Vonage
money viewers
   Traffic Marketplace    
money viewers
Targetsaver

Targetsaver Promoting Vonage
How Vonage Funds Spyware - Ben Edelman

This page presents a screenshot and packet log documenting Targetsaver promoting Vonage on June 19, 2006. Additional discussion.

 

Screenshot

On a PC with Targetsaver installed, I browsed AOL's web site. I received the Vonage popup shown below.

 

Packet Log

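The pop-up shown above is unlabeled -- it gives no direct indication that it came from Targetsaver spyware. But packet log analysis confirms that the ad was served in the way set out in the diagram at top-right. First, Targetsaver spyware sent traffic to its controlling server (yellow), including the URL of the AOL page I was viewing; the server sent back a URL to a Targetsaver ad-loader page (green). That page sent traffic to Traffic Marketplace (blue), which in turn sent me to aQuantive's Atlas (pink) (which tracks most Vonage ad placements). Finally, aQuantive's Atlas sent me to Vonage (red), yielding the ad shown in the screenshot. Each Date header below comes from the responding server's own clock, so the 04:10:07 stamp on the ad.trafficmp.com response, about fifteen minutes ahead of the other servers, most likely reflects clock skew on that server rather than a gap in the sequence.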

POST /adshow HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: TSA/4.0.4.0;Ts2/4.0.4.0;OS/Windows_XP 2600;IE/62600;...;AID/113;NU/1
Host: a.targetsaver.com
Content-Length: 3172
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CPA_REVENUE_HISTORY_CLIENT_ID=...

@ÓÄ.....q.......’q—DMon Jun 19 23:54:58 2006 ...gE‹k.... http://free.aol.com/tryaolfree/index3.adp?promo=532075&service=aol......

HTTP/1.1 200 OK
Date: Tue, 20 Jun 2006 03:54:59 GMT
Server: Apache/1.3.29 (Unix)
Content-Length: 564
Connection: close
Content-Type: application/octet-stream

..../...6...http://www.targetsaver.com/redirect.php?clientID=...&finalURL= http%3A%2F%2Fwww.targetsaver.com%2Fjs%2Fjf1.html&affiliateID=1839&trace=T:4(498)3(1524)...

 

GET /redirect.php?clientID=...&finalURL= http%3A%2F%2Fwww.targetsaver.com%2Fjs%2Fjf1.html&affiliateID=1839&trace=T:4(498)3(1524) HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: www.targetsaver.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Tue, 20 Jun 2006 03:55:00 GMT
Server: Apache/2.0.54 (Fedora)
X-Powered-By: PHP/5.0.4
P3P: policyref="http://www.targetsaver.com/w3c/p3p.xml", CP="ADMa IVAa OUR IND DSP NON COR"
Set-Cookie: ...
Content-Length: 439
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
<html>
<head>
<style>body{margin:0px;}</style>
<title>TargetSaver</title>
<base target="_blank">
<script language="JavaScript">window.opener=self;</script>
</head>
<body>
<IFRAME ID=IFrame1 FRAMEBORDER=0 SRC="http://www.targetsaver.com/js/jf1.html" SCROLLING=YES width=100% height=100%></IFRAME>
</body>
</html>

 

GET /js/jf1.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.targetsaver.com/redirect.php?clientID=...&finalURL= http%3A%2F%2Fwww.targetsaver.com%2Fjs%2Fjf1.html&affiliateID=1839&trace=T:4(498)3(1524)
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: www.targetsaver.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Date: Tue, 20 Jun 2006 03:55:01 GMT
Server: Apache/2.0.54 (Fedora)
Last-Modified: Wed, 15 Jun 2005 21:42:19 GMT
ETag: "3df700-16a-a08d64c0"
Accept-Ranges: bytes
Content-Length: 362
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
</head>
<body>

<script language="javascript" src="http://ad.trafficmp.com/tmpad/banner/ad/tmp.asp?poID=emwG"></script>

...

</body>
</html>

 

GET /tmpad/banner/ad/tmp.asp?poID=emwG HTTP/1.1
Accept: */*
Referer: http://www.targetsaver.com/js/jf1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: ad.trafficmp.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 20 Jun 2006 04:10:07 GMT
Connection: close
P3P: CP="NID PSD OUR STP STA NOI"
Content-Length: 5337
Content-Type: text/html
Expires: Tue, 20 Jun 2006 04:10:07 GMT
Cache-control: private

...
var poID = 15275;
...

if (window == top)
jURL = "http://t.trafficmp.com/p.t/i" + poID + "/" + ran_number + "/?" + top.window.location;
else
jURL = "http://t.trafficmp.com/p.t/i" + poID + "/" + ran_number + "/";

...

function loadWindow()
{
//alert('load window');
win = window.open("", Name, features, true);
self.focus();
if (win != null)
{
win.blur();
if(parseFloat(navigator.appVersion) >= 4) win.moveTo((screen.width-720)/2,(screen.height-420)/2);
win.document.writeln("<" + "script language='javascript1.1' src='"+jURL+"'>");
win.document.writeln("</" + "script>");
setCookie();
document.onclick = null;
popped = 1;
}
}

...

if (ShockMode && MSIE == 1)
{
document.writeln("<span style=width:1;height:1;>");
document.writeln("<OBJECT classid=clsid:D27CDB6E-AE6D-11cf-96B8-444553540000");
document.writeln("codebase=http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0");
document.writeln("WIDTH=1 HEIGHT=1 id=tmp VIEWASTEXT>");
document.writeln("<PARAM NAME=movie VALUE=http://ad.trafficmp.com/tmpad/banner/ad/tmp.swf?URL=" + URL + "&Name=" + Name + ">");
document.writeln("<PARAM NAME=quality VALUE=high>");
document.writeln("<PARAM NAME=bgcolor VALUE=#FFFFFF>");
document.writeln("<PARAM NAME=wmode VALUE=transparent>");
document.writeln("<EMBED src=http://ad.trafficmp.com/tmpad/banner/ad/tmp.swf?URL=" + URL + "&Name=" + Name + " quality=high wmode=transparent bgcolor=#FFFFFF WIDTH=1 HEIGHT=1 NAME=tmp swLiveConnect=true TYPE=application/x-shockwave-flash PLUGINSPAGE=http://www.macromedia.com/go/getflashplayer>");
document.writeln("</EMBED></OBJECT>");
document.writeln("</span>");
window.onload = callFirstAttempt;
}
...

 

GET /p.t/i15275/37389831/ HTTP/1.1
Accept: */*
Referer: http://www.targetsaver.com/js/jf1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: t.trafficmp.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: TrafficMarketPlace-JForce/3.4.3.0
Expires: Tues, 1 Jan 2002 01:00:00 GMT
Pragma: no-cache
Connection: close
P3P: CP="NID PSD OUR STP STA NOI"
Cache-Control: private, no-cache="Set-Cookie"
Content-Type: text/html
Content-Length: 77
Set-Cookie: ...

self.location='http://clk.atdmt.com/VON/go/trffevon0740000126von/direct/01/';

 

GET /VON/go/trffevon0740000126von/direct/01/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: clk.atdmt.com
Connection: Keep-Alive

HTTP/1.1 302 Object moved
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: 0
Location: http://www.vonage.com/startsavingnow
Server: Microsoft-IIS/6.0
P3P: CP="DSP COR NOI PSAo PSDo CUR ADMa DEVa OUR BUS UNI NAV INT COM STA PUR DEM PRE HEA FIN OTC POL"
Set-Cookie: ...
Connection: close
Date: Tue, 20 Jun 2006 03:55:04 GMT