[Diagram: Travelocity, Ad-Flow (Rydium), Deskwizz / Searchingbooth, linked by "money" and "viewers" arrows]

Deskwizz/Searchingbooth, Ad-Flow (Rydium) Promoting Travelocity
Advertising Through Spyware -- After Promising to Stop - Ben Edelman

This page gives a screenshot and packet log reporting Deskwizz/Searchingbooth promoting Travelocity on March 9, 2007. Additional discussion.

 

Screenshot

On a PC with Deskwizz/Searchingbooth installed, I requested true.com. I received the Travelocity ad shown below. Notice the insertion of the Travelocity ad into a frame below the True.com site -- even though True.com does not sell this advertising space to any advertiser for any price.

 

Packet Log

The injected Travelocity ad (shown above) is unlabeled -- without any direct indication that it came from Deskwizz/Searchingbooth spyware. But packet log analysis confirms that Deskwizz/Searchingbooth was directly responsible for the injection. First, Deskwizz/Searchingbooth spyware on my test PC sent a request to its controlling server headlinesandnews.com (yellow), seeking an ad to inject into the True site (shown, for good measure, as the HTTP Referer of the request, green). Headlinesandnews replied with a URL to Uzoogle (blue), which redirected me to Ad-Flow (Rydium) (purple), which in turn sent me on to the Right Media Exchange marketplace (yieldmanager.com) (grey). Right Media sent back a DoubleClick-hosted ad (pink) that promotes Travelocity (red).

GET /media/servlet/view/banner/unique/url/strip?zid=25&pid=0&total=2&layout=horizontal&margin=0&padding=0&DHWidth=600&DHHeight=250&DHScroll=no&Ref=25 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.true.com/phelp_landing.htm?svw=global
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: servedby.headlinesandnews.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 686
Date: Sat, 10 Mar 2007 00:34:52 GMT

<DIV style="padding: 0px"><TABLE border="0" cellpadding="0" cellspacing="0"><TR valign="middle"><TD align="center" NOWRAP><html>
<head>
</head>
<body>
<center>
<iframe src="http://www.uzoogle.com/indexP.php?PID=811" width="300" height="250" align="center" frameborder="0" scrolling="no" marginheight="0" marginwidth="0">
</body>
</html>
</TD><TD align="center" style="padding: 0px 0px 0px 0px" NOWRAP><html>
<head>
</head>
<body>
<center>
<iframe src="http://www.headlinesandnews.com/?PID=3202" width="300" height="250" align="center" frameborder="0" scrolling="no" marginheight="0" marginwidth="0">
</body></html>
</TD></TR></TABLE></DIV>

 

POST / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.uzoogle.com/indexP.php?PID=811
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.uzoogle.com
Content-Length: 7
Connection: Keep-Alive
Cache-Control: no-cache

PID=811

HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:34:53 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.3.6
X-Powered-By: PHP/4.3.6
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<!-- BEGIN STANDARD TAG - 300 x 250 - ROS: Uzoogle - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://content.ad-flow.com/rmtag3.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.ad-flow.com";
var rm_section_id = 118935;

rmShowAd("300x250");
</SCRIPT>
<!-- END TAG -->

 

GET /imp?z=2&Z=300x250&s=118935&u=http%3A%2F%2Fwww.uzoogle.com%2FindexP.php%3FPID%3D811&r=0 HTTP/1.1
Accept: */*
Referer: http://www.uzoogle.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad.ad-flow.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Sat, 10 Mar 2007 00:34:53 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=2&Z=300x250&s=118935&u=http%3A%2F%2Fwww.uzoogle.com%2FindexP.php%3FPID%3D811&r=0
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:53 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /imp?z=2&Z=300x250&s=118935&u=http%3A%2F%2Fwww.uzoogle.com%2FindexP.php%3FPID%3D811&r=0 HTTP/1.1
Accept: */*
Referer: http://www.uzoogle.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 302 Found
Date: Sat, 10 Mar 2007 00:34:55 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Advertiser: 15713
X-RightMedia-Creative: 218354
X-RightMedia-Campaign: 87026
X-RightMedia-Vurl: 1351298
Set-Cookie: ...
Location: http://ad.doubleclick.net/adj/N447.rightmedia.com/B2130591.2;sz=300x250;click0=http://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,;ord=1173486895?
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:55 GMT
Pragma: no-cache
Content-Length: 0
Connection: close

 

GET /adj/N447.rightmedia.com/B2130591.2;sz=300x250;click0=http://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,;ord=1173486895? HTTP/1.1
Accept: */*
Referer: http://www.uzoogle.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: ad.doubleclick.net
Cookie: ...

HTTP/1.0 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 2586
Content-Encoding: gzip

document.write('<style>\n#h_30x25{background-image:url(\"http://m1.2mdn.net/551711/300x250_30_trv_usm1_h_bg.gif\");width:300px;height:250px;position:relative;text-align:left;}\n#h_30x25 form{margin:0;padding:0;}\n#h_30x25_l{background-image:url(\"http://m1.2mdn.net/551711/300x250_30_trv_usm1_h_l.gif\");position:absolute;top:7px;left:2px;width:116px;height:48px;display:block;}\n#h_30x25_c{position:absolute;top:57px;left:0;width:300px;height:100px;display:block;}\n#h_30x25_f{position:absolute;left:0px;bottom:10px;width:300px;}\n#h_30x25_f label{font:bold 11px Arial;color:#fff;float:left;display:block;width:28px;margin:3px 3px 0 0px;text-align:right;}\n#h_30x25_f label.checkin {width:55px;float:left;margin-top:11px;margin-left:0px;margin-right:1px;clear:left;}\n* html #h_30x25_f label.checkin{margin-right:0;}\n#h_30x25_f label.checkout {width:62px;float:none;margin-left:2px;display:inline;margin-bottom:2px;}\n#h_30x25_f select {font-size:11px;font-family:Arial;}\n#state {width:50px;margin:0 0 1px 1px;margin-right:30px;}\n* html #state {margin-left:-2px;}\n.trvMonth{width:45px;margin:8px 4px 0 0px;}\n.trvDate{width:38px;}\n* html .trvDate{width:36px;} \n#doD,#doM{}\n#h_30x25 input {width:118px;font:11px Arial;float:left;margin-right:4px;width:expression(t_qm()?\"117px\":\"111px\");height:expression(t_qm()?\"20px\":\"14px\");} \n #city{margin:0 0 1px 1px;}\n#h_30x25_b{background-image:url(\"http://m1.2mdn.net/551711/300x250_30_trv_usm1_h_b.gif\");width:53px;height:26px;position:absolute;bottom:35px;right:1px;display:block;}\n#t_1bx6_f select{margin:0 3px;}\n</style>\n');

var t_w3c=((!document.getElementById && !document.createElement)||(/(msie)[\S\s]+(mac)/i.test(navigator.userAgent)))?false:true;
var t_fu="http://ad.doubleclick.net/click%3Bh=v8/3511/17/a8/%2a/v%3B67439382%3B3-0%3B0%3B15238551%3B4307-300/250%3B19465949/19483843/1%3B%3B%7Esscs%3D%3fhttp://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,http%3a%2f%2ftravel.travelocity.com/hotel/HotelCobrand.do?WA1=03010&WA2=67439382&WA3=15238551&WA4=19465949";
var t_ct1="http://ad.doubleclick.net/click%3Bh=v8/3511/17/a8/%2a/v%3B67439382%3B3-0%3B0%3B15238551%3B4307-300/250%3B19465949/19483843/1%3B%3B%7Esscs%3D%3fhttp://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,http%3a%2f%2fwww.travelocity.com/?Service=TRAVELOCITY&WA1=03010&WA2=67439382&WA3=15238551&WA4=19465949";
var t_ct2="http://ad.doubleclick.net/click%3Bh=v8/3511/17/a8/%2a/v%3B67439382%3B3-0%3B0%3B15238551%3B4307-300/250%3B19465949/19483843/1%3B%3B%7Esscs%3D%3fhttp://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,http%3a%2f%2fwww.travelocity.com/Hotels/?Service=TRAVELOCITY&WA1=03010&WA2=67439382&WA3=15238551&WA4=19465949";
Date.prototype.isLeapYear=function(){var y=this.getFullYear();return(y%4==0&&y%100!=0)||y%400==0;};
Date.prototype.getDaysInMonth=function(){return [31,(this.isLeapYear()?29:28),31,30,31,30,31,31,30,31,30,31][this.getMonth()];};
Date.prototype.addDays=function(n){this.setDate(this.getDate()+n);return this;};
var t_id = new Date();
var t_od = new Date();
t_id.addDays(14);
t_od.addDays(17);
function t_qm(){if(typeof document.compatMode != "undefined" && /CSS.Compat/.test(document.compatMode)){return false;}return true;}
function t_ws(n,o,e){document.write('<select size="1" name="'+n+'" '+e+'>'+o+'</select>');}
function t_do(n){var s="";for(var i=1;i<=31;i++){s+='<option value="'+i+'"'+((n==i)?' selected':'')+'>'+i+'</option>';}return s;}
function t_mo(n){var s='';var m=["","Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"];for(var i=1; i<13; i++){s+='<option value="'+i+'"'+((n==i)?' selected':'')+'>'+m[i]+'</option>';}return s;}
function t_so(){var s='';var states=[{id:"",name:"--"},{id:"AK",name:"AK"},{id:"AL",name:"AL"},{id:"AR",name:"AR"},{id:"AZ",name:"AZ"},{id:"CA",name:"CA"},{id:"CO",name:"CO"},{id:"CT",name:"CT"},{id:"DC",name:"DC"},{id:"DE",name:"DE"},{id:"FL",name:"FL"},{id:"GA",name:"GA"},{id:"HI",name:"HI"},{id:"IA",name:"IA"},{id:"ID",name:"ID"},{id:"IL",name:"IL"},{id:"IN",name:"IN"},{id:"KS",name:"KS"},{id:"KY",name:"KY"},{id:"LA",name:"LA"},{id:"MA",name:"MA"},{id:"MD",name:"MD"},{id:"ME",name:"ME"},{id:"MI",name:"MI"},{id:"MN",name:"MN"},{id:"MO",name:"MO"},{id:"MS",name:"MS"},{id:"MT",name:"MT"},{id:"NC",name:"NC"},{id:"ND",name:"ND"},{id:"NE",name:"NE"},{id:"NH",name:"NH"},{id:"NJ",name:"NJ"},{id:"NM",name:"NM"},{id:"NV",name:"NV"},{id:"NY",name:"NY"},{id:"OH",name:"OH"},{id:"OK",name:"OK"},{id:"OR",name:"OR"},{id:"PA",name:"PA"},{id:"RI",name:"RI"},{id:"SC",name:"SC"},{id:"SD",name:"SD"},{id:"TN",name:"TN"},{id:"TX",name:"TX"},{id:"UT",name:"UT"},{id:"VA",name:"VA"},{id:"VT",name:"VT"},{id:"WA",name:"WA"},{id:"WI",name:"WI"},{id:"WV",name:"WV"},{id:"WY",name:"WY"}];for(var i=0;i<states.length;i++){s+='<option value="'+states[i].id+'">'+states[i].name+'</option>';}return s;}
function t_ce(e){var cc;if(e&&e.which){e=e;cc=e.which;}else{cc=e.keyCode;}if(cc==13){t_sfm();return false;}else{return true;}}
function t_sfm(){var f=document.t_bf;if(f.city.value != ""){var url=t_fu+"?";for(var i=0;i<f.elements.length;i++){url+=f.elements[i].name+"="+escape(f.elements[i].value)+"&";}}else{url=t_ct2;}window.open(url,"Travelocity","width=800,height=800,location=1,toolbar=yes,menubar=yes,status=yes,scrollbars=yes,resizable=yes");return;}
function t_wh(){
document.write('<div id="h_30x25"><form action="'+t_fu+'"name="t_bf"method="get"onsubmit="t_sfm();return false;">'+
'<input type="hidden"name="Service"value="TRAVELOCITY">'+
'<input type="hidden"name="SearchPath"value="hots">'+
'<input type="hidden"name="old_cb"value="N">'+
'<input type="hidden"name="mode"value="1">'+
'<input type="hidden"name="x"value="53">'+
'<input type="hidden"name="y"value="14">'+
'<input type="hidden"name="pax_cnt"value="2">'+
'<a href="'+t_ct1+'"id="h_30x25_l"target="_blank"></a><a href="'+t_ct2+'"id="h_30x25_c"target="_blank"></a><div id="h_30x25_f">'+
'<label for="city">City:</label><input name="city"id="city"onkeypress="t_ce(event)">'+
'<label for="state">State:</label>');
t_ws('state',t_so(),'id="state" onkeypress="t_ce(event)"');
document.write('<label for="leavingMonth" class="checkin">Check-in:</label>');
t_ws('dateLeavingMonth',t_mo(t_id.getMonth()+1),'id="puM" class="trvMonth" onkeypress="t_ce(event)" ' );
t_ws('dateLeavingDay',t_do(t_id.getDate()),'class="trvDate" onkeypress="t_ce(event)"');
document.write('<label for="returnMonth" class="checkout">Check-out:</label>');
t_ws('dateReturningMonth',t_mo(t_od.getMonth()+1),'id="doM" class="trvMonth" onkeypress="t_ce(event)"');
t_ws('dateReturningDay',t_do(t_od.getDate()),'class="trvDate" id="doD" onkeypress="t_ce(event)"');
document.write('</div><a href="'+t_ct2+'"onclick="t_sfm();return false;"id="h_30x25_b"></a></form></div>');
}
if(t_w3c){t_wh();}else{document.write('<a href="'+t_ct2+'"target="_blank"><img src="http://m1.2mdn.net/551711/300x250_20_trv_usm1_h_def.gif"width="300"height="250"border="0"></a>');}
document.write('<noscript><a href=\"http://ad.doubleclick.net/click%3Bh=v8/3511/17/a8/%2a/v%3B67439382%3B3-0%3B0%3B15238551%3B4307-300/250%3B19465949/19483843/1%3B%3B%7Esscs%3D%3fhttp://ad.ad-flow.com/click,gp4UAJfQAQDyVAMA8lMBAAIAAAAAAP8AAAAGFAAAAgOv0AEAl2MAANQjAgAAAAAAAAAAAAAAAAAAAAAAAAAAAC.98UUAAAAA,,http%3A%2F%2Fwww%2Euzoogle%2Ecom%2Findexp%2Ephp%3Fpid%3D811,http%3a%2f%2fwww.travelocity.com/Hotels/?Service=TRAVELOCITY\" target=\"_blank&WA1=03010&WA2=67439382&WA3=15238551&WA4=19465949\"><img src=\"http://m1.2mdn.net/551711/300x250_20_trv_usm1_h_def.gif\" width=\"300\" height=\"250\" border=\"0\"></a></noscript>');
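
The hop-by-hop attribution made in the Packet Log section can be checked mechanically: each request's Host should have been named by the previous response (iframe, script variable or Location header). The Python below is an added example, not part of the original page; `trace`, `LOG` and `HOST` are names chosen here, and the sample is an abridged copy of the log above.

```python
import re
from urllib.parse import unquote

# Constructed sample: the five transactions of the packet log above, cut down to
# request line, Referer/Host, status line and the hop-naming line ("..." = cut).
LOG = '''GET /media/servlet/view/banner/unique/url/strip?zid=25 HTTP/1.1
Referer: http://www.true.com/phelp_landing.htm?svw=global
Host: servedby.headlinesandnews.com
HTTP/1.1 200 OK
<iframe src="http://www.uzoogle.com/indexP.php?PID=811" width="300" height="250">
POST / HTTP/1.1
Host: www.uzoogle.com
HTTP/1.1 200 OK
var rm_host = "http://ad.ad-flow.com";
GET /imp?z=2&Z=300x250&s=118935 HTTP/1.1
Host: ad.ad-flow.com
HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?z=2&Z=300x250&s=118935
GET /imp?z=2&Z=300x250&s=118935 HTTP/1.1
Host: ad.yieldmanager.com
HTTP/1.1 302 Found
Location: http://ad.doubleclick.net/adj/N447.rightmedia.com/B2130591.2;sz=300x250
GET /adj/N447.rightmedia.com/B2130591.2;sz=300x250 HTTP/1.1
Host: ad.doubleclick.net
HTTP/1.0 200 OK
var t_ct1="http://ad.doubleclick.net/click%3Bh=v8...http%3a%2f%2fwww.travelocity.com/";
'''

HOST = re.compile(r"https?://([^/\"'\s?,;]+)", re.I)

def trace(log):
    """Return (injected_into, chain, landing, breaks) for a raw HTTP log."""
    injected_into, chain, breaks, refs = None, [], [], None
    # One chunk per transaction: split just before each request line.
    for txn in re.split(r"^(?=(?:GET|POST) )", log, flags=re.M)[1:]:
        req, _, resp = txn.partition("\nHTTP/1.")
        host = re.search(r"^Host:\s*(\S+)", req, re.M | re.I).group(1).lower()
        referer = re.search(r"^Referer:\s*(\S+)", req, re.M | re.I)
        if injected_into is None and referer:
            injected_into = HOST.match(referer.group(1)).group(1)
        # A hop is explained only if the previous response named this host.
        if refs is not None and host not in refs:
            breaks.append(host)
        chain.append(host)
        refs = {h.lower() for h in HOST.findall(unquote(resp))}
    # Hosts named by the last response but never contacted: the landing pages.
    return injected_into, chain, sorted((refs or set()) - set(chain)), breaks
```

An empty `breaks` list means every hop in the capture is accounted for by the response before it, which is the property the attribution relies on.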