway, so not worried "much" yet. This is a malicious trojan in my view and more proof of the fact that Windows IS broken.
  • Re:no it won't (Score:3, Interesting)

    by ceejayoz ( 567949 ) <cj@ceejayoz.com> on Thursday January 30, 2003 @11:11AM (#5189077) Homepage Journal
    In addition, Javascript can bring up message boxes (idiotically enough, this is enabled by default by MS).

    Idiotically enough, this is enabled by default by just about every browser for every OS.

    A Javascript should not be able to take malicious, destructive action just because someone clicked "OK" in one of a series of dialogs that a Javascript popped up.

    It can't. You're mistaking "Install on Demand" (bad thing) for JavaScript alert()s.
  • by gabe ( 6734 ) on Thursday January 30, 2003 @11:17AM (#5189110) Homepage Journal

    a thirteen year old kid writes a virus that emails itself to everyone in your address book. he's found, caught, sentenced and tossed in jail.

    a company comes along and writes a piece of "software" that installs itself on your computer without your knowledge, changes your preferences, watches your every move and reports it back to the marketeers, and digs itself into your system so the only way to get it out is to reinstall your entire computer... (oops, by the way, now that you're using Microsoft products, you may just have to buy a new version due to licensing BS) ... and the worst that happens to the company is some negative press (which, as we all know, bad press is better than no press at all).

    so, why the hell isn't the FBI busting these peoples' door down and arresting them? what is the damn difference between what they do and what script kiddies do?

    Disclaimer: I am aware that I am exaggerating, are you?

  • by Nidhogg ( 161640 ) <shr.thanatosNO@SPAMgmail.com> on Thursday January 30, 2003 @11:19AM (#5189125) Journal
    I had a similar situation to that some months ago except it was a tad worse.

    One of my Citrix users in a remote branch managed to install Hotbar (I won't link to this particular piece of scumware) into her Outlook. What's amazing about this is that I have specifically locked them out of installing anything through policies but yet this little jewel managed to get through.

    To make things worse I first noticed it when I logged into the box from home and found that I had it. And so did the other 150 users.

    Talk about pissed. I punted everyone out of the system until I could manually go through every user's registry settings and nuke the little bastard which was the only way to get rid of it.
  • Strange practises (Score:3, Interesting)

    by Diabolical ( 2110 ) on Thursday January 30, 2003 @11:26AM (#5189176) Homepage
    This is the first paragraph of their EULA:

    IMPORTANT -- READ CAREFULLY: THIS END USER LICENSE AGREEMENT ("AGREEMENT") IS AN AGREEMENT BETWEEN Tempo Internet ("Xupiter") AND YOU (also referred to as "USER") FOR THE USE OF THE Xupiter SOFTWARE APPLICATION ("Xupiter Software"). YOU MUST ENTER INTO THIS AGREEMENT IN ORDER TO DOWNLOAD THE SOFTWARE AND USE THE RESULTING SERVICES. Xupiter RESERVES THE RIGHT TO CHANGE OR MODIFY THE TERMS AND CONDITIONS OF THIS LICENSE AND ANY OF THE POLICIES GOVERNING THE SERVICES AT ANY TIME IN ITS SOLE DISCRETION WITHOUT DIRECT NOTICE TO YOU. YOUR CONTINUED USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF ANY SUCH CHANGES. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS AGREEMENT, DO NOT INSTALL THE Xupiter SOFTWARE.

    It is pretty clear and I take it that they must be showing this before anyone can "use" their software considering the fact that they say that you *MUST* enter into that agreement.

    Isn't there a lawyer here that can explain this to me? Because "self installing" and "entering in an agreement" don't mix up very well I think.
  • Re:Sympathy (Score:4, Interesting)

    by Peer ( 137534 ) on Thursday January 30, 2003 @11:33AM (#5189226) Homepage
    Could we please not all switch to Mozilla. Otherwise it will become commercially interesting to target Mozilla users with this kind of crap.

  • Re:It's a monster (Score:5, Interesting)

    by Rich0 ( 548339 ) on Thursday January 30, 2003 @11:36AM (#5189245) Homepage
    My wife was unfortunate enough to "click through" and victimize herself with this thing.

    This is my biggest nightmare at home. I have XP Home Edition - so I figured I finally have a solution to this problem - just make everyone else who uses the system a "limited user" - they finally figured out what unix did 20 years ago.

    Nope - turns out half the software out there doesn't run without administrator access. And it isn't just lousy shareware junk either - try running MS Flight Simulator 2002 Professional as a "limited user". So now I need an admin account for the kids to play games - I set up the ground rules as being "don't web browse when logged into the games account", but of course there is no way to enforce that. I have Mozilla installed, so that at least is a start, but IE is still out there, and even with mozilla a computer-illiterate user can download a hostile .exe.

    My only solution is to backup reasonably often. Still, I don't backup everything - just data - since it would use gobs of media. So if somebody hoses my system I'll be reinstalling everything - and that is quite a bit of junk - hundreds of megabytes of it having been downloaded from the web (redownloading over a 26k modem link isn't fun either).

    If MS would at least code their software to not require admin access I'd be happy... Then again, maybe I should find an old PIII somewhere for the kids to play games on - of course it wouldn't have the GeForce III Ti accelerated graphics...
  • by jzaw ( 179823 ) on Thursday January 30, 2003 @11:47AM (#5189309)
    funny that .... Mac's and linux are immune to all these WindBlows tricksters - muhahaha

    its down to the Mac / Linux user mentality
    we simply wont put up with it
    so eventually no one continues to try to foist such things on us

    case in point . Netbarrier used to overwrite and patch something in the system in OS X
    so that once installed you couldnt then ever again use the built in ipfw for your firewalling/routing

    they changed their s/w after many many protests from users
    but back then they knew that their market for 3rd party Mac OS firewalling was dying
    built in ipfw and potentially free "IF-YOU-LIKE-WARE" BrickHouse gui config ....
    despite denials from them that it wasnt, it was actually their attempt to tie us into using their s/w grrr

    after an hour of trying to fix things ... i finally reformatted and restored from the backup
    i know of at least 10 other ppl who have done the same ... we just wont stand for it

    vote with your £'s and either buy other platforms or get linux is what i say

    sorry i know its not helpful if this thing has already auto installed itself
  • Re:Pretty easy fix (Score:2, Interesting)

    by cygnusx ( 193092 ) on Thursday January 30, 2003 @12:02PM (#5189419)
    As a lot of other posters in this thread have noted, Mozilla in the hand of lusers is no more invulnerable than IE is. And as for Opera -- well, at least IE *asks* (non-optional dialog) before re-setting my home page. Opera (6 *and* 7) doesn't.

    So much for the IE suXors argument.

  • by Hal-9001 ( 43188 ) on Thursday January 30, 2003 @12:26PM (#5189562) Homepage Journal
    The problem is that it seems that a number of people using IE with the default security settings were never prompted that this thing was trying to install itself on their machines. Admittedly, it's possible these people were prompted and simply don't remember, but if they weren't, then there is a problem with IE's default configuration.

    AFAIK, there is no record of any Mozilla extension installing itself without prompting the user first, and since most extensions are downloaded from centralized, trusted sources (basically just mozdev) there really isn't as much of a need to implement digital signatures. For that matter, this thing is apparently signed by Verisign, which means that IE's package signing system may be a security liability instead of a security benefit.
  • by runderwo ( 609077 ) <runderwoNO@SPAMmail.win.org> on Thursday January 30, 2003 @01:08PM (#5189782)
    In this country (UK) we have something called the 'Computer Misuse Act'. This is a very dull piece of legislation which says (among other things) that using someone's computer without their consent is illegal.
    Interesting; does this make spamming me on my own system illegal? After all, they are using my computer's memory and processor as a medium to deliver me their advertising message.
  • Re:Ouch.. (Score:1, Interesting)

    by Anonymous Coward on Thursday January 30, 2003 @01:19PM (#5189826)
    This is the bit that scares me:

    "Xupiter reserves the right to change or modify the terms and conditions of this license and any of the policies governing the services at any time in its sole discretion without direct notice to you. Your continued use of the software constitutes your acceptance of any such changes."

    You might suddenly find that you've agreed to let xupiter have all your money.
  • Re:no it won't (Score:3, Interesting)

    by Anonvmous Coward ( 589068 ) on Thursday January 30, 2003 @01:21PM (#5189836)
    "Let's see, we have the technically illiterate on one hand. These people fall prey *far* more to malicious remote-install links than they are benefitted by deliberately remote-installing software. Not benefit to IE's behavior there."

    Blame the dot-bombs for that. My company used to be one of those, and we made a plugin that you had to run a setup to install. Everybody who wanted to use our plugin barfed at that idea. They wanted it to auto-install, or they thought nobody'd ever use it. I'm dead serious.

    If that's any indication of the crap other web companies had to go through (Macromedia, for example) then it doesn't surprise me that IE works that way. I wish these people had more faith in the intelligence of their customers.
  • Re:no it won't (Score:5, Interesting)

    by Blkdeath ( 530393 ) on Thursday January 30, 2003 @02:16PM (#5190158) Homepage
    No, if you leave your security preferences at their default level, things like this will not install. That is clearly FUD. Even if you have your security preferences a notch lower, it will still prompt you to confirm installation.

    I've seen and removed this toolbar from at least a hundred machines by now, and even had machines myself on which it's become installed, and yes, it does install without my express permission. It will install as a piggy-back to another application, it will install on launch of another application, and it doesn't inform the user in the slightest.

    As for removing it, that's not terribly difficult in and of itself. Disable the toolbar in IE (View -> Toolbars -> Xupiter ... ), kill all running processes except for Explorer and Systray. Run regedit and search for 'Xupiter'. Remove all entries dedicated to the program, and the entries dedicated to the default homepage, search engine, etc. I merely change to http://www.msn.com/ and http://www.google.com/ respectively.

    For the record - I've personally witnessed software being installed on a Windows machine in real time (Win2kSP3, IE6SP1, all patches applied), with no permission dialogs appearing, let alone agreed to. (I've been in this business far too long to blindly hit "Ok"). I got a full-screen movie attempting to download (wasn't going to happen over the 56k modem) with no 'quit' option available (I had to resort to the task manager; Alt-F4, Alt-Tab, Alt-Esc, Ctrl-Esc were not responding), several icons on my desktop, and shortcuts to applications in my startup folder. I don't know if there was any further damage, or whether I prevented further damage by disconnecting from the Internet before the payload could download, but it was enough to unsettle me and send me screaming back to Mozilla.

    It not only can happen, it does happen, and it is most certainly not FUD. There is documentation of scripts/applets being downloaded and running from the "trusted" local zone which allows them pretty wide range of freedom over your system.

    Just because most Microsoft bashing is zealotry doesn't make it all false.

  • Re:no it won't (Score:3, Interesting)

    by MillionthMonkey ( 240664 ) on Thursday January 30, 2003 @02:18PM (#5190170)
    And all you had to do was go to
    http://www.xupiter.com/uninstall.html
    To uninstall It. ;)


    And give Xupiter explicit permission to install and run an ActiveX "uninstaller" on your machine? You'd have to be crazy. Just delete the Xupiter crap from Program Files, do a registry edit, delete the Xupiter keys, and be sure to also delete the registry entries for ActiveX controls whose CLSID numbers are referenced by them.

    My wife got hit by this. Just like everyone else, she has no idea how she got it since she never clicks OK or Yes on anything without calling me over first. I think what happened is that a popup came up with a fake system close box and a suppressed title bar. This is what happens when you visit free home pages and you're using IE.
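The manual cleanup described in the two comments above (search the registry for "Xupiter", then also remove the ActiveX CLSID entries those keys reference) can be sketched as a read-only audit over a regedit text export. This is an added example, not code from any commenter; the sample export, its GUIDs, DLL names and the `ExampleVendor` key are constructed placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample of a regedit text export. Every GUID, DLL name and the
# ExampleVendor key is a made-up placeholder, not a real Xupiter artifact.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.xupiter.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11111111-2222-3333-4444-555555555555}"="Xupiter"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Xupiter]
"HelperClsid"="{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\toolbar.dll"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\WINDOWS\\System32\\xyzhelper.dll"

[HKEY_CLASSES_ROOT\CLSID\{99999999-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\WINDOWS\\System32\\unrelated.dll"
'''

GUID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_reg_export(text):
    """Map each [key path] to the raw value lines listed under it.
    (Real exports are usually UTF-16; decode the file before calling this.)"""
    keys, current = OrderedDict(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, [])
        elif line and current is not None:
            keys[current].append(line)
    return keys


def find_direct_hits(keys, term):
    """Pass 1: keys whose path or values mention the term (a regedit search)."""
    term = term.lower()
    return [path for path, values in keys.items()
            if term in path.lower() or any(term in v.lower() for v in values)]


def referenced_clsids(keys, hit_paths):
    """Collect every GUID that appears in the pass-1 keys or their values."""
    found = set()
    for path in hit_paths:
        for blob in [path] + keys[path]:
            found.update(g.upper() for g in GUID_RE.findall(blob))
    return found


def find_clsid_keys(keys, clsids):
    """Pass 2: ...\\CLSID\\{guid}\\... keys for the collected GUIDs."""
    out = []
    for path in keys:
        parts = path.upper().split('\\')
        if 'CLSID' in parts:
            idx = parts.index('CLSID')
            if idx + 1 < len(parts) and parts[idx + 1] in clsids:
                out.append(path)
    return out


def cleanup_plan(text, term):
    """Report only; nothing is modified. 'indirect' lists the COM
    registrations that a plain text search for the term would miss."""
    keys = parse_reg_export(text)
    direct = find_direct_hits(keys, term)
    clsids = referenced_clsids(keys, direct)
    indirect = [p for p in find_clsid_keys(keys, clsids) if p not in direct]
    return {"direct": direct, "clsids": sorted(clsids), "indirect": indirect}


if __name__ == "__main__":
    plan = cleanup_plan(SAMPLE_EXPORT, "xupiter")
    for section in ("direct", "clsids", "indirect"):
        print(section.upper())
        for item in plan[section]:
            print("   ", item)
```

Direct hits on shared keys such as `Internet Explorer\Main` call for resetting the hijacked value rather than deleting the key; the indirect CLSID keys are the registrations whose DLL paths never mention the product name.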

  • Re:Wrong (Score:5, Interesting)

    by Blkdeath ( 530393 ) on Thursday January 30, 2003 @02:42PM (#5190291) Homepage
    Even if they copy everything off of your hard drive and send it to their own servers, according to most Slashdotters, that is only copyright infringement (not theft), provided they don't delete anything.

    This is why argument by analogy is so maligned here on Slashdot.

    The analogy you refer to is most likely the distribution (rights?) of RIAA and/or MPAA sanctioned materials, including music files and movies, correct?

    In order to download these, I do not need to violate any individual's privacy. Instead, I download (voluntarily) any number of freely available P2P applications and initiate transfers from people who have willingly configured their software packages to allow me access to a 'shared' portion of their own systems. These people populate this folder with files they have copied, downloaded, or created themselves. The source materials for these transfers were made available to the public by the aforementioned entities, so nobody had to violate their computer systems or physical locations to obtain the source.

    There is no subterfuge involved, nor is there any involuntary transfer of otherwise private materials. (Vis, the files, e-mail, and information stored therein on my home PC(s)).

    (Note that I am stating no position, pro or con, on the topic of P2P applications or their content, merely discussing your analogy. I don't want to open any further cans of worms).

    They are not threatening you, taking your money and/or valuables,
    ...
    IANAL, but if you sue them you might be able to pick up a keen $5000 fine. That figure doesn't include legal expenses, of course.

    IANAL either, but I do believe there is legal footing for such a case. The users' computers are made to operate in a manner in which they were not prepared, or willing to have it operate. Everything from the homepage being changed to software that alters the overall behaviour of the system to software of unknown quantity that opens potential security holes in the system.

    The other factor to consider is the costs associated with repairing the system which are quantifiable. For example, if I have to visit a company and purge six office workstations of this software, the company is looking at not only a lost afternoon's work, but also a bill from me for $60/hour for anywhere up to six full hours. That's assuming that a) there are only six infected machines, b) the software is not in any way self-replicating, c) the software is readily removed from the systems, and does not resurrect itself. The other thing I would have to do while on the premises is update all Windows installations (Windows Update) and all virus software and definitions as a preventative measure, thereby bringing the potential time per workstation up to the full hour mark, if not greater (dial-up would require either a long download, or a return to a broadband connection and CD burner to download the updates manually).

    Long story short, since there are quantifiable costs, lost productivity, and damages that can be attributed to software of this type, I do believe suit could be brought against the makers. Based on the installation methods, I do believe fraud charges could also be laid.

  • by crisco ( 4669 ) on Thursday January 30, 2003 @03:07PM (#5190425) Homepage
    WinXP, IE6, SP1, Baseline Security Advisor showing no issues.

    http://security.greymagic.com/misc/globalDgArg/ [greymagic.com] - I can display arbitrary files from my hard drive in the javascript dialog. Other exploits don't seem to work.

    http://sec.greymagic.com/adv/gm012-ie/vobjcache.asp [greymagic.com] - Clipboard exploit works, others fail.

    These are two near the top of the list that work, while they aren't remote code exploits they illustrate continuing security problems.

  • by exp(pi*sqrt(163)) ( 613870 ) on Thursday January 30, 2003 @03:11PM (#5190445) Journal
    An easy to use interactive log of what global state changes there have been. If a plugin has installed itself it should appear in the log. I should be able to click on the relevant line in the log and then uncheck a box to indicate I want it removed. As it is, if a state change happens, even one that I might have done myself, it can be hard to find the relevant menu options (not to mention DLLs snuck into directories) to undo it.
  • Re:Ouch.. (Score:3, Interesting)

    by Kaz Riprock ( 590115 ) on Thursday January 30, 2003 @04:26PM (#5190815)
    From the TOS:

    17. Acknowledgment of Agreement.
    I acknowledge and understand that downloading and using the Xupiter Licensed Software constitutes an acceptance of the terms and conditions of this End User License Agreement. I am over the age of 13, no one under the age of 13 can download this software. I further acknowledge and understand that refusing to accept these terms and conditions constitutes a rejection of the Xupiter Licensed Software.

    So, if I'm under 13 and it auto-installs on my machine, who do I get to sue?
  • Palladium (Score:2, Interesting)

    by bgins ( 446545 ) <bginsNO@SPAMhotmail.com> on Thursday January 30, 2003 @05:38PM (#5191470)
    At the risk of being (unfairly) pegged as flamebait:

    I think one of the stated purposes of Palladium aka Microsoft Trusted Computing is to give control such as whether something like this is installed back to the end user.
  • Re:For a while now (Score:3, Interesting)

    by Istealmymusic ( 573079 ) on Thursday January 30, 2003 @06:05PM (#5191720) Homepage Journal
    WTF would a filename suffix affect a browser? User agents are supposed to and generally do respect the Content-Type HTTP header; not guess the content based on four arbitrary characters at the end of the pathname. (Okay, IE doesn't do what it should.) Besides, the common usage of ASP is for Active Server Pages. Any specific cases you have to report? (For your information, newer versions of Mozilla have mouse gestures you may adapt to. In particular I'm using Galeon and it's pretty cool; you can configure gestures to be enabled when depressing the middle button or the right button, while not sacrificing the right-button context menu.)
  • Re:no it won't (Score:2, Interesting)

    by SnprBoB86 ( 576143 ) on Thursday January 30, 2003 @06:08PM (#5191741) Homepage
    Which is why I argue that all prompts that include potentially dangerous actions contain a safety.

    For example:
    When you want to cut a piece of wood with a saw, most modern saws require the pressing of two buttons at the same time. This prevents you from accidentally starting the blade.

    Why not take the same concept to computers?

    Turn the "OK" button into a "Close" button. Force users to check a box labeled "Yes, I would like to install this software". After checking the box the "Close" turns into a "Continue" button.

    Voila, unmeasurably more potential disasters are avoided.

    -SniperBoB-
  • Re:Prevention tactic (Score:1, Interesting)

    by Anonymous Coward on Thursday January 30, 2003 @11:28PM (#5193714)
    The locked file behavior was necessary for back-compat, and indeed you can not delete an open file through the explorer in NT. You can use 3rd party tools however, so it's possible.
