Friday, September 03, 2010

Help! What Is "Rippers 0"?



A number of bloggers have started asking about a browser called "Rippers 0."  It seems to be a browser employed by the United States military but nobody knows just what it is or why it's being used.

I came across it today thanks to a hit from the (US) Navy Network Information Center at Norfolk, Virginia.  A Google search showed that Rippers 0 is also employed by another periodic visitor to this blog, the US Army Information Systems Command.  Some claim it's a site-hacking software/browser.

Has anyone else encountered Rippers 0?

48 comments:

  1. Found this "Ripper is a tool for downloading a website and storing it for offline use. It can be used to copy and steal a website, it can also be used for offline browsing of a website with no ill-intent whatsoever."

    http://fiddaman.blogspot.com/2010/05/hey-addleshaw-goddard-gsk-lawyers-are.html

    I've never heard of it, but I know some people I can ask.

    ReplyDelete
  2. I've seen references suggesting it can be used to hack a website, steal it or copy it entirely. I've discovered three other Rippers 0 users - the US State Department, Goldman Sachs and a Chinese military intelligence outfit.

    Apparently somebody is writing code to block Rippers 0. If you find anything else I'd appreciate you passing it on.

    ReplyDelete
  3. My sources come up blank. They suggest putting in a redirect to black hole. Don't think you can do that with blogger as that requires header modification in your HTML. <-- don't quote me on that as I'm not that up on my web scripting.

    ReplyDelete
  4. Thanks Catelli, much appreciated. This thing seems relatively new and no one really knows much about it, including how to ward it off. While it gives the IP address and the browser "Ripper 0" identification, it seems to block other information including the visitor's operating system.

    My computer fluency is pretty much limited to turning the thing on and typing but I have noticed some strange things lately that made me wonder whether I had a bot. Norton AV didn't come up with anything. Maybe I'll see if Symantec has any info on this thing.

    Thanks again.

    ReplyDelete
  5. I doubt it has anything to do with your computer. If it did, the IP should match your own (use this http://www.whatsmyip.org/ to find your external public IP)

    Is there an IP associated with it? That can give some clues as to the organization/geography.

    Plug the IP into here: http://www.dnsstuff.com/

    May or may not ease your mind.

    ReplyDelete
  6. MoS,

    Looks like it may be a web caching\employee monitoring tool used by large corps and gov't. I've found it used not only by your USG hits, but by Goldman Sachs, large Law Firms and Sony Ericson.

    I'm in IT security and I've never heard of it as a browsers (and there are lots of odd ones out there)

    See:

    http://forum.statcounter.com/vb/showthread.php?t=38816

    and

    http://www.google.bg/support/forum/p/Webmasters/thread?tid=2b0f61e3a557372f&hl=en

    Also, using a Firefox plug in, anyone can change their User-Agent header to anything, so it is only moderately reliable as a indicator.

    ReplyDelete
  7. Hi Mike. Good to hear from you again and thanks for the information.

    Going through my blog data I found the latest entry wasn't the only Rippers 0 visit.

    I expect it won't be long before a complete account of Rippers 0 emerges.

    Cheers

    ReplyDelete
  8. And just to prove my point, both this post and the last one were made with my Firefox 3.6.8 Browser on Windows...

    What does your Stats counter say this one was made with? Which version of IE?

    ReplyDelete
  9. Did you post your comment from Kanata? If that was you, it came from Firefox 3.6, WinVista. Some visitor from Ottawa showed up through an i-Phone.

    ReplyDelete
  10. Rippers 0 OS:unknown Resolution:unknown Jacksonville,
    North Carolina,
    United States Navy Network Information Center (nnic) (138.162.128.55) what the hell do these guys want with me?

    ReplyDelete
  11. Well Anon, if you figure it out be sure to let me know. The latest Rippers 0 hit I received came from a Canadian bank, the Bank of Nova Scotia, via their branch in Mexico City. Go figure.

    ReplyDelete
  12. Update - the hits just keep on comin' None today but got 2 Rippes 0 hits yesterday, both U.S. Navy intelligence. Damn but if it's intelligence they're after this blog is a bloody poor place to look for it.

    ReplyDelete
  13. Hello!
    I think maybe a program like this has been used...
    Never tried it myself, so i don't no about how you can manage the configuration...

    ReplyDelete
  14. I try again...now with the link!! :-))

    http://www.tensons.com/products/websiterippercopier/

    ReplyDelete
  15. Just got a Ripper 0 hit from United States Navy Network Information Center (nnic), San Diego, California. I did some searching on Google to find out more and ended up here. From what I've read I'll grant that the Ripper 0 is likely harmless (web caching, mobile phones, etc), but I did find it odd to see that you have a left leaning blog... I happen to have a blog of similar orientation (focusing on politics and art, mostly), and now I'm curious if anyone knows if these Rippers are hitting a wide range of things or just blogs of a certain stripe...

    ReplyDelete
  16. Well Hec, I don't want to spread paranoia but I've had a number of "Rippers" visits from US Naval and US Army intelligence and other similar organizations. I also get a routine smattering of attention from their Canadian equivalents.

    ReplyDelete
  17. We're likely fairly far apart ideologically, Hectocotylus, I'm from the other end of the political spectrum, as is my blog (I'm basing this on the limited information I see from a quick visit, mind you). I got a Rippers 0 hit from homeland security the other day, and have seen it used by a few other companies as well.

    I don't think they're focusing on blogs of similar stripe. Come on by and see what I mean...

    ReplyDelete
  18. i write a decorating blog, and i was visited by rippers 0 so i don't think they are tracking political blogs (though i am fairly prolifically politically active elsewhere).

    i was visited twice on wednesday morning 2 hours apart- one said from miami-dade county servers and the other from from a company that went out of business several years ago, national-city.com. the visit from a long defunct company seems unusual, so heck, maybe it is intelligence gathering! looking for decorating tips?

    something is up with this, but what?

    ReplyDelete
  19. All I can tell you M21 is that I still get repeated visits from US Army & US Navy intelligence outfits using Rippers. I've stopped monitoring it but I did notice a Rippers0 hit earlier this week from the US State Department.

    ReplyDelete
  20. You piqued my curiosity M21 so I just took a peak at my stats. Three Rippers hits. One from some metropolitan borough council in Birmingham, England. The other two were from Lockheed Martin in Texas. I suppose those had something to do with my ongoing critiques of their flying boondoggle, the F-35 Joint Strike Fighter.

    ReplyDelete
  21. The page viewers are users (not some secretive organisations)of internet services at the location they are at. When they load a webpage, instead of the usual direct loading, the page is cached and checked for malicious codes first, before being loaded at the viewer's screen. The Ripper most probably is some new kind of implementation of cache server antivirus. Trackers would need sometime to correctly identify them. Website rippers will rip chunks or the whole of your website. If it doesn't, most probably is just some innocent users visiting your website.

    ReplyDelete
  22. Hi Bear and thanks. The only thing is that, when I bother to check and find a Rippers hit, I follow it up and quite often find it's either US Navy or US Army intelligence. About half the Rippers hits are corporations but the other half has included the FBI and the CIA. Why, I can't begin to imagine. There's nothing remotely subversive or conspiratorial in what I write.

    ReplyDelete
  23. I got visited at my wood pen making website today by a Ripper O and the origin IP was eBay!

    ReplyDelete
  24. I got a ripper 0 hit from the IRS. They have visited my site twice without a ripper in the last 2 weeks. I think its a site download, thats my personal opinion.

    ReplyDelete
  25. I had a visit from US Department of Homeland Security with this browser and JS turned off.

    My site is hardly a hot bed of anarchy... if I find out more will let you know...

    ReplyDelete
  26. I got my first Rippers 0 hit today from someone in Cummings, Georgia, HCA Hospital Corporation of America. A minute after that hit, the same IP address visited my blog again, only this time it was listed as using the browser IE. 7.0. I've received about 3 other hits from this same IP address in the last month, but this was the first time the browser was identified as Rippers 0.

    ReplyDelete
  27. I had a ripper 0 visit my site and stayed nearly two hours! what is my site about? Nuns veils and habits !!!!!!

    ReplyDelete
  28. Kinda strange, I just went to my statcounter stats and have found this ripper being used by a Atlanta, Georgia, United States
    The Coca-cola Company (161.162.87.81 - 161.162.87.84) I have never seen this before but I am somehow sure it will not be the last time I see this browser snooping around my sites.... looks like an X-file...

    ReplyDelete
  29. Today I make a change of my website layout, little tweak to make more adsenseable and right after that some Ripper Browser visit my site. DAMN, I don't know what will happen next

    have you ever got bad experience after that shit browser explore your site?

    ReplyDelete
  30. I had ripper 0 visit my site today. It was listed as Hewlett Packard.(US based ip). It shows that they came to my site without any referring link.......the x-files continue!

    ReplyDelete
  31. On May 12th 2011 I got a ribber O visit reported by statcounter as follows:

    "Canberra, Australian Capital Territory, Australia
    Australian Department Of Defence (203.10.224.93) [Label IP Address]"

    Then on May 16th Google visited my site and discovered malisious software had been uploaded to my site as follows:

    "Site is listed as suspicious - visiting this web site may harm your computer.

    Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

    What happened when Google visited this site?

    Of the 9 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-05-16, and the last time suspicious content was found on this site was on 2011-05-16.

    Malicious software is hosted on 1 domain(s), including imgaaa.net/.

    This site was hosted on 1 network(s) including AS26496 (PAH).

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, resortinterviews.com did not appear to function as an intermediary for the infection of any sites.

    Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days."

    The site is www.resortinterviews.com

    It is not a political site however I have been doing a lot of work to support Wikileaks over the last six months including many donations and polital pressure on the Australian government via letters and emails.

    My site has a too simple password so I guess I'm paying the price.

    ReplyDelete
  32. Number one on Google Search. Not bad.

    ReplyDelete
  33. This comment has been removed by a blog administrator.

    ReplyDelete
  34. RIPPERS, who are you????

    ReplyDelete
  35. It's curious that this post has been up since September 2010 and no one has been able to come up with specific information on Rippers 0. All we find is background on users - mainly defence and intelligence agencies - but nothing about the origin of this supposed browser. Of late most of the hits I've noticed come from Lockheed Martin and USN intelligence.

    ReplyDelete
  36. @moundofsound:

    Yep, information about Rippers0 is non existent. A colleague of mine has it 'following' him... whenever he visits one of my sites (from his private home connection), my stat counters show his IP address twice - one saying explorer, then straight underneath an entry for Rippers0.

    P.

    ReplyDelete
  37. Sorry I can't contribute to an answer, just another blogger reporting weird activity.

    I just had a visit from a ripper from Lockheed Martin on my website. I discovered it by clicking on the js blocked stat, something I rarely do, so no idea how long these rippers have been on my site.

    My website is about self-reliance with a bit of prepper stuff. Maybe not too subversive, but when you are not quite in the sytem doing what good citizens are supposed to do, you may be of interest to them.

    If you are saying or doing anything outside your blog, it may still lead back to it. I tweeted back in March about Lockheed running the UK census, together with a link to a campaign against their involvement. It is quite feasable, even likely, that they scour the web for their name, then follow links. There is, of course, a link back to my website. After all, survailance is one of their games.

    ReplyDelete
  38. Hello Judy. I visited your intriguing web site. I'm a fairly outspoken critic of their F-35 Joint Strike Fighter programme which, I suppose, they may find objectionable. The connection to the UK census is interesting if that is what motivated their Rippers visit.

    Good luck, and thanks for your input.

    ReplyDelete
  39. i had 33 hits today from the department of homeland security, no referring link, with rippers being listed as the browser. WHAAAAT. i write a fashion and music blog! i post photos of my outfits! why on earth would my blog be placed under surveillance?!

    ReplyDelete
  40. Hi Meagan. Wow, you win the cigar - hands down. I took a minute to look through your blog and I cannot begin to imagine what DHS would find of interest unless they're secretly into fashion and music.

    ReplyDelete
  41. I got a Ripper hit on my website followed by an IE hit from Navy Network System. I wonder if it has to do with the fact that I have used the Tors network to mask my IP on several art forums. Last week Tors routed through the Chaos Computer Club in Germany. If it's the Feds, they probably think I am doing something a lot more fishy than I really am.

    ReplyDelete
  42. Rippers 0 from NNIC hit my blog 20 times yesterday. Total hits from Rippers0 and IE7.0 combined was 47. There was an initial tickle (2 hits) on Nov 2 at 3 p.m., and then a 30-minute session (the 47 hits) on Nov 3 starting around 7:10 a.m.

    They appeared to be mostly interested in what I had to say about DraftSight, a free CAD package (no, I'm not shilling here, I promise), but they took copies of everything.

    I don't think this is Naval Intelligence, more like their IT servers.

    ReplyDelete
  43. Do not be alarmed. Rippers 0 is an employee web-monitoring utility used by large corporations and governments to monitor employees' internet activity. The employee is only checking out your website while our spiders follow links on the page to see any potential risk before they click on it.

    Thanks for mentioning our services and have a great day.

    ReplyDelete
  44. Rippers is used by the government and various large corporations. The software downloads a copy of the web page and then displays that copy to the terminal user. Sort of like thin client network. This way the user doesn't get viruses and malicious code from the web site. No body is tracking you, it's just one of the ways the government keeps themselves from getting hacked/malware/viruses. You can simulate the same by visiting http://www.archive.org/web/web.php and typing in a web page that you frequent. Go back a few years and the webpage you will see is a cached page, not the actual web page.

    ReplyDelete
  45. This comment has been removed by a blog administrator.

    ReplyDelete
  46. Interesting stuff. What caught my attention is the visitor came to my main site for my SEO services - www.htbwmedia.com from the us department of Homeland Security. I know I have ALOT of search engine optimized niche specific content on various subjects out there, but none of which, to my knowledge, is any sort of threat to us national security. I'm thinking they are simply scouring the Web for little tidbits of information. I need to do some cross-referencing across all of my SEO Optimized sites making reference to www.htbwmedia.com and my SEO services. Not that I think SEO is on the target of Homeland but it would be interesting to see if I could find the original keyword search query that directed the search engine to my simple SEO services website in the first place. Yes, I guess I did use alot of keywords in my comment, but at least my content is legitimate and relevant to the content. So did any other readers notice any interesting visitor ip addresses using ripper?

    ReplyDelete