Number 250 - March 2004

The Drive-by Attack! (My personal experience and internet research)

by Jonathan Gerson, NTPCUG PC News, April 2003

Internet marketing companies are getting more obnoxious and unethical every day. The marketers have come up with some incredibly unethical, horribly annoying gimmicks.

The Surprise

A few months ago, I started up my internet browser on my home computer (I have a dial-up connection) and was surprised to find myself looking at a page I wasn't expecting. Nooo, it wasn't an adult site, but Xupiter.com. It is more insidious than any adult site. Xupiter.com bills itself as a helpful search engine, similar to Google, Yahoo and others, but it does the following: Adds links pointing to xupiter.com to your bookmarks.

When Xupiter.com replaced my homepage, naturally I manually changed the homepage back to what it was, but Xupiter doesn't give up easily. When I restarted the browser or performed other actions, it reverted back to Xupiter. Every time I tried to use the Address, Favorites or Search functions, I was unable to do so, and Xupiter.com reinstalled itself as my homepage again.

Xupiter consists of a hidden program file, a plugin and a sneaky, very well hidden ini or inf file, and makes changes to your system registry. The plugin allows Xupiter to call home for updates, and possibly report your search and browser use (thus it is also spyware).

The Installation

Why, you ask, would I have installed such a program? Well, here is the insidious part: I didn't. It was a "Drive-by!" Xupiter can be installed when you visit a web site or click on an advertising link. Applications that install in this manner are also referred to as "drive-by downloads." Xupiter is a browser plug-in that gets installed automatically on your computer when you visit certain web sites. There is no comprehensive list of dangerous web sites of which I am aware. A pop-up ad can also install Xupiter on your computer. Xupiter is downloaded to your computer as an ActiveX control. An ActiveX control is a small program or "applet" that lives on the Internet. It installs without your permission or knowledge.

Removal

OK, how do you get rid of this nasty program?

First confirm that you have Xupiter by Start > Run > msconfig (Note: this utility does not exist if you are using Windows 2000). Look under the startup tab and see if it is running. Unchecking the box will have no effect because Xupiter just reloads itself at boot. Going to Xupiter.com and using their uninstaller is also useless because all the uninstaller does is disable the toolbar, leaving the program intact and the spyware running. Are they nasty or what?!!

At the time, I was religiously running Lavasoft's Ad-aware version 5.83, a free program that removes spyware. It didn't see Xupiter. I then heard about and used Spybot 1.1 release 4 Search & Destroy by PepiMK Software, another free program (the programmer does take contributions) that removes spyware. It worked. It found all kinds of stuff (in addition to Xupiter) that Ad-aware 5.83 missed. Unlike Ad-aware, which doesn't give you any information about what it finds on your PC, Spybot provides you with a clear list of everything it's discovered. Simply mouse over any item on the list, and you can find out where it came from, what it does, and what Spybot recommends you do--keep it or destroy it. You control what to remove. It also has a spyware update capability like the better anti-virus programs have. Of course, both Spybot and anti-virus programs are needed to provide good protection.

Since then, Ad-aware 6.0 came out. When I ran this new Ad-aware version, it had a lot of the bells and whistles that Spybot had, including spyware updating and the choice of what to keep, save or destroy. It found more pieces of Xupiter in my registry that Spybot missed after I thought Spybot had flushed my computer of that !%#@$ program. I now use Ad-aware 6 as my main spyware removal program. I run it every time I finish using the internet.

Drive-by Download Prevention
OK, how do I prevent a drive-by download in the first place? Security settings are a matter of personal choice, but on the IE menu bar, under Tools > Internet Options, on the Security tab (with Medium security selected for the Internet zone), click the Custom Level button and change your ActiveX settings to: ActiveX controls and plug-ins... prompt, prompt, enable or prompt, enable, enable. If you were to set everything to prompt, IE would ask all the time whether you will allow this or that and drive you crazy. Then go down to your Java settings and set them to "high safety". Those are not the only security settings a user should make "as a matter of choice", but they should keep you from getting the Xupiter curse unless you accept a popup download, and then it's your fault.

Please note, do not rely on your network firewall if you have one. A co-worker at my office was hit by Xupiter about a month after me, and we have a pretty hefty firewall running there.

What is Hijackware?

Hijackware (e.g., Xupiter, Gator, Comet Cursor, Bonzi Buddy, Go Hip) places adverts from the software over the adverts on a site, robbing the site creators of revenue and taking away all control over who gets advertised to their customers. For instance, if the webpage had an ad for shoes, the hijackware would replace that ad with another company's ad for shoes or something else. If the web user clicks on the hijacker ad, instead of the website getting credit (read money) and the web user being sent to the legitimate webpage, the web user is sent (read hijacked) to the hijacker's paid sponsor's site. The revenue the original web site would have received is lost, and the legitimate advertiser loses a potential customer. This latest evolution looks to be capable of actually destroying many web sites. These programs are in widespread use among internet users.

What is Spyware?

Spyware is internet jargon for Advertising Supported software (adware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don't have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them by paying the regular licensing fee.

Why is it called "Spyware"?

Most (not all) advertising companies also install additional tracking software on your system, which is continuously "calling home," using your internet connection, and reports statistical data to the "mothership". While, according to the privacy policies of the companies, there will be no sensitive or identifying data collected from your system and you shall remain anonymous, the fact remains that you have a "live" server sitting on your PC that is sending information about you and your surfing habits to a remote location.

Is Spyware illegal?

Even though the name may indicate so, "spyware" is not an illegal type of software in any way. However, there are certain issues that a privacy-oriented user may object to and therefore prefer not to use the product. This usually involves the tracking and sending of data and statistics via a server installed on the user's PC and the use of your Internet connection in the background.

What's the hype about?

While legitimate "adware" companies will disclose the nature of data that is collected and transmitted in their privacy statement, there is almost no way for the user to actually control what data is being sent. The fact is that the technology is, in theory, capable of sending much more than just banner statistics--and this is why many people feel uncomfortable with the idea.

On the other hand...

Millions of people are using advertising supported "spyware" products and could not care less about the privacy hype; in fact, some "spyware" programs are among the most popular downloads on the Internet. Be aware that some of these "adware" programs will not work if the "spy" portion of the program is removed.

To quote an old TV police program: "Let's be careful out there."

Spyware Search and Destroy. http://security.kolla.de/. This free program detects and removes spyware of different kinds from your computer.
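
An added example, not part of the original article: the removal and prevention steps above come down to inspecting three places, the IE home page, the startup entries of the kind msconfig lists, and the Internet-zone ActiveX settings. This Python script audits all three from `reg export` text; the sample export, the `ExampleToolbar` entry, the allowlist, and the use of zone actions 1001 and 1004 are assumptions made for illustration, not details from the article.

```python
import re
# Constructed sample in `reg export` text format (not taken from the article).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.xupiter.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleToolbar"="C:\\Program Files\\ExampleToolbar\\tb.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
'''

ZONE_ACTIONS = {"1001": "Download signed ActiveX controls",    # zone 3 = Internet
                "1004": "Download unsigned ActiveX controls"}

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # key headers, blank lines, hex continuation lines
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
    return keys

def audit(text, expected_home, allowed_startup):
    """Flag a changed home page, unknown startup entries, silent ActiveX installs."""
    findings = []
    for path, values in parse_reg(text).items():
        p = path.lower()
        if p.endswith(r"\internet explorer\main"):
            home = values.get("Start Page")
            if home is not None and home != expected_home:
                findings.append(("homepage", home))
        elif p.endswith(r"\currentversion\run"):
            findings += [("startup", n) for n in values if n.lower() not in allowed_startup]
        elif p.endswith(r"\internet settings\zones\3"):
            findings += [("activex", label) for a, label in ZONE_ACTIONS.items()
                         if values.get(a) == 0]  # 0 = enable, 1 = prompt, 3 = disable
    return findings
```

Real `reg export` files are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `audit`.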