Yourenhancement, Adtegrity, Right Media Exchange, and AdOn Network (MyGeek) Promoting GrindTV
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how Yourenhancement spyware displayed the Grindtv site in testing of April 29, 2007. Additional discussion.

 

Screenshot

On a PC with Yourenhancement spyware installed (without my consent), I browsed the web. I received the full-screen popup shown below. The popup covered the Start Menu, Taskbar, and System Tray -- preventing me from easily switching to another program.

 

Packet Log

The Yourenhancement pop-up is unlabeled, without any indication of what spyware caused it to appear. But the packets copied below show the sequence of traffic that led to this display. Traffic started at the 63.123.224.168 ad server (yellow), using a distinctive "/mbop" URL form associated with Yourenhancement spyware. (In addition, this IP address falls within the same Class C (/24) address range as the Yourenhancement.com web server, further confirming the link.) Traffic then flowed to Adtegrity (green), to the Right Media Exchange (blue), to AdOn Network (MyGeek) (cpvfeed.com) (purple) and finally to Grindtv (red).

The packet log also shows forced visits to sites other than GrindTV. Grey highlighting marks four 1x1 pixel IFRAMEs -- further inflating the traffic counts of other partner sites, including Vindie.com and Yourstashbox.com.

GET /mbop/display.php3?aid=19&uid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: 63.123.224.168
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Sun, 29 Apr 2007 20:30:26 GMT
Server: Apache/2.0.54 (Unix) PHP/5.0.5
X-Powered-By: PHP/5.0.5
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 29 Apr 2007 20:30:26 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 1284
Keep-Alive: timeout=1, max=20
Connection: Keep-Alive
Content-Type: text/html

::update user set LastAd='2007-4-29 16:30', LastAdDate=CurDate() where uid=...
<!-- BEGIN STANDARD TAG - popup or popunder - Seed Corn Advertising: adnetwork - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://content.adtegrity.net/rmtag3.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.adtegrity.net";
var rm_section_id = 4670;
var rm_banned_pop_types = 28;
var rm_pop_times = 1;
var rm_pop_frequency = 86400;

rmShowPop();
</SCRIPT>
<!-- END TAG -->

<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>

<!--- start of focusIN code --->
<script language="JavaScript">
<!--
var now = new Date();
var uaid = now.getTime() % Math.floor(8640000 - Math.random()*1000);
document.write('<scr'+'ipt src="http://focusin.ads.targetnet.com//ad/id=tag123&opt=hpj&urlid=1&cv=210&uid=' + uaid + '"></scr'+'ipt>');
//-->
</script>
<!------------ end of focusIN code ------------>

<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>

 

GET /imp?z=0&Z=0x0&s=4670&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D19%26uid%3D...&r=1&y=28 HTTP/1.1
Accept: */*
Referer: http://63.123.224.168/mbop/display.php3?aid=19&uid=...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.adtegrity.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:24:29 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=0&Z=0x0&s=4670&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D19%26uid%3D...&r=1&y=28
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:24:29 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /imp?z=0&Z=0x0&s=4670&u=http%3A%2F%2F63.123.224.168%2Fmbop%2Fdisplay.php3%3Faid%3D19%26uid%3D...&r=1&y=28 HTTP/1.1
Accept: */*
Referer: http://63.123.224.168/mbop/display.php3?aid=19&uid=...
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 OK
Date: Sun, 29 Apr 2007 22:24:29 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:24:29 GMT
Pragma: no-cache
Content-Length: 6092
Content-Type: application/x-javascript
Connection: close

...
var pop = fStart('http://ad.adtegrity.net/iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwACAAMBEwAAR7QAAG9cAgAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZm5vA.ZmZmZmbm8D8AAAAAAAD6PwAAAAAAAPo.AAAAAAAABEAAAAAAAAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyY-g453.fQJdTLLC.5FxrvhQi4h9XXF6Io-seQAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=19&uid=...','','height='+screen.height+',width='+screen.width+',left=0,top=0,toolbar=1,status=0,menubar=0,scrollbars=1,resizable=0,location=0');
pop.blur();
window.focus();

 

GET /iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwACAAMBEwAAR7QAAG9cAgAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZm5vA.ZmZmZmbm8D8AAAAAAAD6PwAAAAAAAPo.AAAAAAAABEAAAAAAAAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyY-g453.fQJdTLLC.5FxrvhQi4h9XXF6Io-seQAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=19&uid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.adtegrity.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:24:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwACAAMBEwAAR7QAAG9cAgAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZm5vA.ZmZmZmbm8D8AAAAAAAD6PwAAAAAAAPo.AAAAAAAABEAAAAAAAAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyY-g453.fQJdTLLC.5FxrvhQi4h9XXF6Io-seQAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=19&uid=...
Cache-Control: no-store
Last-Modified: Sun, 01 May 2007 00:00:00 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /iframe3?AAAAAD4SAADV5AMAtnIBAAIADAAAAP8AAAABEwACAAMBEwAAR7QAAG9cAgAAAAAAAAAAAAAAAAAAAAAAAAAAAGZmZmZm5vA.ZmZmZmbm8D8AAAAAAAD6PwAAAAAAAPo.AAAAAAAABEAAAAAAAAAEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyY-g453.fQJdTLLC.5FxrvhQi4h9XXF6Io-seQAAAAA=,,http://63.123.224.168/mbop/display.php3?aid=19&uid=... HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Found
Date: Sun, 29 Apr 2007 22:24:42 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Location: http://campaign.cpvfeed.com/cpvcampaign.jsp?p=110459&campaign=Mortgage&aid=522&partnerMin=.0047&ron=OFF&ranNum=&default=http%3A%2F%2Fcampaign.cpvfeed.com%2Fcpvcampaign.jsp%3Fp%3D110459%26campaign%3DMortgage%26aid%3D822%26partnerMin%3D.0038%26ron%3DOFF%26ranNum%3D%26default%3Dhttp%253A%252F%252Fpublishers.clickbooth.com%252Fsw%252F15213%252FCD7981%252F
Cache-Control: no-store
Last-Modified: Sun, 29 Apr 2007 22:24:42 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /cpv.jsp?p=110459&aid=522&partnerMin=0.0047&ron=OFF&ronMin=0.0&url=&context=equity%20loan,mortgage%20application,goapply.com,california%20mortgage,mortgageexpo.com,getsmart.com,eloan.com,refinancing%20mortgage,e-lends.com,mortgage.com,refinance%20mortgage,online%20mortgage,lendersinteractive.com,washington%20mortgage,lendingtree.com,florida%20mortgage,loan%20calculator,mortgage%20financing,mortgage,commercial%20mortgage,mortgage%20loan,Mortgage&default=http%3A%2F%2Fcampaign.cpvfeed.com%2Fcpvcampaign.jsp%3Fp%3D110459%26campaign%3DMortgage%26aid%3D822%26partnerMin%3D.0038%26ron%3DOFF%26ranNum%3D%26default%3Dhttp%253A%252F%252Fpublishers.clickbooth.com%252Fsw%252F15213%252FCD7981%252F HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ZangoToolbar 4.8.3)
Connection: Keep-Alive
Host: url.cpvfeed.com
Cookie: mgFreq=F|1|145300|1177885063219; mgData=B|2|K|232ykibweis|1180477063219; myGeekConv=558929|110495|65.96.161.192|121kwunique|24636147|1177885063219; mgUser=1|5bfff837cf1a431fa0ba92515cd05a43|65.96.161.192|1177885063219

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV INT STA"
Set-Cookie: ...
Location: http://www.grindtv.com/p/hs444/mygeek/
Content-Type: text/html
Content-Length: 0
Date: Sun, 29 Apr 2007 22:24:41 GMT
Connection: close
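The hop chain the packet log above documents (each request's Host, then each 302 Location target) and the hidden 1x1 IFRAMEs can be pulled out mechanically. The script below is an added example, not part of Ben Edelman's page; it runs over a constructed, trimmed copy of the log above and also flags the "/mbop" URL form the text associates with Yourenhancement.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the packet log above, trimmed to the lines the analysis needs.
SAMPLE_LOG = """GET /mbop/display.php3?aid=19&uid=... HTTP/1.1
Host: 63.123.224.168

HTTP/1.1 200 OK

<iframe src="http://www.vindie.com/enter.html" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://www.yourstashbox.com/" width="1" height="1" frameborder="0"></iframe>

GET /imp?s=4670 HTTP/1.1
Host: ad.adtegrity.net

HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?s=4670

GET /cpv.jsp?p=110459 HTTP/1.1
Host: url.cpvfeed.com

HTTP/1.1 302 Moved Temporarily
Location: http://www.grindtv.com/p/hs444/mygeek/"""
# A message starts at a request line or a status line; its headers end at the first blank line.
MSG_START = re.compile(r"(?m)^(?=(?:GET|POST) \S+ HTTP/|HTTP/\d)")
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def hidden_iframes(html):  # src of every 1x1 IFRAME: a forced visit the user never sees
    tags = ({k.lower(): v for k, v in ATTR.findall(t)} for t in IFRAME.findall(html))
    return [a["src"] for a in tags if a.get("width") == "1" and a.get("height") == "1" and "src" in a]

def analyze(log):  # hop chain (request Host, then each Location target), hidden IFRAMEs, /mbop requests
    chain, iframes, mbop = [], [], []
    def push(host):                          # record a hop unless it repeats the previous one
        if host and (not chain or chain[-1] != host):
            chain.append(host)
    for chunk in filter(str.strip, MSG_START.split(log)):
        head, _, body = chunk.partition("\n\n")
        start, *lines = head.splitlines()
        hdr = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines)}
        if start.startswith("HTTP/"):                        # response: follow the redirect
            push(urlparse(hdr.get("location", "")).hostname)
            iframes += hidden_iframes(body)
        else:                                                # request
            path, host = start.split()[1], hdr.get("host", "?")
            if path.startswith("/mbop/"):                    # URL form tied to Yourenhancement
                mbop.append(host + path)
            push(host)
    return {"chain": chain, "hidden_iframes": iframes, "mbop_requests": mbop}
```

Run against a full capture, the chain list is the sequence of parties (spyware ad server, ad network, exchange, CPV feed, destination site) that a traffic-count audit would need to explain.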