Lauren Casper
Daniel Yomtobian, the alleged creator of the 2003 Xupiter spyware infection, is an Internet businessman with questionable wealth claims.
Wired Magazine quoted Xupiter as “the most evil thing on the Internet.” In 2003, it hijacked the Internet, breaking machines and infuriating users to generate advertising revenue.
The infection enraged users to such an extent that one exclaimed, “When I find the bastards who programmed this thing, I’d be happy to castrate them with a pair of dull pinking shears.”
Ben Edelman, a Harvard-trained spyware expert, reported that a frivolous cease-and-desist order bullied a couple of researchers into taking down their scathing critique of Daniel’s career just as he was reemerging as a legitimate player in the Internet business.
webdefenders-jun06**********
Daniel Yomtobian, who reportedly made quite a pretty penny from this terrible software, has since gone on to run a legitimate search marketing business and now speaks at industry conferences. Those of us who had our machines taken over by Xupiter will never forget the man he once was.
As reported on Threats Against Spyware Detectors, Removers, and Critics, Webdefenders.net recently received a cease-and-desist letter ordering the removal of certain Webdefenders research on Daniel Yomtobian’s practices.
Webdefenders staff subsequently posted a note indicating that they were complying with that letter and removing the research because they lacked the resources to defend against the threat.
I had reviewed the research at issue before it was removed, and I considered it impressive, detailed, and useful work — properly citing its sources to persuade me of its accuracy. To keep the core of Webdefenders’ findings available to the public, I summarize them here. At present, the original article is also available through Google Cache.
Webdefenders begins with a summary of Xupiter, which it calls a spyware program “unlike anything anyone had dealt with before” due to its pop-ups, toolbars, changed home-pages, redirected error pages, bundled file software, and a file directory that could not readily be deleted.
Webdefenders reports that Xupiter arrived on users’ PCs using “stealth ‘drive-by’ downloads” and ActiveX. Webdefenders cites a Wired article that “wondered aloud whether [Xupiter] might be the most evil thing on the Internet.”
Webdefenders reports that Yomtobian subsequently sought to clean up his reputation. On October 18, 2005, a large number of Yomtobian-related domains were all registered. Webdefenders reported that the domains’ Whois data was obscured by using Privacy Post registration obfuscation.
But the nature of the domains indicates an effort by Yomtobian, or someone acting on his behalf, to modify search engine results for his name — by creating various placeholder sites that all offer positive or neutral information about Yomtobian, to displace existing search results that criticized Yomtobian’s practices.
Webdefenders reports nine domains in this vein: danielyomtobian.com, daniel-yomtobian.com, w3dan.com, danfan1.ocm abcofsearch.com, danchasesspeed.com, danieldanyon.com, whoiswhoinpaidsearch.com, and mydebut.net. Webdefenders describe each site in one to four sentences, explaining its content and pointing out any material omissions or gaps.
Webdefenders next presents proof of Yomtobian’s connection to Xupiter. Webdefenders obtained Xupiter’s corporate documents from the Secretary of State of California, which listed Yomtobian as Xupiter’s agent for the service of the process. This documentation provides prima facie evidence of Yomtobian’s connection to Xupiter.
Webdefenders continues by listing Yomtobian’s other online activities. It reports various pornography-related domain names that It claims can be linked back to Yomtobian through Erika Online and CashClicks. Domains include sickofuck.com, dildolesbos.com, and various others. Webdefenders presents other corporate documents again showing Yomtobian’s relationship with these companies.
Webdefenders then demonstrates Yomtobian’s relationship with Internext Media. It points out that Internext was sued by 180solutiosn (a notorious spyware vendor) for improper software installations.
Webdefenders next reports Yomtobian forming a company called Yomtobian Enterprises, which Webdefenders says was a cybersquatter targeting State Farm, Bank Of America, 20th Century Fox, AltaVista, The Los Angeles Times, and The New York Times. (See results for “Yomtobian” at WIPO, the arbiter of many typosquatting disputes.)
Webdefenders also reports a link between Yomtobian and DealHelper, notorious spyware installed without consent.
Webdefenders concludes with a point-by-point response to a Yomtobian press release about claims on current Yomtobian websites. It critiques various claims and omissions in that press release and persuasively argues that these claims are misleading or false.
**********
Read more: Exposing Darren Ewert and Mike Dreher: Enagic MLM Scam
Daniel Yomtobian Sneaky Toolbar Hijacks Browsers
According to some of its victims, it’s the most evil thing on the Internet. But it’s not a virus, a scam, or a raunchy porn site.
It’s a browser toolbar that some swear is doing “drive-by downloads” — installing itself without users’ permission — then taking over their systems and making it impossible to uninstall.
“When I find the bastards who programmed this thing I’d be happy to castrate them with a pair of dull pinking shears,” fumed one of Xupiter’s many unhappy victims in a newsgroup posting.
Xupiter is an Internet Explorer toolbar program. Once active in a system, it periodically changes users’ designated homepages to xupiter.com, redirects all searches to Xupiter’s site, and blocks any attempts to restore the original browser settings.
The program attempts to download updates each time an affected computer boots up, and has been blamed for causing system crashes. Several versions of Xupiter also appear to download other programs, such as gambling games, which later appear in pop-up windows.
Some said that Xupiter has taken over their browsers.
“Random words and characters now appear when I attempt to enter info on search sites or other forms. It’s as if there’s a ghost in my machine,” New York resident Beth Vanesky said.
Xupiter.com is registered to Tempo Internet, in Gyongyos, Hungary. Calls and e-mails to Tempo were not returned.
Xupiter offers an uninstall utility, but many said that it didn’t work and sometimes made things worse.
“I ran the Xupiter Uninstall, and now every time I try to launch Explorer, I get error messages saying ‘Xupiter is not installed properly. Please reinstall,'” said Manny Abrams of Chicago.
Xupiter has spawned long message threads on some tech support sites, as users wrestle to reclaim their machines from the terrible toolbar.
“When Xupiter first appeared, we spent a week trying to figure it out,” said Mike Healan of SpywareInfo. There’s a monstrous thread with over 26,000 page views, where a couple dozen of us tested it until we figured out what it did and how to deal with it.”
But Healan said that whenever people sort out what Xupiter is doing, Xupiter’s programmers tweak its code. It also appears that Xupiter may be selling its “service” to other websites.
“About once every month or two, this software starts hijacking people to a new site,” Healan said. “And every time a new version comes out, it adds a different startup entry, uses a different method to change the search function, and is a bigger pain to remove.”
Xupiter’s site claims the toolbar isn’t installed without express permission, but many insisted that they had not agreed to install the program.
“Xupiter is the worst thing I’ve ever personally encountered on the Internet,” said Ed Olexa. “You only realize it has been installed when you start your browser and see that Xupiter’s search page is now your homepage.”
Olexa had to edit his system registry to remove Xupiter manually.
“Xupiter seems to have the ability to reinstall itself if each component is not removed,” Olexa said. Computer novices might never really get rid of it.”
Healan recommended Spybot Search & Destroy to eradicate the program.
Healan said some installations probably occurred when people clicked “OK” in a pop-up box without really knowing what they had agreed to or when they meant to close the pop-up window.
Xupiter is also being bundled with at least one peer-to-peer file-sharing program. The toolbar will install itself automatically when Internet Explorer’s security settings aren’t set to the highest level.
As many people trust Reddit nowadays, I am embedding a Reddit thread to investigate this.
Source:
