Direct Revenue Showing MorpheusOfPorn, Unrequested
Spyware Showing Unrequested Sexually-Explicit Images - Ben Edelman

This page gives a screenshot and packet log reporting a Direct Revenue ad display on June 15, 2006. Additional discussion.


Screenshots

On a massively infected test PC, I browsed True.com. I received the popup shown below, served to me by unknown spyware which sent traffic to the YieldManager ad network. Notice that the AdultFriendFinder site includes no sexually-explicit images, but rather only a disclosure and associated links.

[Screenshot: the AdultFriendFinder popup, showing only a disclosure and associated links]

Observing that I was at AdultFriendFinder.com, Direct Revenue served the popup shown below. The screenshot has been edited to cover sexually-explicit areas.

[Screenshot: the MorpheusOfPorn popup served by Direct Revenue, with sexually-explicit areas covered]

Packet Log

Packet log analysis indicates that unknown spyware on my test PC sent traffic to YieldManager (the first request below, to ad.yieldmanager.com), which sent me to AdultFriendFinder (the Location header in YieldManager's response). In extended investigation, I have been unable to determine what spyware caused this traffic.

Direct Revenue spyware (using its btgrab.com and offeroptimizer.com controlling servers, the second and third exchanges below) observed that I was at AdultFriendFinder (the adcontext parameter sent to btgrab.com and the urlContext and domainContext values sent to offeroptimizer.com), and instructed my PC to display the MorpheusOfPorn site (the url assigned in the script returned by offeroptimizer.com).

GET /imp?z=0&s=44850&t=3&y=23&w=800&h=600 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; knst; knst2008)
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: ...

Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Location: http://www.adultfriendfinder.com/search/ p263736 &show=f&age=18-35&ip=auto
Cache-Control: no-store
Content-Length: 0


GET /a/Drk.syn?bho=aurora.exe&InstID={BF0510AC-F78C-4051-8503-...}&DistID=143|1|0|0|THIN-143-1-X-X.EXE&countrycodein=US&lastAdTime=||1150414416|||||||&lastAdCode=3&NumWindows=7&VSN=1000201&MA=000C2907EE86&HN=unpatched&PI=55274-640-0690141-23045&budver=2000103&status=1&adcontext=http://www.adultfriendfinder.com/search/%20p263736%20%26show%3Df%26age%3D18-35%26ip%3Dauto&WindowTitle=Age+verification&TM=00&ads5m=01&ads1h=1&ads24h=01&adsClkh=iZ2401&ads7d=401&tmsys=3daacu1dx&tmac=3daaf41bn&act1h=1m&act24h=10&actClkh=iZ2412&act7d=403&smode=9&cookie1=capdatedy%3D0615%26capcntdy%3D1%26capdate%3D1519%26capcnt%3D1%26lupgtry%3D1%26lflshdt%3D1123536404%26lupgdt%3D1150412802119%26lupgid%3D245%26lstlogdt%3D20060615%26cntp%3Dcable%26&cookie2=fstcidt%3D1123536404291%26&cookie3=0&cookie4=0&event=0&inststat=axed HTTP/1.1
User-Agent: {BF0510AC-F78C-4051-8503-60C1008B7131}|0.21.5.114
Host: btg.btgrab.com
Cookie: ...

HTTP/1.1 200 OK
Server: Resin/3.0.14
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ...
Content-Type: text/html
Content-Length: 1127
Connection: close
Date: Thu, 15 Jun 2006 23:35:18 GMT

<HTML><BODY><HR>ServerName: qs02.fgrep.pvt<BR>Current Date: Thu Jun 15 19:35:19 EDT 2006<HR><b>General Configuration Pairs</b>
<br>
configcode=442
<br>
status=1
<br>

<br>
<b>Context Adds and Deletes</b>
<br>

<br>

<br>
<b>Window Control Pairs</b>
<br>
adcode=4
<br>
Resizable=0
<br>
adheight=500
<br>
adurl=http://xmat.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.adultfriendfinder.com%2Fsearch%2F+p263736+%26show%3Df%26age%3D18-35%26ip%3Dauto&domainContext=adultfriendfinder.com&distID=143%7C1%7C0%7C0%7CTHIN-143-1-X-X.EXE&country=US&transponderID={BF0510AC-F78C-4051-8503-60C1008B7131}&broad=[broad]&premium=0&build=0.21.5.114&s=53010&c=91896&ca=18519&s0=53010&bho=aurora.exe
<br>
adwidth=800
<br>
BuddyType=0
<br>
adfocus=1
<br>
adtime=||1150414416|1150414519||||||
<br>
adplacement=1
<br>
Life="7200"
<br>

<br>
Caption="The Best Offers"
<br>

<br>

<br>
<b>Cookie Control Pairs</b>
<br>
cookie1=...
<br>
cookie2=fstcidt=1123536404291&

<br>

<br>

</BODY></HTML>


GET /imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.adultfriendfinder.com%2Fsearch%2F+p263736+%26show%3Df%26age%3D18-35%26ip%3Dauto&domainContext=adultfriendfinder.com&distID=143%7C1%7C0%7C0%7CTHIN-143-1-X-X.EXE&country=US&transponderID={BF0510AC-F78C-4051-8503-60C1008B7131}&broad=[broad]&premium=0&build=0.21.5.114&s=53010&c=91896&ca=18519&s0=53010&bho=aurora.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; knst; knst2008)
Host: xmat.offeroptimizer.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: Resin/3.0.14
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: ...
Content-Type: text/html
Content-Length: 2452
Connection: close
Date: Thu, 15 Jun 2006 23:35:39 GMT

<BODY>
<title>---</title>
<SCRIPT LANGUAGE="JavaScript">
// define the domain on which this will reside/operate
var zqz_bits = document.domain.split(".");
var zqz_hostdomain = zqz_bits[zqz_bits.length-2]+'.'+zqz_bits[zqz_bits.length-1];
document.domain = zqz_hostdomain;
document.title = '---';

// set up defaults
width=250;
height=250;
valign='top';
align='left';
hosted=1;
statusbar=0;
titlebar=0;
menubar=0;
locationbar=0;
toolbar=0;
scrollbars=0;
resizable=0;
ontop=0;
offsetx=0;
offsety=0;

screenx=0;
screeny=30;

url="http://www.morpheusofporn.com/hc/bo.php";
width=800;
height=500;
ontop=1;
hosted=0;

screenx = window.screen.availWidth;
screeny = window.screen.availHeight;

if (valign=='middle'){
windowy = (screeny/2) - (height/2);
} else if (valign=='bottom'){
windowy = screeny - height - 50;
} else {
windowy = 30;
}

if (align=='center'){
windowx = (screenx/2) - (width/2);
} else if (align=='right'){
windowx = (screenx - width) - 20;
} else {
windowx = 0;
}

// if this window requires any physical changes...
if(
(statusbar == 1) ||
(titlebar == 1) ||
(menubar == 1) ||
(locationbar == 1) ||
(toolbar == 1) ||
(resizable == 1)
){

// ...then pop another window with those attributes.
attrib = "width=" + width + "," +
"height=" + height + "," +
"top=" + windowy + "," +
"left=" + windowx + "," +
"status=" + statusbar + "," +
"titlebar=" + titlebar + "," +
"menubar=" + menubar + "," +
"location=" + locationbar + "," +
"toolbar=" + toolbar + "," +
"scrollbars=" + scrollbars + "," +
"resizable=" + resizable;

winad=window.open(url, "_blank", attrib);

// the ad is in another window so we can close this one.
self.location.href="http://ximages.offeroptimizer.com/close.html";

} else {

// change to correct size
// self.resizeTo(width+offsetx,height+offsety);

// if this is an external creative go ahead and move
// it to the right screen x,y
if(hosted == 0){
self.moveTo(windowx,windowy);
} else {
//add the ontop variable
if(url.indexOf('?') == -1){url += '?';}
url += '&ontop='+ontop+'&xpos='+windowx+'&ypos='+windowy+'&xsize='+(width+offsetx)+'&ysize='+(height+offsety);
// url += '&ontop='+ontop+'&xpos='+windowx+'&ypos='+windowy;
}

// change to correct size
self.resizeTo(width+offsetx,height+offsety);

if(ontop == 0){
var timer1 = setTimeout('self.blur();',100);
}

// change to the ad url.
self.location.href=url;

}
</SCRIPT>
</BODY>
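The chain traced by hand above can be reconstructed mechanically from the captured exchanges. The following is an added example, not code from the original page or from any of the parties named on it; it parses the btgrab.com request line, the "Window Control Pairs" section of its response, and the offeroptimizer.com script, and reports which context the client reported, which server chose the creative, and which host was finally displayed. The sample strings are shortened copies of the page's own packet log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: shortened copies of three exchanges from the packet log above.
BTGRAB_REQUEST = ("GET /a/Drk.syn?bho=aurora.exe&DistID=143|1|0|0|THIN-143-1-X-X.EXE"
                  "&adcontext=http://www.adultfriendfinder.com/search/%20p263736%20%26show%3Df"
                  "&WindowTitle=Age+verification&smode=9 HTTP/1.1")
BTGRAB_RESPONSE = """<b>Window Control Pairs</b>
<br>
adcode=4
<br>
adurl=http://xmat.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.adultfriendfinder.com%2Fsearch%2F&domainContext=adultfriendfinder.com&bho=aurora.exe
<br>
Caption="The Best Offers"
"""
IMPSERVE_SCRIPT = 'url="http://www.morpheusofporn.com/hc/bo.php";\nwidth=800;\nontop=1;\n'

def query_params(url_or_path):
    """Flatten a URL's (or request path's) query string into a dict of first values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url_or_path).query).items()}

def parse_control_pairs(body):
    """Parse the key=value lines of the btgrab.com config body, skipping the HTML tags."""
    pairs = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("<"):
            key, value = line.split("=", 1)
            pairs[key] = value.strip('"')
    return pairs

def script_target_url(script):
    """Return the final url= assignment in the ad-window script (later ones override defaults)."""
    hits = re.findall(r'url="([^"]+)"', script)
    return hits[-1] if hits else None

def reconstruct_chain(request_line, response_body, script):
    """Tie the three exchanges together: the page context the client reported, the server
    that chose the creative, the domain it targeted, and the host finally displayed."""
    reported = query_params(request_line.split(" ")[1])   # request-target of the GET line
    adurl = parse_control_pairs(response_body).get("adurl", "")
    displayed = script_target_url(script)
    return {
        "reported_context": urlsplit(reported["adcontext"]).hostname,
        "window_title": reported["WindowTitle"],
        "ad_server": urlsplit(adurl).hostname,
        "targeting_domain": query_params(adurl).get("domainContext"),
        "displayed_host": urlsplit(displayed).hostname if displayed else None,
    }
```

Run against a full capture, a mismatch between reported_context and displayed_host is the signal that a creative unrelated to the page the user was on was pushed to the machine.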