WebBuying Promoting Diet.com

WebBuying Promoting Diet.com
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how WebBuying spyware displayed Rootv's site in testing of April 23, 2007. Additional discussion.

Screenshot

On a PC with WebBuying spyware installed, I browsed the web. I received the full-screen popup shown below. See also a video archive of what appeared.

The popup covered the Start Menu, Taskbar, and System Tray -- preventing me from easily switching to another program. The popup also appeared substantially unlabeled -- with a small Web Buying caption at ad bottom, but with the caption's letters substantially off-screen.

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from WebBuying (yellow) directly to Diet.com (green).

The packet log also includes explicit instructionas to the height and width of the pop-up: height=608, width=808 (blue). When viewed on a PC with a 800x600 pixel screen, the bottom of this pop-up wil inevitably appear off-screen, exactly as shown above. This and other WebBuying/Web Nexus ads consistently appear in this same layout on multiple of my test PCs -- suggesting that WebBuying intends its pop-ups' labeling to be substantially unreadable, and that WebBuying intends that its pop-ups cover the Start Menu and Taskbar.

POST /e/check.php?cid=13352451&lid=327&cc=US&u=aHR0cDovL3d3dy5maW5pc2hsaW5lLmNvbS8=&se= HTTP/1.1
Accept: text/*, application/*, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: wb v1.6.8
Host: c.webbuying.net
Content-Length: 60
Cache-Control: no-cache

tp=10070,10011,9928,10010,9973,9644,8028,9967,10034&ntp=9087

HTTP/1.1 200 OK
Date: Tue, 24 Apr 2007 00:03:23 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Pragma: no-cache
Cache-Control: private, max-age=18000
Expires: Tue, 24 Apr 2007 05:03:23 GMT
Content-Length: 264
Connection: close
Content-Type: text/plain; charset=UTF-8

url=http://s.webbuying.net/e/sp.php/6+rv6uaSiObv7uvm7e_v6e7o6e3m6erk
type=1
show=0
size=0
style=0
height=608
width=808
title=Diet.com | Love your body
pid=7636
scroll=0
validity=72
logo_height=17
logo_url=http://www.webbuying.net/webbuying.htm
pos=0

GET /e/sp.php/6+rv6uaSiObv7uvm7e_v6e7o6e3m6erk HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: s.webbuying.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 24 Apr 2007 00:03:49 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Pragma: no-cache
Cache-Control: private, max-age=18000
Location: http://www.diet.com/tracking/index.php?id=1052
Expires: Tue, 24 Apr 2007 05:03:49 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8