Web Nexus Promoting Orbitz's Away.com
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how Web Nexus spyware displayed Orbitz's Away.com site in testing of April 29, 2007. Additional discussion.

 

Screenshot

On a PC with Web Nexus spyware installed (without my consent), I browsed the web. I received the full-screen popup shown below.

The popup covered the Start Menu, Taskbar, and System Tray -- preventing me from easily switching to another program. The popup also appeared substantially unlabeled -- with a small Web Nexus caption at the bottom of the ad, but with the caption's letters more than half off-screen.

Notice also the Verizon ad at page top. Additional discussion.

 

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from Web Nexus (yellow) directly to Away.com (green). Although Web Nexus selected an ad specifically about DC hotels, I had done nothing whatsoever to indicate any interest in DC, hotels, or even travel in general.

The packet log also includes explicit instructions as to the height and width of the pop-up: height=608, width=808 (blue). When viewed on a PC with an 800x600 pixel screen, the bottom of this pop-up will inevitably appear off-screen, exactly as shown above. This and other Web Nexus ads consistently appear in this same layout on multiple of my test PCs -- suggesting that Web Nexus intends its pop-ups' labeling to be substantially unreadable.

GET /cp.php?loc=295&cid=9951709&u=bmV0ZmxpeC5jb20v&en=&pt=3&app_src=installer&app_run=unknown&crc=EDD26B3DE9E88A2B&cc=US&dp=YnA9NDc7c3A9MTk7Y3BjPTk1ODU7Y3ByPTQ5O25icj0xNztmaD0xOQ==&lp=0 HTTP/1.1
Accept: text/*, application/*, */*
QoolShown-Popups: 9928,9977,7409,9992,9894,9887
QoolShown-Popups-nt: 8046,10091,10085,9603,7938
User-Agent: z_v5.2.7
Host: stech.web-nexus.net
Cache-Control: no-cache

HTTP/1.1 200 OK
Date: Sun, 29 Apr 2007 22:40:10 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Pragma: no-cache
Cache-Control: private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=UTF-8

url=http://stech.web-nexus.net/sp.php/9905/28779/295/9951709/527/
type=0
show=0
size=0
style=0
height=608
width=808

title=Away.com
pid=9905
scroll=0
validity=24
traka_height=18
traka_url=http://stech.web-nexus.net/lm.html
pos=0

 

GET /sp.php/9905/28779/295/9951709/527/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: stech.web-nexus.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:40:12 GMT
Server: Apache
Accept-Ranges: bytes
X-Powered-By: PHP/4.3.2
Pragma: no-cache
Cache-Control: private
Location: http://travel.away.com/District-of-Columbia/travel-sc-hotels-1963-District-of-Columbia.html?utm_source=WC&utm_medium=ppv&utm_content=DC&utm_campaign=WC%2BHotels%2BK
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
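
The following is an added example, not part of the original page or of any Web Nexus code: a short Python script an analyst could run over the capture above to Base64-decode the u and dp query values, parse the key=value response, list the redirect hosts, and compute how far the requested window exceeds a given screen. The function names are hypothetical, and the script assigns no meaning to the decoded fields, which the page does not document.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Copied from the packet log on this page: the first request line, an excerpt
# of the cp.php response body, and the 302 Location (query string shortened).
REQUEST_LINE = (
    "GET /cp.php?loc=295&cid=9951709&u=bmV0ZmxpeC5jb20v&en=&pt=3"
    "&app_src=installer&app_run=unknown&crc=EDD26B3DE9E88A2B&cc=US"
    "&dp=YnA9NDc7c3A9MTk7Y3BjPTk1ODU7Y3ByPTQ5O25icj0xNztmaD0xOQ==&lp=0 HTTP/1.1")
RESPONSE_BODY = """url=http://stech.web-nexus.net/sp.php/9905/28779/295/9951709/527/
height=608
width=808

title=Away.com
traka_height=18
"""
LOCATION = ("http://travel.away.com/District-of-Columbia/"
            "travel-sc-hotels-1963-District-of-Columbia.html?utm_source=WC&utm_medium=ppv")

# All function names below are hypothetical helpers written for this example.
def decode_params(request_line, names=("u", "dp")):
    """Base64-decode the named query parameters of an HTTP request line."""
    target = request_line.split()[1]              # "GET <target> HTTP/1.1"
    query = parse_qs(urlsplit(target).query)      # splits each pair on the first "="
    return {n: base64.b64decode(query[n][0]).decode("ascii")
            for n in names if n in query}

def parse_directives(body):
    """Parse key=value lines of the response body, skipping blank lines."""
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def overflow(directives, screen_w, screen_h):
    """Minimum pixels (width, height) of the window that cannot fit on-screen."""
    return (max(0, int(directives["width"]) - screen_w),
            max(0, int(directives["height"]) - screen_h))

def redirect_hosts(directives, location):
    """Hosts in order: the url= directive, then the target of its 302."""
    return [urlsplit(directives["url"]).hostname, urlsplit(location).hostname]

if __name__ == "__main__":
    d = parse_directives(RESPONSE_BODY)
    print("decoded params:", decode_params(REQUEST_LINE))
    print("redirect hosts:", redirect_hosts(d, LOCATION))
    print("overflow on 800x600:", overflow(d, 800, 600))
```

Wherever the window is placed, the overflow figure is a lower bound on what falls off-screen, since a 608-pixel-tall window cannot fit within 600 pixels.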