Security Incidents mailing list archives

FYI: EverAdSv.exe / PlayJ http traffic frenzy


From: Adam Kujawski <adamkuj () GATORDOG COM>
Date: Tue, 13 Feb 2001 19:08:58 -0500

Today I noticed a very large number of failed HTTP requests originating
from a Windows NT workstation on my network. There were no web browsers
open. My first thought was that the workstation was being used in a DoS
attack.  Here is an overview of the traffic:

len= 24 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B0,
ack 0x0, win 8192, SYN
len= 28 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C6,
ack 0x5F5342B1, win 8760, SYN ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B1,
ack 0x7F3241C7, win 8760, ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B1,
ack 0x7F3241C7, win 8760, FIN ACK
len= 20 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C7,
ack 0x5F5342B2, win 0, RST
len= 20 TCP from 216.74.130.30.80 to xxx.xxx.xxx.xxx.3960 seq 7F3241C7,
ack 0x5F5342B2, win 0, ACK
len= 20 TCP from xxx.xxx.xxx.xxx.3960 to 216.74.130.30.80 seq 5F5342B2,
ack 0x5F5342B2, win 0, RST

There were several of these exchanges per second - about 7KB/sec worth,
and it had been going on for about 5 hours.

It turns out that the traffic was being generated by the program
EverAdSv.exe called by the registry at startup. The program was installed
as a part of PlayJ (www.playj.com), a free multimedia/music player that is
supported by banner ads. Even though the PlayJ program was not being
used, the banner ad client was running. Further, it appears that the
banner ad webserver had died and was not fulfilling requests (I could
successfully telnet to port 80 of 216.74.130.30, but not issue any
commands). Rather than retrying after a specified time, the EverAdSv.exe
client immediately issued more HTTP requests. The client was probably
overwhelming their web servers.

Anyways, you may want to keep an eye out for this problem and keep the
PlayJ program off of your network.

-Adam Kujawski

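Detection logic for the pattern described in the post, as an added example that is not part of the original message: it parses trace lines in the format quoted above (re-joining records that wrap over two lines), groups packets into client-initiated flows, and flags client/server pairs with many connections that the client closed before sending a single payload byte, which is exactly what an ad client looping on open/close against a dead server looks like. The sample trace is constructed: the first exchange uses the values from the post, the other ports and sequence numbers are made up, and the flow to 10.0.0.5 is a made-up normal connection used as a control.

```python
"""Spot clients that open, close and immediately reopen TCP connections without
ever sending a request, using a trace in the format quoted in the post."""
import re
from collections import defaultdict

# One record: header length, "address.port" endpoints (the last dot-separated
# field is the port), sequence and ack numbers, window, flags.
RECORD_RE = re.compile(
    r"len=\s*(?P<len>\d+)\s+TCP\s+from\s+(?P<src>\S+)\.(?P<sport>\d+)\s+to\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+)\s+seq\s+(?P<seq>[0-9A-Fa-f]+),\s*"
    r"ack\s+0x(?P<ack>[0-9A-Fa-f]+),\s*win\s+(?P<win>\d+),\s*(?P<flags>[A-Z ]+)$"
)

def parse_trace(text):
    """Re-join records wrapped over two lines, then parse each into a dict."""
    records, buf = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("len="):          # every record starts with "len="
            if buf:
                records.append(" ".join(buf))
            buf = [line]
        else:                                # continuation of the previous record
            buf.append(line)
    if buf:
        records.append(" ".join(buf))
    parsed = []
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            raise ValueError("unparsed record: " + rec)
        d = m.groupdict()
        for k in ("len", "sport", "dport", "win"):
            d[k] = int(d[k])
        d["seq"], d["ack"] = int(d["seq"], 16), int(d["ack"], 16)
        d["flags"] = frozenset(d["flags"].split())
        parsed.append(d)
    return parsed

def build_flows(records):
    """Group packets into client-initiated flows keyed by the SYN's 4-tuple,
    recording the client ISN, the client's first FIN seq and any server RST."""
    flows = {}
    for p in records:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == {"SYN"}:                       # bare SYN: new flow
            flows[fwd] = {"isn": p["seq"], "fin_seq": None, "server_rst": False}
        elif fwd in flows:                              # client -> server
            if "FIN" in p["flags"] and flows[fwd]["fin_seq"] is None:
                flows[fwd]["fin_seq"] = p["seq"]
        elif rev in flows and "RST" in p["flags"]:      # server -> client
            flows[rev]["server_rst"] = True
    return flows

def client_bytes_sent(flow):
    """Payload bytes the client sent before its FIN. The SYN consumes one
    sequence number, so a FIN at ISN+1 means the client sent nothing."""
    if flow["fin_seq"] is None:
        return None
    return (flow["fin_seq"] - flow["isn"] - 1) & 0xFFFFFFFF

def find_empty_connection_churn(flows, min_flows=3):
    """{(src, dst, dport): count} for pairs with >= min_flows zero-payload flows."""
    counts = defaultdict(int)
    for (src, _sport, dst, dport), f in flows.items():
        if client_bytes_sent(f) == 0:
            counts[(src, dst, dport)] += 1
    return {k: v for k, v in counts.items() if v >= min_flows}

def empty_exchange(sport, cseq, sseq):
    """The seven-packet open/close exchange from the post (constructed data)."""
    c, s = "xxx.xxx.xxx.xxx.%d" % sport, "216.74.130.30.80"
    return "\n".join([
        "len= 24 TCP from %s to %s seq %08X," % (c, s, cseq), "ack 0x0, win 8192, SYN",
        "len= 28 TCP from %s to %s seq %08X," % (s, c, sseq), "ack 0x%X, win 8760, SYN ACK" % (cseq + 1),
        "len= 20 TCP from %s to %s seq %08X," % (c, s, cseq + 1), "ack 0x%X, win 8760, ACK" % (sseq + 1),
        "len= 20 TCP from %s to %s seq %08X," % (c, s, cseq + 1), "ack 0x%X, win 8760, FIN ACK" % (sseq + 1),
        "len= 20 TCP from %s to %s seq %08X," % (s, c, sseq + 1), "ack 0x%X, win 0, RST" % (cseq + 2),
        "len= 20 TCP from %s to %s seq %08X," % (s, c, sseq + 1), "ack 0x%X, win 0, ACK" % (cseq + 2),
        "len= 20 TCP from %s to %s seq %08X," % (c, s, cseq + 2), "ack 0x%X, win 0, RST" % (cseq + 2),
    ])

# Control flow (constructed): the client sends 120 bytes before closing.
NORMAL_FLOW = """
len= 24 TCP from xxx.xxx.xxx.xxx.4001 to 10.0.0.5.80 seq 00001000,
ack 0x0, win 8192, SYN
len= 28 TCP from 10.0.0.5.80 to xxx.xxx.xxx.xxx.4001 seq 00002000,
ack 0x1001, win 8760, SYN ACK
len= 20 TCP from xxx.xxx.xxx.xxx.4001 to 10.0.0.5.80 seq 00001001,
ack 0x2001, win 8760, ACK
len= 20 TCP from xxx.xxx.xxx.xxx.4001 to 10.0.0.5.80 seq 00001001,
ack 0x2001, win 8760, PSH ACK
len= 20 TCP from xxx.xxx.xxx.xxx.4001 to 10.0.0.5.80 seq 00001079,
ack 0x2001, win 8760, FIN ACK
"""

# Five back-to-back empty exchanges (first one uses the post's values) plus the control.
SAMPLE_TRACE = "\n".join(
    [empty_exchange(3960 + i, 0x5F5342B0 + 0x1000 * i, 0x7F3241C6 + 0x1000 * i) for i in range(5)]
    + [NORMAL_FLOW]
)

def analyze(text=SAMPLE_TRACE, min_flows=3):
    return find_empty_connection_churn(build_flows(parse_trace(text)), min_flows)

if __name__ == "__main__":
    for (src, dst, dport), n in analyze().items():
        print("%s -> %s:%d  %d zero-payload connections" % (src, dst, dport, n))
```

The trace format carries no timestamps, so the check keys on the shape of each flow (FIN immediately after the handshake, no payload) and the count of such flows per client/server pair rather than on a rate; with a timestamped capture the same grouping would let you apply a per-second threshold instead.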
