[Diagram: Vonage, aQuantive / Atlas, YieldManager, Adecn, MediaPrecision and Fullcontext, each linked to the next by "money" and "viewers" arrows.]

SearchingBooth Promoting Vonage
How Vonage Funds Spyware - Ben Edelman

This page gives a screenshot and packet log reporting SearchingBooth promoting Vonage on June 30, 2006. Additional discussion.

 

Screenshot

On a PC with SearchingBooth installed, I requested true.com. I received the Vonage ad shown below. Notice the insertion of the Vonage ad into a frame above the True.com site -- even though True.com does not sell this advertising space to any advertiser for any price.

Note also the exceptionally large size of the Vonage ad -- greatly reducing the amount of True.com material visible on screen. The Vonage ad is 300 pixels tall, leaving only 127 pixels of usable screen height (net of toolbars, title bars, the taskbar, etc.) for True.com. Were it not for SearchingBooth's intervention, True.com would have had the full 427 pixels of height. SearchingBooth thereby reduced True.com's screen space by more than 70%.

 

Packet Log

The injected Vonage ad (shown above) is unlabeled -- without any direct indication that it came from SearchingBooth spyware. But packet log analysis confirms that SearchingBooth was directly responsible for the injection. First SearchingBooth spyware on my test PC sent a request to its controlling server (yellow), seeking an ad to inject into the True.com site (shown, for good measure, as the HTTP Referer of the request, green). SearchingBooth's controlling server replied with a URL to Rpowermedia (grey), which redirected me to Adecn (brown). Adecn then sent me to Traffic Marketplace (blue), which specified a URL at aQuantive's Atlas (pink) (which tracks most Vonage ad placements). Finally, aQuantive's Atlas redirected me to Vonage (red).

GET /advertpro/servlet/view/dynamic/html/zone?zid=3&pid=0&DHWidth=720&DHHeight=300&DHScroll=no HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.true.com/default.htm
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: banners.searchingbooth.com
Connection: Keep-Alive
Cookie: AVPUID=e945715cfbfd41325af59008a8048b26

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 469
Date: Fri, 30 Jun 2006 20:44:59 GMT

<HTML>
<HEAD>
<META http-equiv="refresh" content="30;url=http://banners.searchingbooth.com/advertpro/servlet/ view/dynamic/html/zone?zid=30&pid=0&DHWidth=720&DHHeight=300&DHScroll=no">
</HEAD>
<BODY>
<CENTER>
<IFRAME marginheight="0" frameborder="0" width="720" height="300" align="center" marginwidth="0" scrolling="no" src="http://serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone?zid=26&pid=1">
</BODY>
</HTML>

 

GET /advertpro/servlet/view/banner/url/zone?zid=26&pid=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html/zone?zid=3&pid=0&DHWidth=720&DHHeight=300&DHScroll=no
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: serving.rpowermedia.com
Connection: Keep-Alive
Cookie: AVPUID=...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 589
Date: Fri, 30 Jun 2006 20:45:01 GMT

<iframe src="http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368;width=775;height=575" width="775" height="575" align="middle" frameborder="0" marginwidth="0" marginheight="0" scrolling="no"><script language="JavaScript" src="http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368;width=775;height=575"></script><noscript><a href="http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368;width=775;height=575"><img src="http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368;width=775;height=575" border="0"></a></noscript>
</iframe>

 

GET /here.spot?v=2.0;time=516;spotId=2368;c=0;ms=1151700298600;ref=http%3A//serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone%3Fzid%3D26%26pid%3D1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368;width=775;height=575
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad2.adecn.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Transfer-encoding: chunked
Date: Fri, 30 Jun 2006 20:45:02 GMT
Last-modified: Fri, 30 Jun 2006 20:45:01 GMT
P3p: policyref="http://www.experclick.com/w3c/p3p.xml", CP="OTI DSP COR IVAa IVDa OUR BUS COM NAV DEM"
Content-type: text/html
Server: ADECN/2.0
Set-Cookie: ...

<html><head><title></title></head><body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0'>
<script src="http://cds.adecn.com/adecn/script.js"></script>
<script>
</script>
<IFRAME SRC="http://t.trafficmp.com/b.t/emhG/24787258946" WIDTH="775" HEIGHT="575" MARGINWIDTH="0" MARGINHEIGHT="0" HSPACE="0" VSPACE="0" FRAMEBORDER="0" SCROLLING=yes BORDERCOLOR="#000000"></IFRAME>
<script language='javascript'>window.resizeTo(775,575);</script>
</body></html>

 

GET /b.t/emhG/24787258946 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad2.adecn.com/here.spot?v=2.0;time=516;spotId=2368;c=0;ms=1151700298600;ref=http%3A//serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone%3Fzid%3D26%26pid%3D1
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: t.trafficmp.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Object moved
Server: TrafficMarketPlace-JForce/3.4.3.0
Expires: Tues, 1 Jan 2002 01:00:00 GMT
Pragma: no-cache
Connection: close
P3P: CP="NID PSD OUR STP STA NOI"
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Location: http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
Content-Length: 179
Set-Cookie: ...

<head><title>Object moved</title></head><body><h1>Object Moved</h1>This object may be found <a HREF="http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/">here</a>.</body>

 

GET /VON/go/trffevon0740000126von/direct/01/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad2.adecn.com/here.spot?v=2.0;time=516;spotId=2368;c=0;ms=1151700298600;ref=http%3A//serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone%3Fzid%3D26%26pid%3D1
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: clk.atdmt.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.vonage.com/startsavingnow
Connection: close
Date: Fri, 30 Jun 2006 20:45:02 GMT
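
The chain traced in the packet log above can be rebuilt mechanically by linking each request to the response that caused it. This is an added example, not part of the original page; the function names are hypothetical, and the sample is constructed from the logged transactions with long query strings cut.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the five logged transactions, trimmed to request line,
# Referer, Host and the response's next-hop pointer (long query strings cut).
CAPTURE = """\
GET /advertpro/servlet/view/dynamic/html/zone?zid=3&pid=0 HTTP/1.1
Referer: http://www.true.com/default.htm
Host: banners.searchingbooth.com
<IFRAME width="720" height="300" src="http://serving.rpowermedia.com/advertpro/servlet/view/banner/url/zone?zid=26&pid=1">
GET /advertpro/servlet/view/banner/url/zone?zid=26&pid=1 HTTP/1.1
Referer: http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html/zone?zid=3&pid=0
Host: serving.rpowermedia.com
<iframe src="http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368" width="775" height="575">
GET /here.spot?v=2.0;time=516;spotId=2368 HTTP/1.1
Referer: http://cds.adecn.com/adecn/spot.html?v=2.0;siteId=60600;spotId=2368
Host: ad2.adecn.com
<IFRAME SRC="http://t.trafficmp.com/b.t/emhG/24787258946" WIDTH="775" HEIGHT="575"></IFRAME>
GET /b.t/emhG/24787258946 HTTP/1.1
Referer: http://ad2.adecn.com/here.spot?v=2.0;time=516;spotId=2368
Host: t.trafficmp.com
Location: http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/
GET /VON/go/trffevon0740000126von/direct/01/ HTTP/1.1
Referer: http://ad2.adecn.com/here.spot?v=2.0;time=516;spotId=2368
Host: clk.atdmt.com
Location: http://www.vonage.com/startsavingnow
"""

def parse(capture):  # one dict per transaction, split at each request line
    txns = []
    for block in re.split(r"(?m)^(?=GET )", capture)[1:]:
        f = dict(re.findall(r"(?m)^(Host|Referer|Location): *(\S+)", block))
        frame = re.search(r'(?i)<iframe[^>]*\bsrc="([^"]+)"', block)
        txns.append({"url": "http://" + f["Host"] + block.split()[1], "referer": f["Referer"],
                     "how": "redirect" if "Location" in f else "iframe",
                     "next": f.get("Location") or (frame and frame.group(1))})
    return txns

def chain(txns):
    host = lambda u: urlsplit(u).hostname
    edges = []
    for i, t in enumerate(txns):
        # A 302 keeps the framing page's Referer, so match Location first; else the
        # Referer is a logged request or a URL an earlier response embedded.
        parent = (next((p for p in txns[:i] if p["how"] == "redirect" and p["next"] == t["url"]), None)
                  or next((p for p in txns[:i] if t["referer"] in (p["url"], p["next"])), None))
        src, how = (parent["url"], parent["how"]) if parent else (t["referer"], "no logged parent")
        edges.append((host(src), how, host(t["url"])))
    return edges + [(host(txns[-1]["url"]), txns[-1]["how"], host(txns[-1]["next"]))]
```

Linking on Referer alone would attribute the clk.atdmt.com request to ad2.adecn.com and drop Traffic Marketplace from the chain, because the request that follows the 302 still carries the framing page's Referer.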