Yourenhancement, Adtegrity, Right Media Exchange, and AdOn Network (MyGeek) Promoting Broadcaster.com
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how Yourenhancement spyware displayed the Grindtv site in testing of April 29, 2007. Additional discussion.

 

Screenshot

On a PC with Yourenhancement spyware installed (without my consent), I browsed the web. I received the popup shown below.

Packet Log

The Yourenhancement pop-up is unlabeled, without any indication of what spyware caused it to appear. But the packets copied below show the sequence of traffic that led to this display. Traffic started at the 63.123.224.168 ad server (yellow), using a distinctive "/mbop" URL form associated with Yourenhancement spyware. (In addition, this IP address falls within the same Class C (/24) address range as the Yourenhancement.com web server, further confirming the link.) Traffic then flowed to Adtegrity (green), to the Right Media Exchange (blue), to AdOn Network (MyGeek) (cpvfeed.com) (purple) and finally to Broadcaster.com (red).

The packet log also indicates forced visits to sites other than GrindTV. Grey highlighting marks six 1x1 pixel IFRAMEs, which further inflate the traffic counts of other partner sites, including Vindie.com and Yourstashbox.com.

The packet log also includes an explicit admission that the display of Broadcaster.com was untargeted. Notice the comment tag describing the traffic as "ROS" -- meaning "run of site" advertising, i.e. advertising to be shown without regard for specific context or targeting.

GET /mbop/display.php3?aid=18&uid=... HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: 63.123.224.168
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Sun, 29 Apr 2007 20:23:39 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
X-Powered-By: PHP/5.0.5
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 29 Apr 2007 20:23:39 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1975
Keep-Alive: timeout=1, max=20
Connection: Keep-Alive
Content-Type: text/html

::update user set LastAd='2007-4-29 16:23', LastAdDate=CurDate() where uid=...

<!-- BEGIN STANDARD TAG - popup or popunder - Seed Corn 2: SeedCorn2 - ROS - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://content.adtegrity.net/rmtag3.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.adtegrity.net";
var rm_section_id = 113743;
var rm_banned_pop_types = 28;
var rm_pop_times = 1;
var rm_pop_frequency = 86400;

rmShowPop();
</SCRIPT>
<!-- END TAG -->

<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>

<!-- BEGIN: AdSolution-Tag 4.3: Global-Code [PLACE IN HTML-HEAD-AREA!] -->
<script type="text/javascript" language="javascript"
src="http://a.as-eu.falkag.net/dat/dlv/aslmain.js"></script>
<!-- END: AdSolution-Tag 4.3: Global-Code -->
<!-- BEGIN: AdSolution-Website-Tag 4.3 : US-hostedmedia2.com / US-hostedmedia2.com-
PopDyn -->
<script language="javascript" type="text/javascript">
Ads_kid=0;Ads_bid=0;Ads_xl=0;Ads_yl=0;Ads_xp='';Ads_yp='';Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_par='';Ads_cnturl='';
</script>
<script type="text/javascript" language="javascript"
src="http://a.as-eu.falkag.net/dat/cjf/00/75/63/04.js"></script>
<noscript>
<a href="http://sel.as-eu.falkag.net/sel?cmd=lnk&dat=756304&opt=0&rdm=[timestamp]"
target="_blank"><img
src="http://sel.as-eu.falkag.net/sel?cmd=ban&dat=756304&opt=0&rdm=[timestamp]"
alt="Please click here." border="0"></a>
</noscript>

<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>

 

 

GET /imp?z=0&Z=0x0&s=113743&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D18%26uid%3D...&r=1&y=28 HTTP/1.1
Accept: */*
Referer: http://63.123.224.168/mbop/display.php3?aid=18&uid=...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.adtegrity.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:17:41 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=113743&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D18%26uid%3D...&r=1&y=28
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:17:41 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /imp?z=0&Z=0x0&s=113743&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D18%26uid%3D...&r=1&y=28 HTTP/1.1
Accept: */*
Referer: http://63.123.224.168/mbop/display.php3?aid=18&uid=...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Sun, 29 Apr 2007 22:17:41 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:17:41 GMT
Pragma: no-cache
Content-Length: 6077
Content-Type: application/x-javascript
Connection: close

...
var l = (screen.width - 720) / 2;
var t = (screen.height - 300) / 2;
var pop = fStart('http://ad.adtegrity.net/iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwACAAMBEwAAR7QAAEjgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAClcj8L1qPc.KVyPwvWo9z8zMzMzMzMCQDMzMzMzMwJAAAAAAAAADEAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvEKG-AX-fQLKYFyI9Y6ymL1.rKC6WUB-KfQXCwAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=18&uid=...','','height=300,width=720,left='+l+',top='+t+',toolbar=0,status=0,menubar=0,scrollbars=1,resizable=1,location=0');
pop.blur();
window.focus();

 

GET /iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwACAAMBEwAAR7QAAEjgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAClcj8L1qPc.KVyPwvWo9z8zMzMzMzMCQDMzMzMzMwJAAAAAAAAADEAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvEKG-AX-fQLKYFyI9Y6ymL1.rKC6WUB-KfQXCwAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=18&uid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.adtegrity.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:17:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwACAAMBEwAAR7QAAEjgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAClcj8L1qPc.KVyPwvWo9z8zMzMzMzMCQDMzMzMzMwJAAAAAAAAADEAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvEKG-AX-fQLKYFyI9Y6ymL1.rKC6WUB-KfQXCwAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=18&uid=...
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:17:42 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /iframe3?AAAAAE-8AQBJ6wQARMcBAAIACAAAAP8AAAABEwACAAMBEwAAR7QAAEjgAgAAAAAAAAAAAAAAAAAAAAAAAAAAAClcj8L1qPc.KVyPwvWo9z8zMzMzMzMCQDMzMzMzMwJAAAAAAAAADEAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvEKG-AX-fQLKYFyI9Y6ymL1.rKC6WUB-KfQXCwAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=18&uid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:17:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Location: http://campaign.cpvfeed.com/cpvcampaign.jsp?p=110495&campaign=121kwunique&aid=501&partnerMin=.0036&ron=OFF&ranNum=&default=http%3A%2F%2Fwww.lynxtrack.com%2Fafclick.php%3Fo%3D1295%26b%3Dsz5db29g%26p%3D2527%26l%3D1%26s%3DSEARCHTEXT110368
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:17:42 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /cpvcampaign.jsp?p=110495&campaign=121kwunique&aid=501&partnerMin=.0036&ron=OFF&ranNum=&default=http%3A%2F%2Fwww.lynxtrack.com%2Fafclick.php%3Fo%3D1295%26b%3Dsz5db29g%26p%3D2527%26l%3D1%26s%3DSEARCHTEXT110368 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Connection: Keep-Alive
Host: campaign.cpvfeed.com

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:17:42 GMT
Server: Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7i ApacheJServ/1.1.2
Set-Cookie: ...
Location: http://url.cpvfeed.com/cpv.jsp?p=110495&aid=501&partnerMin=0.0036&ron=OFF&ronMin=0.0&url=&context=121kwunique,121kwunique&default=http%3A%2F%2Fwww.lynxtrack.com%2Fafclick.php%3Fo%3D1295%26b%3Dsz5db29g%26p%3D2527%26l%3D1%26s%3DSEARCHTEXT110368
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://url.cpvfeed.com/cpv.jsp?p=110495&amp;aid=501&amp;partnerMin=0.0036&amp;ron=OFF&amp;ronMin=0.0&amp;url=&amp;context=121kwunique,121kwunique&amp;default=http%3A%2F%2Fwww.lynxtrack.com%2Fafclick.php%3Fo%3D1295%26b%3Dsz5db29g%26p%3D2527%26l%3D1%26s%3DSEARCHTEXT110368">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.34 Server at ws27.mygeek.com Port 443</ADDRESS>
</BODY></HTML>

 

GET /cpv.jsp?p=110495&aid=501&partnerMin=0.0036&ron=OFF&ronMin=0.0&url=&context=121kwunique,121kwunique&default=http%3A%2F%2Fwww.lynxtrack.com%2Fafclick.php%3Fo%3D1295%26b%3Dsz5db29g%26p%3D2527%26l%3D1%26s%3DSEARCHTEXT110368 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Connection: Keep-Alive
Host: url.cpvfeed.com

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV INT STA"
Set-Cookie: ...
Location: http://www.broadcaster.com/tms/video/index.php?show=trated&bcsrtkr=a85d2&utm_campaign=Traffic&utm_source=Adon&utm_medium=popunder
Content-Type: text/html
Content-Length: 0
Date: Sun, 29 Apr 2007 22:17:42 GMT
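
The two observations drawn from this log, the order of hosts the traffic passed through and the 1x1 pixel IFRAMEs, can be extracted from a capture mechanically. The following is an added example, not part of the original page: SAMPLE_LOG is a constructed, abbreviated log in the same shape as the capture above, and hop_chain, PixelFrames and hidden_iframes are hypothetical helper names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, abbreviated sample in the shape of the capture; helper names are hypothetical.
SAMPLE_LOG = """\
GET /mbop/display.php3?aid=18&uid=... HTTP/1.1
Host: 63.123.224.168

HTTP/1.1 200 OK

<!-- BEGIN STANDARD TAG - popup or popunder - ROS - DO NOT MODIFY -->
<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>

GET /imp?s=113743 HTTP/1.1
Host: ad.adtegrity.net

HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?s=113743

GET /imp?s=113743 HTTP/1.1
Host: ad.yieldmanager.com

HTTP/1.1 302 Found
Location: http://campaign.cpvfeed.com/cpvcampaign.jsp?p=110495
"""

def hop_chain(log):
    """Hosts in the order traffic reached them, from Host: and Location: headers."""
    chain = []
    for name, value in re.findall(r"^(Host|Location):[ \t]*(\S+)", log, re.M):
        host = value if name == "Host" else urlsplit(value).hostname
        if host and (not chain or chain[-1] != host):  # collapse repeats of one hop
            chain.append(host)
    return chain

class PixelFrames(HTMLParser):
    """Collects the src of every IFRAME declared at most 1x1 pixel."""
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.srcs.append(a.get("src"))

def hidden_iframes(log):
    parser = PixelFrames()
    parser.srcs = []
    parser.feed(log)
    return parser.srcs
```

Run over a full capture, hop_chain gives the sequence of ad servers to compare against the expected intermediaries, and hidden_iframes lists every site receiving an invisible forced visit.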