Claria    
(promoting installation of Claria "adware")
money viewers
Zedo.com
(an ad network)
money viewers
02320.net
money viewers
Yieldmanager.com
(an ad network)
money viewers
Venus123.com
money viewers
ContextPlus
(spyware installed without consent)

Claria Recruiting Installations through Spyware-Delivered Popups - Packet Log
Claria Shows Ads Through Exploit-Delivered Popups - Ben Edelman

This page gives a packet log of example traffic from spyware (installed without notice or consent) promoting installations of Claria screensavers (with bundled Claria advertising software).

Traffic begins with ContextPlus (orange highlighting) noticing a popup just delivered by DealHelper (blue). ContextPlus decides to show a popup obtained from clickandtrack.net (first HTTP transaction). Clickandtrack.net forwards me to Venus123.com. Venus123 embeds multiple ads from ad.yieldmanager.com. After a lengthy series of redirects (presented here in part; additional traffic omitted), yieldmanager.com instructs that my browser open a script from 02320.net, which in turn calls for a page from zedo.com. Zedo then provides a series of further embeddings. Finally, Zedo loads a Claria Belnk.com ad placement.

Throughout, yellow highlighting marks redirect instructions, and green highlighting marks the next step in the advertisement chain.

 

Traffic Originating at ContextPlus, Loading Clickandtrack.net

GET /services/AdChannelServer?site=CP.AOP&uid={X2e59e2a-abaa-4243-3906 c12f03a20589}&size=aamsz%3D%2F&rnd=41_1129583182_421875&v=1.0.226&b=6.0.2600.0&o=5.1.2600+%28%29+PI%3D2 HTTP/1.1
Referer: http://ads.dealhelper.com/adserver/ad1.php?gmiurl=http://69.20 .94.234/search.php?keyword=computers&partner=abc_tk&ret=http%3A%2F%2Fme dia.fastclick.net%2Fw%2Fpop.cgi%3Fsid%3D18665%26m%3D2%26CK%3DN%26JS%3DN %26c%3D1129583183&gmititle=&gmih=600&gmiw=800&gmip=middle&gmif=popunder
Accept: application/vnd.pop.ad.channel.redirect, application/vnd.pop.ad.creative.html
Cookie: freq_caps4=HpEPQymQD0MekQ9DHpEPQxAAAACuGAAAAAAAAAEAAAAShw9D0BgA AAAAAAABAAAAdocPQ7cZAAAAAAAAAQAAACmQD0OsGgAAAAAAAAEAAABniw9DahsAAAAAAAA BAAAAHpEPQ+8bAAAAAAAAAQAAADaPD0P/GwAAAAAAAAEAAACbiw9DBRwAAAAAAAABAAAAUY kPQw8cAAAAAAAAAQAAAFmMD0ODHAAAAQAAAAAAAACEHAAAAQAAAAAAAAATHQAAAAAAAAEAA ACUhw9DLx0AAAAAAAABAAAATI0PQ2UdAAAAAAAAAQAAANaQD0N3HQAAAAAAAAEAAAB0jg9D hB0AAAAAAAABAAAAc4oPQwItbp8|||||; freq_caps4=BXYgQ5d1IEMFdiBDBXYgQxgAAAC3GQAAAAAAAAEAAADcZCBDrBoAAAAAAAAB AAAA+1sgQxsbAAAAAAAAAQAAAKFuIEMtHAAAAQAAAAAAAABUHAAAAAAAAAEAAADiWiBDgxw AAAAAAAABAAAAA2EgQ4QcAAABAAAAAAAAABMdAAAAAAAAAQAAAK1aIEMvHQAAAAAAAAIAAA AOYCBDKWcgQzUdAAABAAAAAAAAAEsdAAAAAAAAAQAAAGNlIENOHQAAAAAAAAEAAADpXCBDV B0AAAEAAAAAAAAAVx0AAAAAAAABAAAA5WAgQ1wdAAAAAAAAAQAAAJd1IENqHQAAAAAAAAIA AABaXCBDqlwgQ3cdAAAAAAAAAQAAAHxhIEN9HQAAAAAAAAIAAADcZSBDwm8gQ4QdAAAAAAA AAQAAACNdIEOGHQAAAAAAAAEAAAAbdSBDqx0AAAAAAAABAAAAXG4gQ7EdAAABAAAAAAAAAN gdAAAAAAAAAQAAAGFgIEPbHQAAAQAAAAAAAAAcs3iQ||||
User-Agent: Apropos
Host: adchannel.contextplus.net

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2005 21:06:38 GMT
Server: Apache
Set-Cookie: freq_caps4=YRJUQ2ESVEMFdiBDYRJUQwMAAACEHAAAAAAAAAEAAABhElRDNR0AAAEAAAAAAAAAVB0AAAEAAAAAAAAANzBEZQ||||||; expires=Thu, 15-Oct-2015 21:6:41 GMT; path=/services/
Cache-Control: no-cache
AM-AD-CREATIVE-CATEGORY: RON
AM-AD-CREATIVE-TYPE: popunder
Set-Cookie: freq_caps4=na; expires=Sun, 17-Oct-2004 21:6:41 GMT; path=/services/AdChannelServer
P3P: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"
Content-Length: 360
Connection: close
Content-Type: application/vnd.pop.ad.creative.html

<html>
<body>
<script type="text/javascript" language="JavaScript">
popWin = open('http://hits.clickandtrack.net/cgi-bin/hit?page=12107-1123182578320194','_blank','width=800,height=600,resizable=no,scrollbars=yes');
if(popWin) {
popWin.blur();
window.focus();
if("") {
var tp_img = new Image();
tp_img.src = "";
}
}
</script>
</body>
</html>

 

Clickandtrack.net redirects to Venus123.com

GET /cgi-in/hit?page=12107-123182578320194 HTTP/1.1
Accept: */*
Accept-Language: en us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: hits.clickandtrack.net
Connection: Keep-Alive

HTTP/1.1 302 Moved
Date: Mon, 17 Oct 2005 21:06:47 GMT
Server: Apache/2.0.40 (Red Hat Linux)
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: SW_12107 1123182578320194=1129583207; path=/; expires=Wed, 16-Nov-2005 21:06:47 GMT
Set-Cookie: CF_12107 1123182578320194=1129583207; path=/; expires=Tue, 18-Oct-2005 21:06:47 GMT
Location: http://www.Venus123.com/homepage.precision.asp?group=See d3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Content-Length: 342
Connection: close
Content Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://www.Venus123.com/homepage.precision.asp? group=Seed3eVenus&amp;lpt=18&amp;pops=yes&amp;pop=no&amp;float=yes&amp;poponlpt=no &amp;floatonlpt=yes&amp;cb=70">here</a>.</p>
</body></html>

 

Venus123.com Embeds Multiple Yieldmanager.com Ads

GET /homepage.precision.asp?group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: www.venus123.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
Date: Mon, 17 Oct 2005 21:06:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 26354
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQTBBBDR=JMHNDDMBJHJKJLOKMPCOPBDH; path=/
Cache-control: private

<html>
<head>
<title>Venus123</title>

...

<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_banned_pop_types = 23;var rm_prepopped_width = 720;var rm_prepopped_height = 300;var rm_pop_frequency = 0;rmShowPop();</script>

...

<iframe src="728x90.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('728x90');</script>&lpt=18" width=728 height=90 frameborder=0 scrolling=no></iframe>

...

<iframe src="300x250.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('300x250');</script>&lpt=18" width=300 height=250 frameborder=0 scrolling=no></iframe>

...

<iframe src="160x600.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18" width=120 height=600 frameborder=0 scrolling=no></iframe>

...

<iframe src="468x60.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_iframe_tags = 1;rmShowAd('468x60');</script>&lpt=18" width=468 height=60 frameborder=0 scrolling=no></iframe>

...

</body>
</html>

 

Multiple Yieldmanager.com File-Loads, JavaScripts, and Redirects

GET /rmtag2.js HTTP/1.1
Accept: */*
Referer: http://www.venus123.com/homepage.precision.asp?group=Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: max-age=86400
Content-Type: application/x-javascript
Content-Length: 11980

[extended JavaScript code omitted]


GET /160x600.asp?jscode=<SCRIPT%20TYPE='text/javascript'%20SRC='http:// ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT%20language='JavaScript' >var%20rm_host%20=%20'http://ad.yieldmanager.com';var%20rm_site_id%20=% 202578;var%20rm_section_code%20=4400;var%20rm_promote_sizes%20=%201; rmShowAd('120x600/160x600');</script>&lpt=18 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.venus123.com/homepage.precision.asp?group= Seed3eVenus&lpt=18&pops=yes&pop=no&float=yes&poponlpt=no&floatonlpt=yes&cb=70
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: www.venus123.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDQQTBBBDR=JMHNDDMBJHJKJLOKMPCOPBDH; flashInstalled=7.0expires=Mon, 31 Oct 2005 21:06:41 UTC

HTTP/1.1 200 OK
Connection: close
Date: Mon, 17 Oct 2005 21:07:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 750
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSSRBADRS=GGLGPMIBFIBGBPENIOMHNFON; path=/
Cache-control: private

<html>
<head>
<meta http-equiv="Refresh" content="url=160x600.asp?jscode=<SCRIPT%20TYPE='text/javascript' %20SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT%20language='JavaScript'>var %20rm_host%20=%20'http://ad.yieldmanager.com'-var%20rm_site_id%20=%202578-var%20rm_section_code%20=4400-var%20rm_promote_sizes%20=%201-rmShowAd('120x600/160x600')-</script>&lpt=17">
</head>
<body leftmargin=0 rightmargin=0 topmargin=0 bottommargin=0 >
<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'> </SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>
</body>
</html>


GET /imp?z=10&i=2578&S=4400&p=1&u=http%3A%2F%2Fwww.venus123.com%2F homepage.precision.asp%3Fgroup%3DSeed3eVenus%26lpt%3D18%26pops%3Dyes&r=0 HTTP/1.1
Accept: */*
Referer: http://www.venus123.com/160x600.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: testbounce="testing"; lf="b!!!!$!!#Td!!!!#!!$7m!!!!$"; lh="b!!!!%!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; ih="b!!!!$!!!Tq!!!!#8Z@`J!!'DI!!!!$8Z@`C"; BSUID=1

HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Set-Cookie: cf="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: hi="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: cr="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ch="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lf="b!!!!%!!#Rj!!!!#!!#Td!!!!#!!$7m!!!!$"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: lh="b!!!!'!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: pv1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: pc1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!#8Z@`L!!'DI!!!!$8Z@`C"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: vh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: bh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ia="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: BSUID=""; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Type: application/x-javascript
Content-Length: 371

document.write('<iframe scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="600" width="120" src="http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAA AAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZ mck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE="></iframe>');


GET /iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAA91GQJJ8BibE= HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.venus123.com/160x600.asp?jscode=<SCRIPT TYPE='text/javascript' SRC='http://ad.yieldmanager.com/rmtag2.js'></SCRIPT><SCRIPT language='JavaScript'>var rm_host = 'http://ad.yieldmanager.com';var rm_site_id = 2578;var rm_section_code =4400;var rm_promote_sizes = 1;rmShowAd('120x600/160x600');</script>&lpt=18
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: testbounce="testing"; lf="b!!!!%!!#Rj!!!!#!!#Td!!!!#!!$7m!!!!$"; lh="b!!!!'!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!#8Z@`L!!'DI!!!!$8Z@`C"; BSUID=1

HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Set-Cookie: cf="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: hi="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: cr="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ch="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: lf="b!!!!%!!#Rj!!!!$!!#Td!!!!#!!$7m!!!!$"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: lh="b!!!!(!!#Rj8ZL[w!!#Rj8ZL[u!!#Td8ZL[s!!$7m8ZL[l!!$7m8ZL[j"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: pv1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: pc1="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ih="b!!!!%!!!Tq!!!!#8Z@`J!!'$I!!!!$8Z@`N!!'DI!!!!$8Z@`C"; path=/; expires=Mon, 14-Aug-2017 00:00:00 GMT
Set-Cookie: vh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: bh="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: ia="b"; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Set-Cookie: BSUID=""; path=/; expires=Mon, 01-Mar-2004 00:00:00 GMT
Content-Type: text/html
Content-Length: 671

<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><!-- BEGIN: AdSolution-Website-Tag 4.3 : huladirect / 120x600 -->
<script type="text/javascript" language="javascript" src="http://a.as-us.falkag.net/dat/dlv/aslmain.js"></script>
<script language="javascript" type="text/javascript">
Ads_kid=0;Ads_bid=0;Ads_xl=120;Ads_yl=600;Ads_xp='';Ads_yp=''; Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_wrd='';Ads_prf=''; Ads_par='';Ads_cnturl='';Ads_sec=0;Ads_channels='';
</script>
<script type="text/javascript" language="javascript" src="http://a.as-us.falkag.net/dat/cjf/00/12/18/12.js"></script>
<!-- END:AdSolution-Tag 4.3 --></body></html>

 

[omitted: encoded traffic to falkag.net and 02320.net]

 

 

02320.net Redirects to Zedo.com

GET /services/AdChannelServer?app=PS&v=1.2.2&site=PS.DHELIX&size=120x600&rnd=7084447&referer=http%3A%2F%2Fwww.venus123.com%2F160x600.asp%3Fjscode%3D%3CSCRIPT%20TYPE%3D'text%2Fjavascript'%20SRC%&xinfopsid=0&format=js&btop=0&xinfopsbase=http%3A%2F%2Fps-s.02320.net%2Fps%2FPS.DHELIX%2F&prck=0&glbfcap=0 HTTP/1.1
Accept: */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: adchannel.02320.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 17 Oct 2005 21:07:41 GMT
Server: Apache
Set-Cookie: freq_caps4=AAAAAAAAAAAAAAAAnRJUQwEAAADZHgAAAAAAAAEAAACdElRDTZVCGA||||||; expires=Thu, 15-Oct-2015 21:7:41 GMT; path=/services/
Cache-Control: no-cache
AM-AD-CREATIVE-CATEGORY: RON
AM-AD-CREATIVE-TYPE: 120x600
P3P: CP="NOI DSP LAW CURa DEVa TAIa PSAa PSDa OUR STP BUS UNI COM NAV INT"
Set-Cookie: uid={Z0000000-0000-0000-0000-000000000000}; expires=Thu, 15-Oct-2015 21:7:41 GMT; path=/services/
Content-Length: 129
Connection: close
Content-Type: text/html

zd47f5c1333_PS.show_banner(
0,
"http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600",
120,
600
);

 

Multiple Layers of Zedo.com Ad Wrappers

GET /jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAAQeAACzcQAAHxkAAAAAAAAAAP8AAP8CEgEACgHEKwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJqZmZmZmck.mpmZmZmZyT8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA91GQJJ8BibE=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c5.zedo.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Last-Modified: Wed, 14 Sep 2005 13:59:46 GMT
ETag: "a1b2b-392-43282cd2"
Accept-Ranges: bytes
Content-Length: 914
Content-Type: text/html
Cache-Control: max-age=228321
Expires: Thu, 20 Oct 2005 12:33:04 GMT
Date: Mon, 17 Oct 2005 21:07:43 GMT
Connection: keep-alive

<!-- Copyright (c) 2000-2005 ZEDO Inc. All Rights Reserved.
<html>
<head>
<title>Powered by ZEDO</title>
<script language="JavaScript">
var c3=new Image();
if(document.cookie.indexOf('ZEDOIDX')==-1){
var z2=new Date();
z2.setTime(z2.getTime()+18000000);
document.cookie='ZEDOIDX=1000;expires='+z2.toGMTString()+';domain=.zedo.com;path=/;';
}
if((document.cookie.indexOf('ZEDOIDX')!=-1)&&(document.cookie.indexOf('geo')==-1)){
c3.src='http://g.zedo.com/init/'+Math.random()+'/g.gif';
}
</script>
</head>
<body marginwidth=0 marginheight=0 leftmargin=0 topmargin=0 style="background-color:transparent">
<script language="JavaScript" src="http://c5.zedo.com/bar/v12-500/c5/jsc/iframe2.js"></script>
<noscript>
<iframe src="http://xads.zedo.com/ads2/a?" width=999 height=999 frameborder=0 border=0 marginwidth=0 marginheight=0 scrolling="no" align="top" allowTransparency="true"></iframe>
</noscript>
</body>
</html>


GET /bar/v12-500/c5/jsc/iframe2.js HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c5.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=1000

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Last-Modified: Wed, 14 Sep 2005 14:00:10 GMT
ETag: "349324-2123-43282cea"
Accept-Ranges: bytes
Content-Length: 8483
Content-Type: application/x-javascript
Cache-Control: max-age=2234934
Expires: Sat, 12 Nov 2005 17:56:38 GMT
Date: Mon, 17 Oct 2005 21:07:44 GMT
Connection: keep-alive

[extended JavaScript code omitted]


GET /ads2/d/2077/172/350/355/6/i0.js?z=9419 HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c4.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=29; ZEDOIDA=puwokdjrULAAADOeWigAAAAT; geo=497324; FFcat=350,355,8; FFad=0

HTTP/1.1 200 OK
Server: ZEDO 3G
Edge-Control: dca=esi
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=3600
Content-Type: application/x-javascript
Age: 196
Date: Mon, 17 Oct 2005 21:07:48 GMT
Expires: Mon, 17 Oct 2005 22:04:32 GMT
Content-Length: 3088
Connection: close

[extended JavaScript code omitted]

document.write("<SCRIPT LANGUAGE='JavaScript' SRC='http://c4.zedo.com//ads2/k/" + zxa + "/2077/172/0/350000355/350000355//0/350/" + zzSection + "/" + "/" + zxv + "/i.js'><\/SCRIPT>");

 

Zedo Loads Claria Belnk.Ad

GET //ads2/k/83990/2077/172/0/350000355/350000355//0/350/234//1000045/i.js HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: c4.zedo.com
Connection: Keep-Alive
Cookie: ZEDOIDX=29; ZEDOIDA=puwokdjrULAAADOeWigAAAAT; geo=497324; FFcat=350,355,8; FFad=0

HTTP/1.1 200 OK
Server: ZEDO 3G
Edge-Control: dca=esi
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=2592000
Content-Type: application/x-javascript
Age: 3903
Date: Mon, 17 Oct 2005 21:08:00 GMT
Expires: Wed, 16 Nov 2005 20:02:57 GMT
Content-Length: 343
Connection: close

var zzDate = new Date();

document.write('<script language="JavaScript" src="http://dist.belnk.com/4/placement/1461/ ?h=http://xads.zedo.com//ads2/c%3Fa=83990%3Bx=2077%3Bg=172,0%3Bc=350000355,350000355%3Bi=0 %3Bn=350%3Bs=234%3Bp%3D6%3Bf%3D124352%3Bk=http://dist.belnk.com/4/placement/1461/alt_lp/AQ UATICAREDIRECT.html"><\/script>');

 

Belnk.Ad Opens Claria Screensaver Ad

GET /4/placement/1461/?h=http://xads.zedo.com//ads2/c%3Fa=83990%3Bx=2077%3Bg=172,0 %3Bc=350000355,350000355%3Bi=0%3Bn=350%3Bs=234%3Bp%3D6%3Bf%3D124352%3Bk= http://dist.belnk.com/4/placement/1461/alt_lp/AQUATICAREDIRECT.html HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=350;c=355/6;s=234;d=8;w=120;h=600
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {DB5CC11C-030D-2BEC-A311-6B43D6FCBF02})
Host: dist.belnk.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Date: Mon, 17 Oct 2005 21:08:01 GMT
Server: Apache
X-Powered-By: PHP/4.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Mon, 17 Oct 2005 21:08:01 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
P3P: CP="NOI DEVa TAIa OUR BUS UNI", policyref="http://dist.belnk.com/w3c/p3p.xml"
Set-Cookie: MINT128=3445211BA09F60F90000B11BC02E; expires=Thu, 15-Oct-15 21:08:01 GMT; path=/; domain=.belnk.com
Set-Cookie: dPL=1461%3A613%3A1%3A435412b1%3A1; expires=Fri, 16-Dec-05 21:08:01 GMT; path=/; domain=.dist.belnk.com
Set-Cookie: dMS=5883%3A8%3A1%3A435412b1; expires=Fri, 16-Dec-05 21:08:01 GMT; path=/; domain=.dist.belnk.com
Location: ../../message/5883/?q=cD0xNDYxJmQ9MzU3MTI3JmVsPTEmdz1RMVFTc1Fy NUJwOEFBQnV4RE9JJmFtPTM0NDUyMTFCQTA5RjYwRjkwMDAwQjExQkMwMkU%3D&h=http%3A %2F%2Fxads.zedo.com%2F%2Fads2%2Fc%3Fa%3D83990%3Bx%3D2077%3Bg%3D172%2C0%3 Bc%3D350000355%2C350000355%3Bi%3D0%3Bn%3D350%3Bs%3D234%3Bp%3D6%3Bf%3D124 352%3Bk%3Dhttp%3A%2F%2Fdist.belnk.com%2F4%2Fplacement%2F1461%2Falt_lp%2F AQUATICAREDIRECT.html
Keep-Alive: timeout=120, max=9978
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html

 

 
enter">