Deskwizz/Searchingbooth, Right Media Promoting Cingular
Advertising Through Spyware -- After Promising to Stop - Ben Edelman
This page gives a screenshot and packet log reporting Deskwizz/Searchingbooth promoting Cingular on March 9, 2007 (the Date headers in the packet log read March 10 because they are in GMT). Additional discussion.
On a PC with Deskwizz/Searchingbooth installed, I requested true.com. I received the Cingular ad shown below. Notice the insertion of the Cingular ad into a frame below the True.com site -- even though True.com does not sell this advertising space to any advertiser for any price.
The injected Cingular ad (shown above) is unlabeled -- without any direct indication that it came from Deskwizz/Searchingbooth spyware. But packet log analysis confirms that Deskwizz/Searchingbooth was directly responsible for the injection. First, the Deskwizz/Searchingbooth spyware on my test PC sent a request to its controlling server headlinesandnews.com (yellow), seeking an ad to inject into the True site (shown, for good measure, as the HTTP Referer of the request, green). Headlinesandnews replied with a URL to Rmxads (blue), a division of Right Media. Rmxads in turn sent me on to the Right Media Exchange marketplace (yieldmanager.com) (grey). The request to yieldmanager.com carried the True.com page address in its u= parameter, so the exchange received the address of the page the user was viewing. Right Media sent back an Atlas tracking link (atdmt.com) (pink) that ultimately redirected to Cingular (red).
GET /media/servlet/view/banner/unique/url/strip?zid=26&pid=0&total=3&layout=vertical&margin=0&padding=0&DHWidth=728&DHHeight=270&DHScroll=no&Ref=30 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.true.com/phelp_landing.htm?svw=global
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: servedby.headlinesandnews.com
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 1197
Date: Sat, 10 Mar 2007 00:34:14 GMT
<DIV style="padding: 0px"><TABLE border="0" cellpadding="0" cellspacing="0"><TR valign="middle"><TD align="center" NOWRAP><!-- BEGIN STANDARD TAG - 728 x 90 - http://games.uzoogle.com: Run-of-site - DO NOT MODIFY -->
<script type="text/javascript" src="http://content.globalinteractive.com/rmtag3.js"></script>
<script language="JavaScript">
var rm_host = "http://ad.globalinteractive.com";
var rm_section_id = 117772;
rmShowAd("728x90");
</script>
<!-- END TAG -->
</TD></TR><TR valign="middle"><TD align="center" style="padding: 0px 0px 0px 0px" NOWRAP><!-- BEGIN STANDARD TAG - 728 x 90 - ROS: Uzoogle - DO NOT MODIFY -->
<script type="text/javascript" src="http://content.ad-flow.com/rmtag3.js"></script>
<script language="JavaScript">
var rm_host = "http://ad.ad-flow.com";
var rm_section_id = 118935;
rmShowAd("728x90");
</script>
<!-- END TAG -->
</TD></TR><TR valign="middle"><TD align="center" style="padding: 0px 0px 0px 0px" NOWRAP><!-- BEGIN TAG - 728x90 - headlinesandnews.com - DO NOT MODIFY -->
<script type="text/javascript" src="http://optimizedby.rmxads.com/st?ad_type=ad&ad_size=728x90&section=160636"></script>
<!-- END TAG -->
</TD></TR></TABLE></DIV>
GET /st?ad_type=ad&ad_size=728x90&section=160636 HTTP/1.1
Accept: */*
Referer: http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?zid=26&pid=0&total=3&layout=vertical&margin=0&padding=0&DHWidth=728&DHHeight=270&DHScroll=no&Ref=30
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: optimizedby.rmxads.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:34:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:15 GMT
Pragma: no-cache
Content-Length: 4354
Connection: close
/*
 * Annotation added for readers; it is not part of the captured response body.
 *
 * This is the tag script returned by optimizedby.rmxads.com. It assembles an
 * impression URL in rm_url and emits a SCRIPT tag for it with document.write:
 *   - rm_url starts as the ad.yieldmanager.com /imp URL (ad size, section id, salt).
 *   - Entries of rm_crex_data (or of rm_pb_data when rm_passback is non-zero) are
 *     appended as a comma-separated &X= list; the passback branch also adds &Y=pb.
 *   - If no "rmCookiesChecked" cookie is present, a test cookie is written and
 *     &B=2 (the cookie was stored) or &B=1 (it was not) is appended.
 *   - &u= carries a page address: top.location.href when the script runs in the
 *     top window, otherwise document.referrer; the value is URI-encoded and then
 *     cut to 256 characters. &r=1 marks the top-level case, &r=0 the framed case.
 *     The /imp request in this capture shows r=0 with u= set to the True.com page,
 *     i.e. the framed branch forwarded the address of the page being viewed.
 *   - &m=2 is appended when no Flash version is detected, &m=23 when rm_ban_flash is 1.
 *   - When rm_pop_frequency is set, the tag is written only if rmCanShowPop()
 *     allows it or rm_pop_nofreqcap is set; otherwise it is always written.
 * The helper functions that follow read and write cookies (writeCookie uses a
 * 14-day expiry), detect Flash, and keep cookie-based show counts for pops.
 *
 * NOTE(review): flashDetection() calls eval(), but only on a string built from
 * the loop counter x (2 to 9), not on data taken from the page or the network.
 * NOTE(review): offset, end, x, oFlash and return_value are assigned without var,
 * so in this non-strict script they become globals of the document it runs in.
 */
/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;rm_url = "http://ad.yieldmanager.com/imp?Z=728x90&s=160636&_salt=3434563176";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(rm_crex_data.length>0){rm_url+="&X=";for(var i=0;i<rm_crex_data.length;i++){rm_url+=rm_crex_data[i];if(i!=rm_crex_data.length-1){rm_url+=",";}}}}else{rm_pb_data.push(rm_crex_data.pop());rm_url+="&X=";for(var i=0;i<rm_pb_data.length;i++){rm_url+=rm_pb_data[i];if(i!=rm_pb_data.length-1){rm_url+=",";}}rm_url+="&Y=pb";}var gCookieName="rmCookiesChecked";if(document.cookie.indexOf(gCookieName)==-1){writeCookie(gCookieName,"1");if(document.cookie.indexOf(gCookieName)!=-1){rm_url+="&B=2";}else{rm_url+="&B=1";}}var url='';try{if(top==self){url=encodeURIComponent(top.location.href);}else{url=encodeURIComponent(document.referrer);}url=url.substr(0,256);}catch(e){}rm_url+="&u="+url;if(top==self){rm_url+="&r=1";}else{rm_url+="&r=0";}var rm_flash_version=0;if(flashInstalledCookieExists()){rm_flash_version=flashInstalledCookieExists();}else{var flash=new Object();flash=flashDetection();if(flash.installed==true){writeFlashInstalledCookie(flash.version);rm_flash_version=flash.version;}else{writeFlashInstalledCookie(0);}}if(rm_flash_version==0){rm_url+="&m=2";}else if(rm_ban_flash==1){rm_url+="&m=23";}var rm_tag_src='<SCRIPT TYPE="text/javascript" SRC="'+rm_url+'"><\/SCRIPT>';if(rm_pop_frequency){if(rmCanShowPop(rm_pop_id,rm_pop_times,rm_pop_frequency)||rm_pop_nofreqcap){document.write(rm_tag_src);}}else{document.write(rm_tag_src);}function flashInstalledCookieExists(){var cookieName="flashInstalled";if(rmGetCookie(cookieName)==null){return false;}else{return rmGetCookie(cookieName);}}function rmGetCookie(Name){var search=Name+"=";var 
CookieString=document.cookie;var result=null;if(CookieString.length>0){offset=CookieString.indexOf(search);if(offset!=-1){offset+=search.length;end=CookieString.indexOf(";",offset);if(end==-1){end=CookieString.length;}result=unescape(CookieString.substring(offset,end));}}return result;}function flashDetection(){var flash=new Object();flash.installed=false;flash.version='0.0';if(navigator.plugins&&navigator.plugins.length){for(x=0;x<navigator.plugins.length;x++){if(navigator.plugins[x].name.indexOf('Shockwave Flash')!=-1){flash.version=navigator.plugins[x].description.split('Shockwave Flash ')[1];flash.installed=true;break;}}}else if(window.ActiveXObject){for(x=2;x<10;x++){try{oFlash=eval("new ActiveXObject('ShockwaveFlash.ShockwaveFlash."+x+"');");if(oFlash){flash.installed=true;flash.version=x+'.0';}}catch(e){}}}return flash;}function writeFlashInstalledCookie(version){writeCookie("flashInstalled",version);}function rmReplace(myString,toReplace,replaceBy){return(myString.replace(new RegExp(toReplace,'gi'),replaceBy));}function writeCookie(ckName,ckVal){var numdays=14;var today=new Date();var expires=new Date();expires.setTime(today.getTime()+(1000*60*60*24*numdays));var cookieText=ckName+"="+ckVal+";expires="+expires.toGMTString()+";path=/;";document.cookie=cookieText;return null;}function rmCanShowPop(rm_pop_id,pop_times,pop_frequency){var countCookieName=RM_POP_COOKIE_NAME+rm_pop_id;var expireCookieName=RM_POP_COOKIE_NAME+"_expiration"+rm_pop_id;var shownTimes=rmGetCookie(countCookieName);if(shownTimes==null){rmWriteExpirationCookie(expireCookieName,pop_frequency);shownTimes=0;}else{shownTimes=Number(shownTimes);}if(shownTimes<pop_times){shownTimes=1+shownTimes;var expiration=rmGetCookie(expireCookieName);rmWritePopFrequencyCookie(rm_pop_id,shownTimes,expiration);return_value=true;}else{return_value=false;}return return_value;}function rmWritePopFrequencyCookie(rm_pop_id,shownTimes,expiration){var cookieName=RM_POP_COOKIE_NAME+rm_pop_id;var 
cookieText=cookieName+"="+shownTimes+";"+"expires="+expiration+";path=/;";document.cookie=cookieText;}function rmWriteExpirationCookie(cookieName,frequency){var today=new Date();var expires=new Date();expires.setTime(today.getTime()+(1000*frequency));var cookieText=cookieName+"="+expires.toGMTString()+";"+"expires="+expires.toGMTString()+";path=/;";document.cookie=cookieText;}
GET /imp?Z=728x90&s=160636&_salt=3434563176&u=http%3A%2F%2Fwww.true.com%2Fphelp_landing.htm%3Fsvw%3Dglobal&r=0 HTTP/1.1
Accept: */*
Referer: http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?zid=26&pid=0&total=3&layout=vertical&margin=0&padding=0&DHWidth=728&DHHeight=270&DHScroll=no&Ref=30
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:34:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Advertiser: 6020
X-RightMedia-Creative: 214009
X-RightMedia-Campaign: 87221
X-RightMedia-Vurl: 7912
Set-Cookie: ...
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:15 GMT
Pragma: no-cache
Content-Length: 619
Content-Type: application/x-javascript
Connection: close
if (window.rm_crex_data) {rm_crex_data.push(214009);}
document.write('<iframe scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="90" width="728" src="http://optimizedby.rmxads.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEcJXT-6-s0.jhI0973lzj-7h800m.vYP3YPVqNzv9k.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmRnvCofhOgIMIAuemih11YR9Tp7sr3C0DbMqeQAAAAA=,,http://www.true.com/phelp_landing.htm?svw=global"></iframe>');
var rm_data = new Object();
rm_data.creative_id = 214009;
rm_data.offer_type = 16;
rm_data.entity_id = 6020;
GET /iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEcJXT-6-s0.jhI0973lzj-7h800m.vYP3YPVqNzv9k.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmRnvCofhOgIMIAuemih11YR9Tp7sr3C0DbMqeQAAAAA=,,http://www.true.com/phelp_landing.htm?svw=global HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?zid=26&pid=0&total=3&layout=vertical&margin=0&padding=0&DHWidth=728&DHHeight=270&DHScroll=no&Ref=30
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: optimizedby.rmxads.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sat, 10 Mar 2007 00:34:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEcJXT-6-s0.jhI0973lzj-7h800m.vYP3YPVqNzv9k.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmRnvCofhOgIMIAuemih11YR9Tp7sr3C0DbMqeQAAAAA=,,http://www.true.com/phelp_landing.htm?svw=global
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:15 GMT
Pragma: no-cache
Content-Length: 0
Connection: close
GET /iframe3?6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEcJXT-6-s0.jhI0973lzj-7h800m.vYP3YPVqNzv9k.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmRnvCofhOgIMIAuemih11YR9Tp7sr3C0DbMqeQAAAAA=,,http://www.true.com/phelp_landing.htm?svw=global HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://servedby.headlinesandnews.com/media/servlet/view/banner/unique/url/strip?zid=26&pid=0&total=3&layout=vertical&margin=0&padding=0&DHWidth=728&DHHeight=270&DHScroll=no&Ref=30
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com
HTTP/1.1 200 OK
Date: Sat, 10 Mar 2007 00:34:15 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Cache-Control: no-store
Last-Modified: Sat, 10 Mar 2007 00:34:15 GMT
Pragma: no-cache
Content-Length: 650
Content-Type: text/html
Connection: close
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><script type="text/javascript">if (window.rm_crex_data) {rm_crex_data.push(214009);}
</script><iframe src="http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://optimizedby.rmxads.com/click,6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAf98UUAAAAA,,http%3A%2F%2Fwww%2Etrue%2Ecom%2Fphelp%5Flanding%2Ehtm%3Fsvw%3Dglobal," frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" allowtransparency="true" width="728" height="90"></iframe></body></html>
GET /goiframe/22411278/rghtccin0470000088cnt/direct;wi.728;hi.90/01 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://optimizedby.rmxads.com/click,6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAf98UUAAAAA,,http%3A%2F%2Fwww%2Etrue%2Ecom%2Fphelp%5Flanding%2Ehtm%3Fsvw%3Dglobal,
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: Keep-Alive
Host: clk.atdmt.com
Cookie: ...
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.cingular.com/cell-phone-service/cell-phone-details/?q_list=true&q_phoneName=Nokia+6030+(Refurb)+-+GoPhone+(Pay+As+You+Go)&q_sku=sku40023
Connection: close
Date: Sat, 10 Mar 2007 00:34:51 GMT
GET /cell-phone-service/cell-phone-details/?q_list=true&q_phoneName=Nokia+6030+(Refurb)+-+GoPhone+(Pay+As+You+Go)&q_sku=sku40023 HTTP/1.1
Accept: */*
Referer: http://view.atdmt.com/CNT/iview/rghtccin0470000088cnt/direct;wi.728;hi.90/01?click=http://optimizedby.rmxads.com/click,6B4AAHxzAgD5QwMAtVQBAAIAAAAAAP8AAAAGFAAABgJQFQIAoiQCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAf98UUAAAAA,,http%3A%2F%2Fwww%2Etrue%2Ecom%2Fphelp%5Flanding%2Ehtm%3Fsvw%3Dglobal,
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: www.cingular.com
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 302 Moved Temporarily
Server: Sun-ONE-Web-Server/6.1
Content-Type: text/html
X-atg-version: ATGPlatform/2006.3 [ DASLicense/0 DPSLicense/2 DSSLicense/0 B2CLicense/0 ]
P3p: policyref=""/w3c/p3p.xml"", CP="CAO DSP COR LAW CURa ADMa DEVa TAIa PSAa PSDa OUR DELa BUS IND PHY ONL UNI PUR COM NAV DEM STA GOV"
Location: http://www.cingular.com/cell-phone-service/get-started/index.jsp?q_returnUrl=/cell-phone-service/cell-phone-details/%3Fq_list%3Dtrue%26q_phoneName%3DNokia%2B6030%2B(Refurb)%2B-%2BGoPhone%2B(Pay%2BAs%2BYou%2BGo)%26q_sku%3Dsku40023
Expires: Sat, 10 Mar 2007 00:34:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Vary: Accept-Encoding
Date: Sat, 10 Mar 2007 00:34:52 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Set-Cookie: ...
<HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<H1>302 Moved Temporarily</H1><BODY>
</BODY>