LOP.com, C2 Media Limited, their hijacking, and the fix


Today (25 Feb 2003), while perusing the web, I happened upon a website that infected my system. It hijacked my browser (IE 6.0), adding an advertisement bar and also adding an advertisement bar that aligned itself with the Windows XP taskbar. Nothing I did cured my system or browser. I ran AdAware 6.0 and also Spybot-Search and Destroy with no luck. Those programs would remove the offending objects but upon reboot the system would revert back to its infected status.

I used some of the skills I used at work (I'm a network intrusion analyst at Northrop Grumman) to find who hosts Lop.com. Well, C2 Media Limited hosts Lop.com but they are the same entity. I used 'whois' in an xterm window on my Linux box and it output the data I needed. I got the webmaster's email and sent the letter below:


I am sure you are aware of your own attempts at generating traffic to your
pages, so I'm sure you know why I'm complaining.  Your page or someone linked
to your pages has hijacked my browser, setting its homepage to your site and
making the browser create an advertising bar.  This is unacceptable.  I
cannot clean your unorthodox traffic generator from my system and I never
approved of this.

Seeing as you host your own pages, I'm sending this as a notification that
legal action may follow in regards to your company's actions.

--
R. Sinclair
http://www.unixfool.com

About an hour later, I got a response, shown below:


Dear Sir or Madam,

In the terms and conditions of any of our software products it is clearly
stated that we grant you a free license to use the software and by
installing the software on your computer you agree to use our search
services in your web browser.  Any and all changes made to your system are
clearly stated in the terms and conditions and are fully uninstallable via
the 'Help' then 'uninstall' option on any of our software applications.

There are several methods available to you should you wish to uninstall any
of our software products you had previously chosen to install:

- You can go to your start menu / control panel and choose the 'Add /
Remove Programs' option then select 'Lop.com' or 'LOP SEARCH' from the menu
to run the uninstaller.

- You can also locate the globe type icon in the bottom right hand corner
of your screen, right click on it, then choose menu. From the main menu you
will see a help button on the top right hand corner. Click the help button
then choose 'uninstall'.

- Additionally a separate uninstall program may be downloaded here


In order for the complete changes of the uninstall to take effect you must
reboot your computer.

Please let us know if we can be of any further assistance,


Lop.com Customer Service

Before I tried their solution, I wanted to make sure they understood my first message, as the first thing they did in their email was spout out their licensing agreement, so I sent them another email:


Bottom line:

I didn't install the software...YOU did.  I was never asked permission, not
even once.  I didn't even go to your pages, yet the software was installed
without my permission.

I say again, you may be seeing legal action regarding this.  It all depends on
how much trouble I have to endure to clean up your mess from my computers.
As I didn't install this software and your software installed itself then
hijacked my system's browsers, I'm exempt from your software licensing and
can follow up on whatever legal action is necessary to stop this from
happening again.

Ron Sinclair

I then tried their fix and it seems to work. I urgently want people to see this page, as there's no real solution on the web using google.com, unless I wasn't using the correct search words. This page will serve as a solution to the Lop.com infection problem. It's really simple. I hadn't thought to look to see if an actual program had been installed because I hadn't installed it.

It's very eye-opening and spooky how an entity can install software onto your computer (this was an actual program that was installed, not malicious code) through a web browser. It not only happens to IE browsers but also Netscape and Mozilla browsers, but only Windows browser versions seem exploitable...not to say that Linux or other OSs' browsers aren't exploitable.

Well, I hope this helps someone. I'm glad I dug into C2 Media Limited the way I did, otherwise I'd still be working on fixing their hijacking.


Copyright © 2001-2004, Ronald Sinclair
Created: 22 March 2004
URL: http://www.unixfool.com/