SurfSideKick Sending Traffic Directly to Hula's Venus123 - Packet Log and Screenshot
Banner Farms in the Crosshairs - Ben Edelman

This page gives packet log and screenshot proof of traffic passing from SurfSideKick (controlling server kmpads.com, yellow) directly to Hula's Clickandtrack.net (green) and on to Hula's Venus123 (blue).

Because this packet log shows traffic flowing directly from SurfSideKick spyware to Hula's ClickAndTrack tracking server, this log serves as strong evidence that Hula knew, or reasonably should have known, that it was receiving traffic from notorious spyware such as SurfSideKick. See also other examples.

The screenshot and packet log were taken on May 22, 2006.

 

Packet Log

GET /ip8545640772.htm?cid=77975&pc_id=88107275&d=127928311283130787&pck_id=79&guid=01000201-0184-290C-0000-001588000000&ctg_id=26&sub_id=&version=6.5.20&bapo=0&rnd=1300901448&info=ver1IzkJMjAwNi0wNS0yMiAyMToxMjowODozMSAtMDcJNzc5NzUJODgxMDcyNzUJNzkJNTgzNTA0CQkyNglBZGR5LkltcHJlc3Npb25JbmZvCTAxMDAwMjAxLTAxODQtMjkwQy0wMDAwLTAwMTU4ODAwMDAwMAkoZGkgaXMgbnVsbCkJYWQuZG91YmxlY2xpY2submV0CTA%24&link=http%3a%2f%2fhits.clickandtrack.net%2fcgi-bin%2fhit%3fpage%3d12107-114178810016011 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ads.kmpads.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Content-Length: 239
Content-Type: text/html
Last-Modified: Wed, 09 Nov 2005 13:36:35 GMT
Accept-Ranges: bytes
ETag: "2cf26c9a32e5c51:341"
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR NID ADMa DEVa TAIo PSAo PSDo OUR BUS IND COM NAV STA"
X-Powered-By: ASP.NET
Date: Mon, 22 May 2006 21:12:12 GMT

<html>
<script>
navigator.ipixelLoaded = true;
var px = new RegExp('(\\?|&)link=(.+)($|&)', 'ig');
if (self.location.href.match(px) != null)
{
self.location.replace(unescape(RegExp.$2));
}
</script>
</html>

 

GET /cgi-bin/hit?page=12107-114178810016011 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: hits.clickandtrack.net
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Moved
Date: Mon, 22 May 2006 21:12:15 GMT
Server: Apache/2.0.40 (Red Hat Linux)
P3P: policyref="/w3c/p3p.xml", CP="NOI CUR ADM DEV OUR BUS NAV"
Set-Cookie: ...
Location: http://venus123.com/index_tiny.asp?st=10176&sc=123041&lc=60&ld=25&sf=1&flc=4&fld=35&sp=0&fd=8
Content-Length: 309
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Moved</title>
</head><body>
<h1>Moved</h1>
<p>The document has moved <a href="http://venus123.com/index_tiny.asp?st=10176&amp;sc=123041&amp;lc=60&amp;ld=25&amp;sf=1&amp;flc=4&amp;fld=35&amp;sp=0&amp;fd=8">here</a>.</p> </body></html>
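
The hop sequence in the log above can be reconstructed mechanically. The following Python is an added example, not part of the original page: it applies the same link= pattern that the logged kmpads.com script uses, then reads the Location header of the 302 response. The request target is abbreviated (the info= value is a placeholder and several parameters are omitted), and the function names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed input: Host values and URLs copied from the packet log above;
# the first request target is abbreviated (info= replaced by a placeholder).
FIRST_HOST = "ads.kmpads.com"
FIRST_TARGET = ("/ip8545640772.htm?cid=77975&pc_id=88107275&info=PLACEHOLDER"
                "&link=http%3a%2f%2fhits.clickandtrack.net%2fcgi-bin%2fhit"
                "%3fpage%3d12107-114178810016011")
SECOND_RESPONSE = (
    "HTTP/1.1 302 Moved\r\n"
    "Server: Apache/2.0.40 (Red Hat Linux)\r\n"
    "Location: http://venus123.com/index_tiny.asp?st=10176&sc=123041&lc=60"
    "&ld=25&sf=1&flc=4&fld=35&sp=0&fd=8\r\n"
    "Connection: close\r\n\r\n")

# Same pattern as the logged script: greedy capture of everything after link=
LINK_RE = re.compile(r"(\?|&)link=(.+)($|&)", re.IGNORECASE)

def script_redirect_target(url):
    """URL the logged script would hand to location.replace(), or None."""
    m = LINK_RE.search(url)
    return unquote(m.group(2)) if m else None

def header_redirect_target(raw_response):
    """Location header of a 3xx response, or None for any other status."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\r\n")
    status = head[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None

def redirect_chain():
    """Ordered (hostname, trigger) pairs for the hops seen in the log."""
    chain = [(FIRST_HOST, "initial request")]
    hop2 = script_redirect_target("http://" + FIRST_HOST + FIRST_TARGET)
    chain.append((urlsplit(hop2).hostname, "script location.replace()"))
    hop3 = header_redirect_target(SECOND_RESPONSE)
    chain.append((urlsplit(hop3).hostname, "HTTP 302 Location"))
    return chain

if __name__ == "__main__":
    for host, how in redirect_chain():
        print(f"{host:26} {how}")
```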

 

Screenshot

The image below shows the resulting on-screen display (partially scrolled down). Note that the on-screen display was partially modified by SearchingBooth. (SearchingBooth had injected another ad into the top of the Venus123 site, as is its general practice. Further discussion.)

 

To confirm that ClickAndTrack.net is one and the same as Hula, see ClickAndTrack's Whois data. Notice the email address @huladirect.com, as well as the listed company name.