WebBuying and Exit Exchange Promoting Roo TV
How Spyware-Driven Forced Visits Inflate Web Site Traffic Counts - Ben Edelman

This page gives a screenshot and packet log showing how WebBuying spyware displayed Roo TV's site in testing of April 23, 2007. Additional discussion.

Screenshot

On a PC with WebBuying spyware installed, I browsed the web. I received the full-screen popup shown below.

The popup covered the Start Menu, Taskbar, and System Tray -- preventing me from easily switching to another program. The popup also appeared substantially unlabeled -- with a small Web Buying caption at the bottom of the ad, but with the caption's letters substantially off-screen.

Packet Log

The packet log below shows the series of redirects that caused this pop-up to appear. Traffic flowed from WebBuying (yellow) to Exit Exchange (green) to Roo TV (blue).

Roo TV definitely knew that the traffic at issue was forced-visit traffic. Notice the telltale "channel=pop" (grey) admission within the Roo TV landing page URL.

GET /e/sp.php/5ers7+aSiObv7uvm7e_v6e7o6e3m6erk HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: s.webbuying.net
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Tue, 24 Apr 2007 00:42:24 GMT
Server: Apache
X-Powered-By: PHP/4.3.9
Pragma: no-cache
Cache-Control: private, max-age=18000
Location: http://count.exitexchange.com/exit/1196612
Expires: Tue, 24 Apr 2007 05:42:24 GMT
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

GET /exit/1196612 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: count.exitexchange.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 24 Apr 2007 00:42:24 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) mod_gzip/1.3.26.1a mod_backhand/1.2.2 mod_perl/1.29
Set-Cookie: ...
Pragma: no-cache
Cache-control: no-cache
X-Module-Sender: Apache::Dynagzip
Expires: Tuesday, 24-April-2007 00:47:24 GMT
Transfer-Encoding: chunked
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Encoding: gzip

<html><head><title>Please Visit Our Sponsors</title>
<!-- Changed by: , 12-Sep-2006 -->
<script language="JavaScript" type="text/javascript">
// 1196612
var resize = 1;
if (resize) {
window.moveTo(0,0); window.resizeTo(screen.availWidth,screen.availHeight);
}
window.blur();
</script>
</head>
<body topmargin="0" leftmargin="0" bgcolor="#cccccc">
<table width="100%" height="100%" border=0 cellpadding=0 cellspacing=0>
<tr><td valign=top style="padding-top: 5px;" colspan=2 height=70><iframe src="/navbar/3346838?71252681/BTR_US" height=1 width=1 style="visibility: hidden; display: none"></iframe><iframe src="/banners/top" height=100% width=100% scrolling=no marginwidth=0 marginheight=0 frameborder=0></iframe></td></tr>
<tr>
<td valign=top width=130 align=center style="padding-left: 5px; padding-right: 5px;"><iframe src="/banners/left" height=100% width=130 scrolling=no marginwidth=0 marginheight=0 frameborder=0></iframe></td>
<td width="100%" valign=top bgcolor="#ffffff"><iframe src="http://ads.exitexchange.com/roo/?url=http://www.rootv.com/?channel=pop&fmute=true&bitrate=56" name="EEmF1" height="1800" width="100%" scrolling="no" marginwidth=0 marginheight=0></iframe></td>
</tr>
</table>
</body></html>

GET /roo/?url=http://www.rootv.com/?channel=pop&fmute=true&bitrate=56 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://count.exitexchange.com/exit/1196612
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ads.exitexchange.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Tue, 24 Apr 2007 00:42:25 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16.uvt2 mod_ssl/2.8.22 OpenSSL/0.9.7e mod_perl/1.29
Last-Modified: Thu, 05 Apr 2007 21:55:30 GMT
ETag: "104800e-d5-46157052"
Accept-Ranges: bytes
Content-Length: 213
Keep-Alive: timeout=1, max=10000
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1

<html><head>
<script>
function bustOut(){
top.location = document.URL.substring( document.URL.indexOf('url=')+4, document.URL.length );}
</script></head><body onLoad="setTimeout('bustOut()',3000);"></body></html>
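
The chain in the packet log above can be reconstructed mechanically. The following is an added example, not part of the original page or the author's tooling: it walks a constructed, abbreviated copy of the three exchanges, labels how each hop was reached (302 redirect, iframe, or the script's `top.location` assignment), and reads the `channel` parameter from the landing URL. The names `CAPTURE`, `chain` and `traffic_channel` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed, abbreviated copy of the three exchanges in the packet log above.
CAPTURE = """\
GET /e/sp.php/5ers7+aSiObv7uvm7e_v6e7o6e3m6erk HTTP/1.1
Host: s.webbuying.net

HTTP/1.1 302 Found
Location: http://count.exitexchange.com/exit/1196612

GET /exit/1196612 HTTP/1.1
Host: count.exitexchange.com

HTTP/1.1 200 OK

<iframe src="/banners/top"></iframe>
<iframe src="http://ads.exitexchange.com/roo/?url=http://www.rootv.com/?channel=pop&fmute=true&bitrate=56"></iframe>

GET /roo/?url=http://www.rootv.com/?channel=pop&fmute=true&bitrate=56 HTTP/1.1
Referer: http://count.exitexchange.com/exit/1196612
Host: ads.exitexchange.com

HTTP/1.1 200 OK

top.location = document.URL.substring( document.URL.indexOf('url=')+4, document.URL.length );
"""

def chain(capture):
    """Return [(url, how_reached)] for every hop, ending at the landing page."""
    hops, prev = [], ""
    for part in re.findall(r"(?ms)^GET .*?(?=^GET |\Z)", capture):
        lines = part.partition("\n\n")[0].splitlines()   # request line + headers
        hdrs = dict(l.split(": ", 1) for l in lines[1:])
        url = "http://" + hdrs["Host"] + lines[0].split()[1]
        how = ("302 redirect" if re.search(r"(?m)^Location: " + re.escape(url) + "$", prev)
               else "iframe" if 'src="%s"' % url in prev
               else "initial request")   # nothing earlier in the capture led here
        hops.append((url, how))
        prev = part
    last = hops[-1][0]
    if "top.location" in prev and "url=" in last:
        # Same slice as bustOut(): text after the first 'url=' replaces the top page.
        hops.append((last[last.index("url=") + 4:], "script sets top.location"))
    return hops

def traffic_channel(url):
    return parse_qs(urlsplit(url).query).get("channel", [None])[0]

if __name__ == "__main__":
    for url, how in chain(CAPTURE): print(how, "->", url, "| channel:", traffic_channel(url))
```

Run as a script, it prints one line per hop; only the final Roo TV URL carries a `channel` value.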