Wednesday, August 17, 2011

A little analysis on that Zugo toolbar

Related names: StartNow, Whitesmoke, Babylon, HyperBar, Zugo, toolbar
Threat: low
Main artifacts: Browser toolbar installed and home page set
Main install vector: Surreptitious install by affiliate with little or no notice to user.
Company behind all this: Zugo Services Ltd of London
How to remove: See this link.


The Zugo toolbar for web browsers, a Zugo Services Ltd product, is an annoying adware product that often gets installed on users' computers in a surreptitious manner. The product is bundled with other software, and during installation the user may be given only limited information about the toolbar or, worse, no information at all. According to GFI Software, Zugo Services Ltd has a large affiliate network, with affiliates being paid up to $1.50 per install. Zugo exercises little oversight over its affiliates, who therefore have every incentive to obtain the largest possible number of installs by whatever means necessary.

Zugo's default toolbar is StartNow, though Zugo has also created toolbar products for other companies, including Whitesmoke and Babylon. Once installed, the software changes the user's home page and relays search information to the Zugo infrastructure to allow the placement of targeted advertising. An earlier version of this product was known as the StartNow HyperBar.

An example is provided by the website which hosts a number of free download utilities, all of which install the toolbar. Interestingly, that site resolves to the same IP address as a host that the toolbar installer contacts, suggesting that the adlsoft site was established purely to drive installs of the toolbar.

Intro paragraph on the download site
Incidentally, this site has taken the free download version of Systweak's Advanced System Protector and repackaged it to include the StartNow Toolbar.
The download site offering Systweak software for download

Here is the install screen of one of the products, in this case a decompression utility.
Uncompressor install screen
Though the screen does mention that another product will be installed, the language could very easily be missed. Liberal use is made of the “Bing” name rather than the StartNow name; it looks almost as though it was designed to be overlooked.

Interestingly, when you install the software without an Internet connection, a different install screen appears (see below). There is now a reference to the Babylon toolbar, which is a different Zugo toolbar product.
Uncompressor install screen showing Babylon toolbar

In contrast, below is an example of best practice in toolbar installation. This is the screen an Adobe installer will give you before installing the Google toolbar. Nice and clear.
Adobe Google toolbar install

Tracking the install
z-silent starts!
Once the utility installer is executed, two files are downloaded via plain HTTP on port 80: a tiny token file and an executable named z-silent.exe (why name this "silent", Zugo folks? A little spooky, no?). z-silent.exe is a Nullsoft NSIS installer for Zugo products, signed by Zugo Ltd. The HTTP GET requests are as follows.

HTTP GET sent to

GET /getCountry/ HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 02 Aug 2011 14:23:12 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 2
Connection: close
Content-Type: text/plain; charset=UTF-8

HTTP GET sent to

GET /z-silent-2804.exe HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

z-silent is then started with the following command.


z-silent now does a number of things, including the following.
  1. Disables proxy use and Internet connection auto-configuration scripts.
  2. Calculates a user GUID (globally unique identifier) and a machine id.
  3. Installs the StartNow toolbar software to Program Files\StartNow Toolbar.
  4. Registers StartNow as a Browser Helper Object (BHO), so Internet Explorer will now load Toolbar32.dll on every start.
  5. Spawns the toolbarupdateservice process.
  6. Registers the install with remote infrastructure via HTTP GET.
Most registry and file activity is routine; however, the following values are deleted from the user's Internet Settings key. This disables proxy use and auto-configuration scripts, so the toolbar's traffic bypasses any proxy the user or their organisation had configured.

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigUrl

z-silent and most of the files it generates in the Temp directory during the install are then deleted.
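The host-side behaviours listed above (proxy values deleted, a BHO registered, the toolbar dropped under Program Files, the update service spawned) are what you would hunt for in a Process Monitor capture of the installer. The following is an added example, not code from this post: it reads a Procmon-style CSV export and flags those behaviours per process. The sample events are constructed; the CLSID under the Browser Helper Objects key and the toolbarupdateservice.exe file name are placeholders, and the BHO key path is the standard one Internet Explorer reads, not something taken from the capture.

```python
"""Flag, in a Procmon-style CSV export, the host-side install behaviours the
post describes for z-silent: deletion of the user's proxy settings,
registration of a Browser Helper Object, the StartNow toolbar file drop and
the update service start.  Added example, not code from the post.  Sample
events are constructed; the CLSID and the update-service file name are
placeholders."""
import csv
import io
import re

# Constructed Procmon-style sample (columns trimmed to the four used here).
SAMPLE_EVENTS = r"""
Process Name,Operation,Path,Detail
z-silent.exe,RegDeleteValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer,
z-silent.exe,RegDeleteValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride,
z-silent.exe,RegDeleteValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigUrl,
z-silent.exe,CreateFile,C:\Program Files\StartNow Toolbar\Toolbar32.dll,Desired Access: Generic Write
z-silent.exe,RegSetValue,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}\(Default),Type: REG_SZ
z-silent.exe,Process Create,C:\Program Files\StartNow Toolbar\toolbarupdateservice.exe,PID: 1234
explorer.exe,RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sidebar,Type: REG_SZ
"""

PROXY_VALUES = {"ProxyServer", "ProxyOverride", "AutoConfigUrl"}
INET_SETTINGS = r"\microsoft\windows\currentversion\internet settings"
# Standard BHO registration key (either hive); the CLSID is captured.
BHO_KEY = re.compile(r"\\Browser Helper Objects\\(\{[0-9a-f-]{36}\})", re.I)
TOOLBAR_DIR = r"\program files\startnow toolbar"


def parse_events(csv_text):
    """Parse a Procmon CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def classify_event(ev):
    """Return a finding label for one event, or None if it looks routine."""
    op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
    head, _, leaf = path.rpartition("\\")
    if (op == "RegDeleteValue" and leaf in PROXY_VALUES
            and head.lower().endswith(INET_SETTINGS)):
        return "proxy_setting_removed:" + leaf
    m = BHO_KEY.search(path)
    if op == "RegSetValue" and m:
        return "bho_registered:" + m.group(1)
    if (op == "CreateFile" and "Write" in detail
            and head.lower().endswith(TOOLBAR_DIR)):
        return "toolbar_file_written:" + leaf
    if op == "Process Create" and leaf.lower() == "toolbarupdateservice.exe":
        return "update_service_spawned"
    return None


def findings(csv_text):
    """Map each process name to the suspicious things it did, in order."""
    out = {}
    for ev in parse_events(csv_text):
        label = classify_event(ev)
        if label:
            out.setdefault(ev["Process Name"], []).append(label)
    return out


def installer_process(csv_text):
    """Name of a process that both removed proxy settings and registered a
    BHO, the combination the post describes; None if no process did both."""
    for proc, labels in findings(csv_text).items():
        kinds = {label.split(":", 1)[0] for label in labels}
        if {"proxy_setting_removed", "bho_registered"} <= kinds:
            return proc
    return None


if __name__ == "__main__":
    for proc, labels in findings(SAMPLE_EVENTS).items():
        print(proc, labels)
    print("installer:", installer_process(SAMPLE_EVENTS))
```

The verdict deliberately requires two of the behaviours from the same process: a proxy value being deleted on its own is something an administrator or a legitimate network-settings tool may do, and a BHO registration on its own is what any toolbar does; the pair, from one short-lived installer, is the signature worth alerting on.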

Interestingly, the registry activity includes a check for the existence of the key shown below. This is the first of three ties between Zugo Services Ltd and the company


The second is that if the Details tab of z-silent's file properties is examined, both the File description and Product name fields have the value AfterDownload.

The following Internet traffic is generated during the z-silent install.

HTTP GET sent to

GET /getcountry?
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP GET sent to

GET /ztb/update?
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

Once the toolbar is installed, information will be stored in cookies whose names begin with the following string.

\Documents and Settings\Owner\Cookies\owner@www.startnow
Searches using the toolbar send information to the Zugo infrastructure via HTTP GET requests, as the following search for “football” shows. This information includes the operating system version, the country of install and a globally unique machine id.

HTTP GET sent to

GET /s/?q=football&src=startpage HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive
sp_query_string=src startpage
provider Bing
provider_code Z082
partner_id 249
product_id 628
channel 2_6
toolbar_id 200
toolbar_version 2.0
install_country US
install_date 20110802
user_guid <removed>
machine_id <removed>
browser IE
os win
os_version 5.1-x86-SP3
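Taken together, the requests captured so far give a proxy-log signature for the whole chain: the NSISDL/1.2 User-Agent fetching the getCountry token and the z-silent executable, z-silent's own /getcountry and /ztb/update calls, and finally the /s/?q=…&src=startpage search beacon carrying the user and machine identifiers. The following is an added example, not code from this post: it classifies proxy-log lines into those stages and pulls the persistent identifiers out of the beacon. The log lines and host names are constructed; the paths and User-Agent strings are the ones captured above, and the identifiers (user_guid, machine_id, install_date and so on) are assumed here to travel as query-string parameters of the search request.

```python
"""Classify the HTTP requests of the install chain the post records (NSIS
token fetch, z-silent download, z-silent's own registration and the StartNow
search beacon) in a proxy log, and pull out the identifiers the beacon
carries.  Added example, not code from the post.  Log lines and host names
are constructed; the identifiers are assumed to travel as query-string
parameters of the search request."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy-log sample, tab separated: client, method, URL, User-Agent.
# Paths and User-Agent strings are those the post captured; hosts are placeholders.
SAMPLE_LOG = (
    "10.0.0.5\tGET\thttp://installer.example/getCountry/\tNSISDL/1.2 (Mozilla)\n"
    "10.0.0.5\tGET\thttp://installer.example/z-silent-2804.exe\tNSISDL/1.2 (Mozilla)\n"
    "10.0.0.5\tGET\thttp://token.example/getcountry?\tNSISDL/1.2 (Mozilla)\n"
    "10.0.0.5\tGET\thttp://toolbar.example/ztb/update?\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\n"
    "10.0.0.5\tGET\thttp://search.example/s/?q=football&src=startpage&provider=Bing"
    "&toolbar_id=200&install_country=US&install_date=20110802&user_guid=GUID-REMOVED"
    "&machine_id=MID-REMOVED&browser=IE&os=win&os_version=5.1-x86-SP3\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\n"
    "10.0.0.7\tGET\thttp://bing.example/search?q=football&QS=n\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)\n"
)

# Parameters that identify the install rather than describe the search.
TRACKING_FIELDS = ("user_guid", "machine_id", "install_country",
                   "install_date", "os_version", "toolbar_id")


def parse_line(line):
    """Split one constructed log line into its four fields."""
    client, method, url, ua = line.split("\t", 3)
    return {"client": client, "method": method, "url": urlsplit(url), "ua": ua}


def classify(req):
    """Map one request to a stage of the install chain, or None if unrelated."""
    path, ua = req["url"].path, req["ua"]
    if ua.startswith("NSISDL/"):
        # The NSIS download plugin: a bundled installer is fetching components.
        if path.lower().rstrip("/").endswith("/getcountry"):
            return "nsis_country_token"
        if re.fullmatch(r"/z-silent(-\d+)?\.exe", path):
            return "nsis_installer_download"
        return "nsis_other_download"
    if path == "/ztb/update":
        return "zugo_install_registration"
    if path == "/s/" and parse_qs(req["url"].query).get("src") == ["startpage"]:
        return "startnow_search_beacon"
    return None


def tracking_identifiers(req):
    """Persistent identifiers the beacon carries beyond the search term."""
    q = parse_qs(req["url"].query)
    return {k: q[k][0] for k in TRACKING_FIELDS if k in q}


def analyse(log_text):
    """Per client: the ordered install-chain stages seen and identifiers leaked."""
    report = {}
    for line in log_text.strip().splitlines():
        req = parse_line(line)
        stage = classify(req)
        if stage is None:
            continue
        entry = report.setdefault(req["client"], {"stages": [], "identifiers": {}})
        entry["stages"].append(stage)
        if stage == "startnow_search_beacon":
            entry["identifiers"].update(tracking_identifiers(req))
    return report


if __name__ == "__main__":
    for client, entry in analyse(SAMPLE_LOG).items():
        print(client, entry["stages"], entry["identifiers"])
```

The NSISDL User-Agent on its own is only a weak indicator (many legitimate NSIS installers use the same plugin), which is why the classifier keys on it only in combination with the token and installer paths; the stage ordering per client is what lets an analyst tell a completed install from a blocked download.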

In contrast, this is the information the real Bing toolbar sends back to Bing infrastructure for the same search.

GET /search?q=football&QS=n HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
X-SearchRewards: brcv=18.0.2066.0[mi=4ef64220-fc5d-4894-9972-3dfef868b86f,HID=0,IID=781940d98b126d94fc80273927bd9c20,tc=1]
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
bIm=147; RMS=F=GgAg
DOB=20110730; MUID=<removed>; _UR=OMW=1

Whitesmoke and Zugo

An example of how using Zugo's services can help a company comes from the public SEC filings of Whitesmoke. Whitesmoke offers a spelling and grammar correction software product and entered into an agreement with Zugo which resulted in significant benefits for Whitesmoke. From the SEC filing we have the following.

"A significant portion of our revenues arise when end-users download a custom third-party toolbar for use with third-party websites, such as In the United States, Zugo powers and operates this toolbar download process under a letter of intent with us, dated February 25, 2010. Under the binding letter of intent, Zugo agrees to perform at a specified service level to ensure, among other things, 99.9% uptime. Zugo pays us either a portion of the revenues or a per-download amount from toolbar downloads. Our letter of intent with Zugo may be terminated by either party with 24 hours notice. In November 2010 we entered into an amendment to the letter of intent with Zugo which amended certain payment terms."

Whois information and related entities

A whois search of the domain previously revealed that it is held by Zugo Ltd with a Jersey, Channel Islands PO Box address. However, this recently changed to an anonymous entry.

Old Whois record
Interestingly, when the code signing certificate for z-silent is examined, the subject field reveals a slightly different Channel Islands address.

CN = Zugo Ltd
O = Zugo Ltd
STREET = PO Box 36
STREET = 1st Floor
STREET = 37 Broad St.
L = St Helier
S = Jersey
PostalCode = JE4 9NU
C = JE

Whois record updated Aug-2011, now anonymous

The domain from which z-silent downloads the GetCountry token is registered to an Omer Kaplan with a Tagore St, Tel Aviv, Israel address. This person also founded AfterDownload; note that z-silent checks for the existence of an AfterDownload registry key. The AfterDownload domain used to list the same name and Israeli address in the whois database, however this has recently changed to an anonymous entry. According to its website, AfterDownload is “the first and largest CPC platform to provide effective display monetization for the entire download funnel.” It is likely that Omer and AfterDownload are acting as an affiliate of Zugo and being paid for each install.

The domain is registered anonymously via Moniker Privacy Services and is hosted at IP address The hosts, and resolve to IP addresses

The domain is registered anonymously via Domains by Proxy but interestingly it is hosted on the same IP address as,
More on Zugo and a possible connection to porn company Inxio Ltd

Zugo Services Ltd is a registered UK company and a search of public UK records reveals that the company's physical address is


The current CEO is Jeronen Seghers (see ) and a named director is Mark Simon Hirschfield. Mr Seghers founded StartNow International (now dissolved).

Referral whois information reveals a connection between the IP addresses used by Zugo and the porn company Inxio Ltd. The IP address that Zugo sends search query information to is shown below, and the referral whois record for it shows that the block is registered to Inxio Ltd.

Referral whois record showing block registered to Inxio Ltd

Further, the IP addresses that the hosts listed above resolve to are also members of a block registered to Inxio Ltd, as the record below shows.
Referral whois record showing block registered to Inxio Ltd
In addition, a simple Google search on the phone number Zugo Ltd supplied for its whois record reveals that this number is also used as a registration contact for a large number of Inxio porn websites (see below).


Jeronen Seghers, CEO, Zugo Services Ltd
Mark Simon Hirschfield, Director, Zugo Services Ltd
Omer Kaplan, Founder of AfterDownload

IP addresses, hosts and domains

IP address    Hosts

Further information


  1. I received Zugo, unbelievably, as a result of a Vuze "required" upgrade.
    I remember when Vuze was a trusted entity. Very sad.