[Diagram (top-right): the ad chain reconstructed from the packet log, each link labelled "money" in one direction and "viewers" in the other: Look2me / Ad-w-a-r-e / Intern-etadvertising, FirstAdSolution / Oridian, YieldManager, Falk AG / DoubleClick, Instant Navigation / eXact Advertising, MyGeek, Naughtyplay]

Look2me/Ad-w-a-r-e, FirstAdSolution, YieldManager, Falk AG/DoubleClick, eXact Advertising, and MyGeek Showing Naughtyplay
Spyware Showing Unrequested Sexually-Explicit Images - Ben Edelman

This page gives a screenshot and packet log reporting a Look2me/Ad-w-a-r-e ad display on May 7, 2006. Additional discussion.

 

Screenshots

On a massively infected test PC, I attempted to view Google.com. I received a series of pop-ups, ultimately including the image shown below.

This screenshot has been modified to cover sexually-explicit areas and to reconstruct screen portions damaged by video compression.

 

Packet Log

Packet log analysis indicates that the popup shown above was served in the way set out in the diagram at top-right. First, Look2me sought an ad from its controlling server, Ad-w-a-r-e.com (yellow). Look2me selected this ad based on minimal targeting, noting only that I was then browsing (or requesting to browse) Google (light yellow). The Ad-w-a-r-e controlling server specified an ad at intern-etadvertising.com (light green), a standard Look2me ad farm which shows untargeted (run-of-network) ads. Intern-etadvertising specified that the ad was to come from Firstadsolution.com (dark green), which in turn sent me to YieldManager (blue), which specified that the ad was actually at Falkag.net (pink) (part of DoubleClick). Falk AG in turn sent me on to Instantnavigation.com (eXact Advertising) (grey). Instantnavigation sent me to the 207.97.227.29 server (also eXact Advertising) (grey), which then sent me to MyGeek (orange), which finally passed me to Naughtyplay (red), the sexually-explicit web site shown to me.
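The chain described above can be recovered mechanically from a capture like the one below. The following is an added Python example, not code from Edelman's page: it pairs each request with its response, pulls out every way a response hands the browser to another host (Location header, Look2me's POPUP: line, iframe/script sources, meta refresh, auto-submitted form), and lists the hosts the user never asked for. The embedded log is a constructed sample condensed from this page's exchanges, and the function names are the example's own.

```python
import re
# Constructed sample: exchanges condensed from the page's packet log, headers trimmed.
SAMPLE_LOG = r"""POST /cgi-bin/UMonitorV2 HTTP/1.0
Host: www.ad-w-a-r-e.com

HTTP/1.1 200 OK

POPUP:http://www.intern-etadvertising.com/muon.html

GET /imp?z=0&s=3926 HTTP/1.1
Host: ad.firstadsolution.com

HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?z=0&s=3926

GET /search.php?cat=dvd&partner=ap_tk HTTP/1.1
Host: www.instantnavigation.com

HTTP/1.1 200 OK

<meta http-equiv="refresh" content="2;url=http://ad.yieldmanager.com/imp?z=0&s=40249">
document.write("<FORM name=\"mainform\" method=post action=\" http://207.97.227.29/clk/\">\n");"""

# How a response hands the browser on: redirect, Look2me's POPUP: line, iframe/script src, meta refresh, form action.
NEXT_HOP_PATTERNS = [re.compile(p, re.M | re.I) for p in (
    r"^Location:\s*(\S+)", r"^POPUP:(\S+)", r'<(?:iframe|script)[^>]*\bsrc="([^"]+)"',
    r'http-equiv="refresh"[^>]*url=([^"]+)"', r'action=\\?"\s*([^"\\\s]+)')]

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else None

def redirect_chain(log):
    """Per request/response pair: (host contacted, hosts the response sent the browser on to)."""
    chain, request = [], None
    for block in re.split(r"\n(?=(?:GET|POST) |HTTP/)", log.strip()):  # split at request/status lines
        if block.startswith("HTTP/"):
            host = re.search(r"^Host:\s*(\S+)", request, re.M | re.I).group(1)
            hops = [h for pat in NEXT_HOP_PATTERNS for h in map(host_of, pat.findall(block)) if h]
            chain.append((host, hops))
        else:
            request = block
    return chain

def unrequested_hosts(log, first_party):
    """Hosts contacted or handed to, other than the site the user asked for, in first-seen order."""
    seen = {}
    for host, hops in redirect_chain(log):
        seen.update((h, None) for h in [host] + hops if h != first_party)
    return list(seen)
```

Run against a full capture, the output is the list of third parties that received the visitor (and the traffic) without the visitor ever requesting them, which is the core of the complaint this page documents.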

POST /cgi-bin/UMonitorV2 HTTP/1.0
Host: www.ad-w-a-r-e.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Referer:
Connection: close
Content-Length: 68
Content-Type: application/x-www-form-urlencoded

!{B67536BD-C7AB-E94F-9C19-...} HTTP www.google.com / Popup!

HTTP/1.1 200 OK
Set-Cookie: AlteonP=f4f3a433f4f3a4a1; path=/
Date: Mon, 08 May 2006 03:12:52 GMT
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: close
Content-Type: text/html

POPUP:http://www.intern-etadvertising.com/muon.html

 

GET /muon.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-E97F6E985912})
Host: www.intern-etadvertising.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 08 May 2006 03:12:53 GMT
Content-Length: 559
Content-Type: text/html
ETag: "34126-22f-443c0e0b"
Last-Modified: Tue, 11 Apr 2006 20:14:03 GMT
Accept-Ranges: bytes
Server: Apache/1.3.33 (Unix) PHP/4.3.11 mod_perl/1.29
Connection: keep-alive

<HTML>
<BODY style="margin-left: 0px; margin-top: 0px; margin-right: 0px; margin-bottom: 0px;" onUnload="window.open('http://64.194.221.33/cgi-bin/7upV2?query=ron');">
<!-- Tag for size prepopped for site NT - MB-U Direct: Run-of-site - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.firstadsolution.com/rmtag2.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.firstadsolution.com";
var rm_section_id = 3926;
var rm_banned_pop_types = 23;
var rm_pop_frequency = 0;

rmShowPop();
</SCRIPT>
</BODY>
</HTML>
<!-- END TAG -->

 

GET /imp?z=0&s=3926&u=http%3A%2F%2Fwww.intern-etadvertising.com%2Fmuon.html&r=1&y=23 HTTP/1.1
Accept: */*
Referer: http://www.intern-etadvertising.com/muon.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: ad.firstadsolution.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=0&s=3926&u=http%3A%2F%2Fwww.intern-etadvertising.com%2Fmuon.html&r=1&y=23
Cache-Control: no-store
Content-Length: 0

 

GET /imp?z=0&s=3926&u=http%3A%2F%2Fwww.buyer-shabit.com%2Fmuon.html&r=1&y=23 HTTP/1.1
Accept: */*
Referer: http://www.buyer-shabit.com/muon.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 Ok
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Type: application/x-javascript
Cache-Control: no-store
Content-Length: 680

if (navigator.appName=="Netscape") {window.innerWidth=800;
window.innerHeight=600; } else {window.resizeBy(800 - document.body.clientWidth, 600 - document.body.clientHeight); } window.moveTo((screen.width - 800) / 2, (screen.height - 600) / 2) ;
document.write('<iframe src="http://ad.firstadsolution.com/iframe3?AAAAAFYPAAAJTQEAi4EAAAAAAAAAAP8AAP8BGAEIAAPcvwAAkU0AAP.EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRwPQrXo.E.pHA9Ctej8T8zMzMzMzP5PzMzMzMzM.k.AAAAAAAAAkAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt4XqdsGbpwCfXdF8tMJ0Rt4NqCAJcYXNBk6qtgAAAAA=," scrolling="no" marginwidth="0" marginheight="0" name="rm_frm" id="rm_frm" frameborder="0" height="600" width="800"></iframe>');

 

GET /iframe3?AAAAAFYPAAAJTQEAi4EAAAAAAAAAAP8AAP8BGAEIAAPcvwAAkU0AAP.EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRwPQrXo.E.pHA9Ctej8T8zMzMzMzP5PzMzMzMzM.k.AAAAAAAAAkAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt4XqdsGbpwCfXdF8tMJ0Rt4NqCAJcYXNBk6qtgAAAAA=, HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.buyer-shabit.com/muon.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: ad.firstadsolution.com
Connection: Keep-Alive

HTTP/1.1 302 Found
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/iframe3?AAAAAFYPAAAJTQEAi4EAAAAAAAAAAP8AAP8BGAEIAAPcvwAAkU0AAP.EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRwPQrXo.E.pHA9Ctej8T8zMzMzMzP5PzMzMzMzM.k.AAAAAAAAAkAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt4XqdsGbpwCfXdF8tMJ0Rt4NqCAJcYXNBk6qtgAAAAA=,
Cache-Control: no-store
Content-Length: 0

 

GET /iframe3?AAAAAFYPAAAJTQEAi4EAAAAAAAAAAP8AAP8BGAEIAAPcvwAAkU0AAP.EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRwPQrXo.E.pHA9Ctej8T8zMzMzMzP5PzMzMzMzM.k.AAAAAAAAAkAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt4XqdsGbpwCfXdF8tMJ0Rt4NqCAJcYXNBk6qtgAAAAA=, HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.buyer-shabit.com/muon.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com

HTTP/1.1 200 Ok
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Content-Type: text/html
Set-Cookie: ...
Cache-Control: no-store
Content-Length: 928

<html><head><title></title></body><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><!-- BEGIN: AdSolution-Website-Tag 4.3 : Rydium (cpm) / 800x600_casino_2_($2.25) -->
<iframe src="http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=147307&kid=130138&xl=800&yl=600&mod=111" width=800 height=600 noresize scrolling=no hspace=0 vspace=0 frameborder=0 marginheight=0 marginwidth=0>
<script type="text/javascript" language="javascript" src="http://a.as-us.falkag.net/dat/dlv/aslmain.js"></script>
<script language="javascript" type="text/javascript">
Ads_kid=130138;Ads_bid=0;Ads_xl=800;Ads_yl=600;Ads_bt='';Ads_xp='';Ads_yp='';Ads_xp1='';Ads_yp1='';Ads_opt=0;Ads_wrd='';Ads_prf='';Ads_par='';Ads_cnturl='';
</script>
<script type="text/javascript" language="javascript" src="http://a.as-us.falkag.net/dat/cjf/00/14/73/07.js"></script></iframe>
<!-- END:AdSolution-Tag 4.3 --></body></html>

 

GET /dat/dlv/aslframe.html?dat=147307&kid=130138&xl=800&yl=600&mod=111 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/iframe3?AAAAAFYPAAAJTQEAi4EAAAAAAAAAAP8AAP8BGAEIAAPcvwAAkU0AAP.EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKRwPQrXo.E.pHA9Ctej8T8zMzMzMzP5PzMzMzMzM.k.AAAAAAAAAkAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAt4XqdsGbpwCfXdF8tMJ0Rt4NqCAJcYXNBk6qtgAAAAA=,
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: a.as-us.falkag.net
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache/2.0.52 (Red Hat)
Last-Modified: Mon, 22 Aug 2005 13:50:36 GMT
ETag: "205860-22b-f6c56300"
Accept-Ranges: bytes
Content-Length: 555
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa DEVa PSAa OUR BUS COM NAV INT"
Content-Type: text/html; charset=iso-8859-1
Cache-Control: max-age=481181
Expires: Sat, 13 May 2006 16:52:46 GMT
Date: Mon, 08 May 2006 03:13:05 GMT
Connection: keep-alive

<html><head><link rel="P3Pv1" href="/w3c/p3p.xml">
<script type="text/javascript" language="JavaScript" src="aslframe.js"></script>
<script language="JavaScript"><!--
if(typeof(Ads_i_File)=='undefined')Ads_i_File='';if(Ads_i_File!='')
document.write('<scr'+'ipt type="text/javascript" language="JavaScript" src="'+Ads_garrContentServer[Ads_sec]+'/dat/'+Ads_i_File+'"></scr'+'ipt>');
// --></script>
<script language="JavaScript"><!--
if(typeof(Ads_i_Fuss)!='undefined'){if(Ads_i_Fuss)document.write('</td></tr></table>');}
// --></script></body></html>

 

 

GET /search.php?cat=dvd&partner=ap_tk HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://a.as-us.falkag.net/dat/dlv/aslframe.html?dat=147307&kid=130138&xl=800&yl=600&mod=111
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: www.instantnavigation.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 08 May 2006 03:13:15 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.10 mod_perl/1.26
X-Powered-By: PHP/4.3.10
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<html>
<head>
<title>Loading...</title>
<meta http-equiv="refresh" content="2;url=http://ad.yieldmanager.com/imp?z=0&s=40249&y=23&t=3">
</head>

<script language="javascript">
<!--
var detect = navigator.userAgent.toLowerCase();
var OS,browser,version,total,thestring;
function checkIt(string)
{
place = detect.indexOf(string) + 1;
thestring = string;
return place;
}

document.write("<body>\n");
document.write("<div style=\"visibility:hidden\">\n");

if (checkIt('msie')){
//document.write("<FORM name=\"searchform\" method=GET action=\"http://search.brainfox.com/searchsidebar.php\" target=\"_search\">\n");
//document.write("<INPUT type=\"hidden\" name=\"Keywords\" value=\"heather+hunter\">\n");
//document.write("<INPUT type=\"hidden\" name=\"affiliate\" value=\"ap_tk\">\n");
//document.write("<INPUT type=\"submit\">\n");
//document.write(" </form>\n");
//document.searchform.submit();
}
document.write("<FORM name=\"mainform\" method=post action=\" http://207.97.227.29/clk/?313b313134373035373939352e34327e61705f746b3b3036\">\n");
document.write("<INPUT type=\"submit\">\n");
document.write(" </form>\n");
document.write(" </div>\n");
document.write("</body>\n");
document.write("</html>\n");
document.mainform.submit();
-->
</script>

 

 

 

POST /clk/?313b313134373035373939352e34327e61705f746b3b3036 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.instantnavigation.com/search.php?cat=dvd&partner=ap_tk
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: 207.97.227.29
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 302 Found
Date: Mon, 08 May 2006 03:13:17 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.10 mod_perl/1.26
Location: http://xmlsearch.mygeek.com/presults.jsp?partnerid=110126&vendorId=500830&type=2&code=9040720&rate=604362362&cr=604906906&domain=www.naughtyplay.com&query=1147057995873%3A%3A...%3A%3Aheather+hunter&rnk=1&url=http%3A%2F%2Fwww.naughtyplay.com%2Fpornstars%2Fheatherhunter%2Findex.html
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://xmlsearch.mygeek.com/presults.jsp?partnerid=110126&amp;vendorId=500830&amp;type=2&amp;code=9040720&amp;rate=604362362&amp;cr=604906906&amp;domain=www.naughtyplay.com&amp;query=1147057995873%3A%3A...%3A%3Aheather+hunter&amp;rnk=1&amp;url=http%3A%2F%2Fwww.naughtyplay.com%2Fpornstars%2Fheatherhunter%2Findex.html">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at www.instantnavigation.com Port 80</ADDRESS>
</BODY></HTML>

 

 

GET /presults.jsp?partnerid=110126&vendorId=500830&type=2&code=9040720&rate=604362362&cr=604906906&domain=www.naughtyplay.com&query=1147057995873%3A%3A...%3A%3Aheather+hunter&rnk=1&url=http%3A%2F%2Fwww.naughtyplay.com%2Fpornstars%2Fheatherhunter%2Findex.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.instantnavigation.com/search.php?cat=dvd&partner=ap_tk
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {B67536BD-C7AB-E94F-9C19-...})
Host: xmlsearch.mygeek.com
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 302 Found
Date: Mon, 08 May 2006 03:13:21 GMT
Server: Apache/1.3.12 (Unix)
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV INT STA"
Set-Cookie: ...
Location: http://www.naughtyplay.com/pornstars/heatherhunter/index.html
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://www.naughtyplay.com/pornstars/heatherhunter/index.html">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.12 Server at xmlsearch.mygeek.com Port 80</ADDRESS>
</BODY></HTML>