Comet Cursor Hijack

Some site I visited installed (without any action on my part and without asking permission) in my computer a program called Comet Cursor. As soon as I realized it I uninstalled it and it seems no damage has been done.

Questions:

  • WTF is this?
  • How can I prevent this from happening again? It seems to me that if a program can be run without my permission I could just as easily get a virus (assuming Comet cursor didn’t already do it).
  • Why don’t they get these people who do these things and hang them by the balls?

Comet cursor is harmless, but annoying… it is a program that has a selection of on-line cursors for you to choose from.

I’m surprised that it installed on its own, that’s a little odd. It’s on a lot of the PCs here at work…

I posted a similar thread a couple months back. http://boards.straightdope.com/sdmb/showthread.php?threadid=29385 I even sent an e-mail to Comet, they explained there is no way the cursor can end up installed without my consent. Since it has happened several times, I am assuming, either, they are lying, a third party site installed the cursor for some reason or the cursor was bundled as part of some software that went unnoticed by me. For some reason, I haven’t seen the cursor install itself recently on my system. I have no idea why that is.

Gosh I am really messed up today. I posted my reply to the other thread by mistake and not only that but did it twice. Anyway…

I can tell you exactly where I got it. At Opalcat’s http://fathom.org/teemingmillions/people/ I clicked on Alphagene’s profile and it did it.

Opalcat, Are you aware that this is happening?

I reiterate that people that do this kind of thing should be hanged by the balls.

I came home from work one day last week, and found Comet Cursor installed on my PC. My wife can do what she wants to do on the computer, but has no idea how to download/install software. I asked her how it got on the machine, and she said that she recalled a popup notice that something or other needed updating, and she just clicked “Yes”.

I didn’t play with it too much before uninstalling it and deleting its directory, but I have the feeling that it’s used to track surfing habits. Can anyone confirm this?

Yes it is used to track you. It sends info somewhere about what you do.

I disabled javascript and returned to Alphagene’s profile at http://fathom.org/teemingmillions/profiles/alphagene.html and, sure enough, there is a javascript :

<!--THIS IS THE COMETZONE BUTTON - PUT THIS ANYWHERE ON YOUR PAGE-->
<SCRIPT language=javascript> acctnum='3';userid='opalcat'; (it continues…)

So it seems cometzone encourages people to do this and some people do it. Since there is a user ID = “OpalCat”, I wonder if there is some reward for every time someone is forced to install from that page.

Whoever did this has little shame and should be impaled. Same goes for the comet cursor people.

BTW, the comet cursor people cannot allege ignorance because this script downloads another script directly from their site:
http//files.cometsystems.com/javascript/cometzone*js*
(I have put all the asterisks to disable the link so no one might click by mistake)

I have put fathom.org on my list of restricted sites so javascripts will not run but…

Question: Is this legal?
Question: How can it be prevented in other sites where I might find it?

A) no, you are not forced to download it, you get a popup asking if you want to. You need to click ‘no’ when that popup shows up. It could be that there is a keystroke that will select ‘yes’ for you, so it could be inadvertently done that way, I suppose.

B) no, I get nothing for it. The id is so they know which cursor to use (ie, the one I had chosen. It is tied to a username so they know what cursor to show on what site)

C) you must have been looking at the old profiles, because I haven’t created a page with Comet Cursor on it in over a year. About 20% of the old profiles have the code on them. None of the new ones do.
Old profiles: http://fathom.org/teemingmillions/profiles
New profiles: http://fathom.org/teemingmillions/people

D) I don’t/won’t use Comet Cursor anymore, nor have I in quite some time. I tried it for a few months, found it to be annoying, and stopped. Unfortunately, it would be too time consuming to go through each of the old profiles and remove the code, and ultimately a waste of that time, since the old profiles are going bye bye at the end of the month.

E) Yes, CometCursor is spyware. So is Netscape SmartDownload and … I think RealPlayer… and a few others. Avoid them. (unless you don’t care)

F) No, it wasn’t common knowledge that it was spyware when I started using it.

G) I’ve confirmed that you were looking at the OLD profiles and not the new ones, since Alphagene doesn’t even HAVE a new profile.

H) I don’t have balls.

>> no, you are not forced to download it, you get a popup asking if you want to. You need to click ‘no’ when that popup shows up.

Not True. I get a popup that is totally cryptic and misleading. I have captured it in a GIF if anyone wants to see it. It says: “CometZone Error #689-b28: Your CometZone tag is incomplete” and it ONLY has one button that says “OK”. The ONLY way out without hitting OK is to hit Ctrl-Alt-Del and terminate the program.

Yes, it is possible I got the two subdirectories mixed up. I had never been to fathom.org and only went there when I read Ed Zotti’s announcement.

You say you did not know it was spyware and when you found out it would be time consuming to remove the code. Well, so what do you think I have been doing for the last hour if not wasting time finding out WTF happened and uninstalling that shit? At the VERY least you could put a warning in the page so those who click know what they are getting into.

Comet Cursor is a trojan as it disguises its true function from the user and it installs without asking. That you would find this acceptable is something I do not understand.

Other dopers have complained about this program and not knowing how they got it. I bet many of them got it at your site.

I have put a GIF of the popup here.

In fact, I suspect it does not matter whether you click or not and even before you click it is already downloading.

sigh
That isn’t the popup I was talking about, that is an ERROR DIALOG WINDOW. It means there is a javascript error on the page. In fact, it means that the CometCursor won’t even WORK on that page, nor be prompted to download. Which also means that the chances you got the CC from that page are close to nil. It has nothing to do with anything downloading onto your computer. Basically, what it means is that I’d edited the page since it was created, and since I used a WYSIWYG editor, it munged the code and I didn’t notice. It does that. Replaces characters with ascii and such. Therefore: javascript error.

HERE is a screenshot of the popup that prompts you for download: http://fathom.org/opalcat/cometcursorpopup.jpg.html

For the record, I don’t have CC installed on my computer. Meaning that if I go to a site with CC I get the popup asking me to download it. I went to Alphagene’s profile in the old profiles, and all I got was the javascript error. NO PLUGIN POPUP AT ALL. Nor did my cursor change. What does that mean? It means that for all intents and purposes, CC is NOT installed on those pages. To get the popup window, I had to go to another site that had CC installed, which then prompted me to download (as every CC-enabled site always does, including mine back when it was working), and I captured the screen.

I disagree that it installs itself. It has always prompted me, and I always say “no” and so it never installs/downloads. Also, since you seemed to think that an error window was some sort of download screen or plugin warning, I would hesitate to put absolute faith in you that you know what you’re talking about. Possibly there is a browser setting to auto-install requested plugins? Regardless, based on the fact that the code isn’t even working on my site, you didn’t get it from my site.

As for this:

I’m afraid I don’t see being prompted for a plugin as being a critical problem. They aren’t “getting into” anything. They have a choice of not installing it. Those pages are old… I haven’t touched them at all in almost a year. Going through 200-300 to see which ones have a broken plugin code on them just doesn’t seem important to me. As I said, at the end of the month the old profiles are getting deleted anyway. If there had been something malicious that autoinstalled (which I believe is illegal and no software/plugin/whatever is designed that way to my knowledge) I certainly would take every step to remove it. However that isn’t the case here.

corrected link:

http://fathom.org/opalcat/cometcursorpopup.jpg

OpalCat, that might be an error message but I can assure you I never saw the window you posted and the page installed the Comet Cursor on my computer without asking further. It seems if you get the error it installs and it has been other people’s experience as well. VERY annoying. I am not blaming you if you did not know this was happening but I have to wonder if the CometCursor people are taking advantage of this to install their f***ing program.

Update: I had emailed Comet Cursor to tell them how annoyed I was. At that time I was quite annoyed and the email was quite harsh. I really thought they were at fault for installing the program without my authorization.

In their favor I have to say they have responded and explained that it should not be possible for it to be installed without my permission and they explained about IE security settings.

The way I understand it is the problem was caused by some bad code by OpalCat which triggered the error message and apparently somehow got around the security settings.

While I still don’t like the program it does not seem it is illegal (although I wish it was) and it does not seem to have been installed deliberately without asking.

At least I have to give them credit for their prompt reply and interest. They’ve done better than other firms I’ve written to in the past, many of which never even responded.

Since other people had said they had the same problem I will post the reply here in case it may be useful for others:

As I say, my security settings were not lowered and it seems that due to that glitch somehow they were circumvented. At any rate, it seems the cause of all the mess and my frustration lies in the faulty code by OpalCat. Since this wasn’t deliberate either I guess her responsibility is diminished (though not totally extinguished).

And finally, if, as it seems, the program installed getting around the security protection due to the glitch in the code, then Microsoft would bear some responsibility.

So I guess we have plenty of blame to go around for everybody but not enough to get really upset with anybody.

Oh well, it was a waste of time and a PITA, but it could have been worse. It could have been a virus or something.

[Edited by Lynn Bodoni on 10-11-2000 at 11:23 AM]

My name is Paula and I work at Comet Systems. I apologize in advance for the length of this posting but I would like to thoroughly address each comment that has been raised about our software. Also, I noticed that Sailor has recently posted a partial response that we had previously sent him. My apologies for the repetition; I felt that it would be beneficial to have all of the info in one centralized location.

In Sailor’s first message (which I believe started this particular string), he stated,
“Some site I visited installed (without any action on my part and without asking permission) in my computer a program called Comet Cursor.”
It is actually absolutely impossible to install our software, or any other Active X control without asking the user’s permission, provided you have not altered your computer’s default security settings. If it appeared to do so, it means (at least in all the cases that we have seen to date) that your Internet Explorer security settings are set to some form of “pre-accept”. This, I assure you, is not a “lie” (as was alluded to by Chief Crunch).

Please give me a chance to explain a little more. Normally when you visit a Website that hosts our technology an installation window (a Verisign box) will pop up and ask you if you would like to download the software. The installation window’s default is set to “no” and you have to explicitly click on “yes” for the software to install. It sounds like many of you never saw this box. If this is the case, you should check your IE security. It is most likely set to “Low”. If it is set to “Low” then you have by default accepted any and all software (not just ours) from any Website you visit. I would recommend that you check these settings so that you can prevent “surprises” such as this from occurring in the future. Moreover, failure to perform these changes will continue to make your system extremely susceptible to numerous common viruses and problems. Maybe now would also be the time to add that My Comet Cursor IS NOT a virus, as was also indicated by Sailor.

As for your security settings, here are four places where you should check:

  1. In IE, under Tools -> Internet Options,
    Select the Security tab. There will be a slider
    which changes Security level for this zone.
    This should be set to Medium or higher. Low will
    allow downloads without your permission.

And

  2. In IE, under Tools -> Internet Options,
    Select the Security tab. There will be a
    Custom Level button. When you select it
    there will be a number of radio buttons to select.
    The top one (Download Signed Active X Controls)
    should be set to Prompt (not Enable).

And

  3. In IE, under Tools -> Internet Options,
    Select the Security tab. There will be a green check with “Trusted Sites”
    Select that, and then the Sites button.
    In the Websites field you will be able to see all of the sites you
    have selected as “Trusted”. The site from which you installed may be here.

And finally,

  4. In IE, under Tools -> Internet Options,
    Select the Content tab.
    Click the Publishers button in the Certificates area.
    Check to be sure that Comet or the site downloaded from are not located here.

Secondly, (and this would be in response to Curt C’s and OpalCat’s posting) we DO NOT track our users. There have been a lot of rumors going around saying that Comet Systems tracks its users and that the Comet Cursor is Spyware. This is simply not true.

Some inaccurate information appeared in late 1999 regarding our information practices. Regretfully several organizations picked up the story before contacting us. Once their articles appeared we contacted them, and explained what is really going on. Realizing their mistake many of those publications have since issued retractions or corrections, including the Christian Science Monitor, Industry Standard, ABC News, PC Magazine, ZDNet, Time Digital, and Business Week. I’d like to invite you to read some of the ones that are online:

Read our complete Privacy Policy </help/privacy.shtml>.

Read “Media didn’t give Comet Systems a chance to explain” </press/articles/christsci991209/index.html> in the Christian Science Monitor, 12/9/99.

Read “Privacy Story Moves Like a Comet” <http://www.thestandard.com/article/display/0,1151,8100,00.html> in the Industry Standard, 12/6/99.

Read why the Comet Cursor is not “spyware” <http://www.zdnet.com/anchordesk/stories/story/0,10738,2599169,00.html> according to ZDNet’s Anchor Desk, 7/10/99.

Regarding “Spyware” – As close as we can tell this rumor started on a gentleman named Steve Gibson’s website (GRC | OptOut -- Internet Spyware Detection and Removal). We suspect that he read some of the articles that we referred to above, and leapt to conclusions. The Comet Cursor is not “spyware” even by Gibson’s own definition. On his site, Gibson lists seven criteria that would qualify something as being “spyware”. The Comet Cursor meets none of these criteria. In fact, if you look at Gibson’s own compliance chart, you will see that he hasn’t even evaluated the Comet Cursor (check it out at: GRC | OptOut -- Index of Known Spyware). We have written him, requesting that he research our software so that he can realize his mistake, but regrettably he has not replied.

Then (to continue the saga :wink:) some major news organizations picked up the “spyware” story (privacy and the Internet is such a hot topic that people seem to jump on a story before doing their complete due diligence). Again we contacted these organizations and informed them of their mistake. Bound by journalistic integrity, they did do research and realized that they were in error. Check out ZDnet’s spyware retraction:

July 10, ZDNet Anchor Desk:
http://www.zdnet.com/anchordesk/stories/story/0,10738,2599169,00.html

Again, with all of these rumors flying around, I can sympathize with your confusion. Often times there is so much information (particularly on the Web), that it’s difficult to distinguish fact from fiction. If you have any questions about any of this we would deeply appreciate it if you would contact us. It has been an uphill battle for us to combat these untrue rumors and we are very thankful when people give us a chance to explain what is really going on (thanks to Alfonso and Sailor’s most recent message).

I hope that I have helped to further clarify any and all misunderstandings that have arisen as a result of these messages. If not, please feel free to contact me personally and I will answer any additional questions or concerns that you may have.

Paula
Comet Systems
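
The four places to check listed in the post above can also be read from the registry and the certificate store. This is an added example, not part of the original thread or of Comet Systems' reply; it assumes a Windows machine with PowerShell, and the registry paths, the URL-action number 1001 and the function names are assumptions of the example (standard Internet Explorer zone settings), not details given in the thread.

```powershell
# Added example: read-only audit of the four IE settings named in the post above.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # URL-action policy values
$levelNames  = @{ 0x10000 = 'Low'; 0x11000 = 'Medium'; 0x12000 = 'High'; 0 = 'Custom' }

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    $key = Join-Path $base "Zones\$Zone"
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-IEActiveXSettings {
    # Check 1: security level slider for the Internet zone (zone 3).
    $level = Get-ZoneValue -Zone 3 -Name 'CurrentLevel'
    if ($null -ne $level) {
        $label = $levelNames[[int]$level]
        if (-not $label) { $label = '0x{0:X}' -f [int]$level }
        [pscustomobject]@{ Check = 'Internet zone level'; Value = $label
                           Risky = ([int]$level -eq 0x10000) }
    }

    # Check 2: "Download signed ActiveX controls" (URL action 1001) in zone 3.
    # Enable (0) means a signed control installs with no prompt at all.
    $signed = Get-ZoneValue -Zone 3 -Name '1001'
    if ($null -ne $signed) {
        [pscustomobject]@{ Check = 'Download signed ActiveX controls'
                           Value = $actionNames[[int]$signed]
                           Risky = ([int]$signed -eq 0) }
    }

    # Check 3: sites mapped to the Trusted sites zone (zone 2).
    $domains = Join-Path $base 'ZoneMap\Domains'
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($proto in $key.GetValueNames()) {
            if ($key.GetValue($proto) -eq 2) {
                $site = $key.Name -replace '^.*\\Domains\\', ''
                [pscustomobject]@{ Check = 'Trusted site'; Value = "$site ($proto)"
                                   Risky = $true }   # review each entry by hand
            }
        }
    }

    # Check 4: publishers whose signed code is accepted without a prompt.
    Get-ChildItem -Path Cert:\CurrentUser\TrustedPublisher -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Trusted publisher'; Value = $_.Subject
                               Risky = $true }       # review each entry by hand
        }
}

Test-IEActiveXSettings | Format-Table -AutoSize
```

Every trusted site and trusted publisher is flagged for review because either kind of entry lets a control install without the prompt the post describes.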

sailor, you’re saying that due to some sort of java glitch on OpalCat’s page, your IE security was compromised, and something was able to autoinstall without your permission? If such a glitch existed, it would imply the possibility for true web-based viri, and if those existed, we’d surely be hearing about them on the evening news. You say that the box that came up was a CometCursor error… You couldn’t get a CometCursor error unless you first had CometCursor installed. I don’t know how it got installed, but it’s safe to say that it wasn’t from Opal’s page. Has anyone else had access to your computer since the last time you installed IE? It could very well have been installed for months, and you only now noticed it because of the error.

Glad to see this situation has resolved.

For more information on “spyware”, you might want to check out this site: OptOut.

your humble TubaDiva

FWIW, I was not able to get Comet Cursor installed on my machine from Opal’s site without asking, even at Low security. So either it has been fixed, or it’s not happening with all PCs, or you got it from somewhere else.

Anthracite, I believe OpalCat mentioned she had corrected the Javascript error.

I have NO doubt where I got it. This is how it happened:

I started the computer and opened IE5 and came to the board. The first message by Ed Zotti caught my eye. I opened it and it directed me to OpalCat’s site. There I clicked on a couple of profiles but when I clicked on Alphagene’s the error message popped up. You can see the message in the GIF file I supplied. I clicked “OK” (since there was no other option) and a few seconds later Comet Cursor has been installed and the icon appears on the system tray and a shortcut on the desktop.

It is evident where I got it from. I never saw the window that OpalCat shows in her graphic. I had no other windows open or programs running. Not knowing what Comet Cursor was and seeing how it was installed without my permission, I thought it might be some evil stuff so I immediately deleted it and posted my question.

Now I have a better understanding of what it is. As to how it bypassed my security settings I have no idea but I can assure you I got it from OpalCat’s site. Of that I have NO doubt. There is just NO other possibility.

Chronos, I cannot explain it for the simple reason that I do not know enough about the whole technical side. But I can assure you that is how it happened.