[Diagram (top right): Deskwizz / SearchingBooth -> Z-Quest -> YieldManager -> Zedo -> Vitalix, with each link labeled "money" and "viewers".]

Deskwizz/SearchingBooth, Z-Quest, YieldManager, and Zedo Showing Vitalix
Spyware Showing Unrequested Sexually-Explicit Images - Ben Edelman

This page gives a screenshot and packet log reporting a Deskwizz/SearchingBooth ad display on February 15, 2006. Additional discussion.

 

Screenshots

On a massively infected test PC, I browsed family-friendly web sites such as the signup area of AOL.com. I received the popup shown below.

 

Packet Log

Packet log analysis indicates that the popup shown above was served in the way set out in the diagram at top-right. In particular, SearchingBooth spyware first sent traffic to its controlling server at SearchingBooth.com (yellow), seeking an ad to display. SearchingBooth.com replied with a URL on Z-quest.com (green). Z-quest sent me on to YieldManager (blue). YieldManager in turn sent me to Zedo (pink). Finally, Zedo used JavaScript to open a new window (grey) of the Vitalix site (red), which showed the sexually-explicit content at issue.

Notice that SearchingBooth automatically reloads its ads every 45 seconds (grey), a practice that seems to violate some ad network rules, while increasing advertisers' costs. See related article about spyware-delivered banner farms and their practices.

GET /advertpro/servlet/view/dynamic/html/campaign?cid=14&pid=5&DHWidth=720&DHHeight=300&DHScroll=no HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://free.aol.com/tryaolfree/index3.adp?promo=532075&service=aol
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: banners.searchingbooth.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-cache
Pragma: no-cache
Expires: Thu, 31 Dec 1998 11:59:59 GMT
P3P: CP="CAO DSP COR CURa ADMa OUR NOR UNI COM NAV INT"
Content-Type: text/html;charset=UTF-8
Content-Length: 410
Date: Wed, 15 Feb 2006 22:27:14 GMT

<HTML>
<HEAD>
<META http-equiv="refresh" content="45;url=http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html/campaign?cid=14&pid=4&DHWidth=720&DHHeight=300&DHScroll=no">
</HEAD>
<BODY>
<CENTER>
<IFRAME marginheight="0" frameborder="0" width="720" height="300" align="center" marginwidth="0" scrolling="no" src="http://ads.z-quest.com/MarkSect720x300.html">
</BODY>
</HTML>

 

GET /MarkSect720x300.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://banners.searchingbooth.com/advertpro/servlet/view/dynamic/html/campaign?cid=14&pid=5&DHWidth=720&DHHeight=300&DHScroll=no
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ads.z-quest.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Thu, 16 Feb 2006 00:14:04 GMT
Server: Apache/2.0.46 (Red Hat)
Last-Modified: Sun, 08 Jan 2006 12:11:30 GMT
ETag: "1800a0-131-c84dc080"
Accept-Ranges: bytes
Content-Length: 305
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>MarkSectr 720x300</title>
</head>
<body>
<!-- BEGIN RAW TAG - prepopped - ROS: Run-of-site - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/imp?z=0&s=16185&r=1&y=23&w=720&h=300"></SCRIPT>
<!-- END TAG -->
</body>
</html>

 

GET /imp?z=0&s=16185&r=1&y=23&w=720&h=300 HTTP/1.1
Accept: */*
Referer: http://ads.z-quest.com/MarkSect720x300.html
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: ad.yieldmanager.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Connection: close
P3P: policyref="/w3c/p3p.xml",CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Set-Cookie: ...
Content-Type: application/x-javascript
Content-Length: 195

document.write('<iframe scrolling="no" marginwidth="0" marginheight="0" frameborder="0" height="300" width="720" src="http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1"></iframe>');

 

GET /ads2/d/3869/172/377/40/i4.js?z=5414 HTTP/1.1
Accept: */*
Referer: http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: c4.zedo.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: ZEDO 3G
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Content-Length: 1097
Cache-Control: max-age=2506
Expires: Wed, 15 Feb 2006 23:10:07 GMT
Date: Wed, 15 Feb 2006 22:28:21 GMT
Connection: keep-alive

var zzDate = new Date();
var zzLogData ="a=146636;x=3869;g=172,0;c=377000040,377000040;i=4;n=377;" + zzStr;
function zzPop() {
var zzAg = navigator.userAgent.toLowerCase();
var zzAOL = (zzAg.indexOf('aol') != -1);
var zzNS6 = (zzAg.indexOf('netscape6/6.') != -1);
var zzNS7 = (zzAg.indexOf('netscape/7') != -1);
var zzHW=",width=380,height=680";
if (!zzAOL && !zzNS7) {
zzHW+=",left=3000,top=3000";
}
if (!zzNS6) {
zzHW+=",menubar=no,location=no";
}
else {
zzHW+=",menubar=no,location=yes";
}
var zzWindow=window.open("about:blank","_blank","toolbar=no,resizable=yes,scrollbars=no,channelmode=no,directories=no"+zzHW);
self.focus();
if ((zzWindow != null) && (!zzWindow.closed)) {
if (!zzWindow.closed && !zzAOL && !zzNS7) {
zzWindow.moveTo(Math.ceil((screen.availWidth - 380) / 2),Math.ceil((screen.availHeight - 680) / 2));
}
if (!zzWindow.closed) {zzWindow.blur();}
self.focus();
zzWindow.location.href="http://l5.zedo.com//log/p.html?" + zzLogData + ";y=http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov=stageshow";
}
}
zzPop();

 

GET //log/p.html?a=146636;x=3869;g=172,0;c=377000040,377000040;i=4;n=377;i=4;u=unknown;e=i;s=17;g=172;m=30;w=22;z=0.43402249141222154;y=http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov=stageshow HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: text, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: l5.zedo.com
Connection: Keep-Alive
Cookie: ...

HTTP/1.1 200 OK
Server: ZEDO 3G/1.0.0
Last-Modified: Tue, 19 Jul 2005 09:03:53 GMT
ETag: "4a-a1-3fc3cfec9b040"
Accept-Ranges: bytes
Content-Length: 161
Content-Type: text/html; charset=ISO-8859-1
Cache-Control: max-age=3600
Expires: Wed, 15 Feb 2006 23:28:22 GMT
Date: Wed, 15 Feb 2006 22:28:22 GMT
Connection: keep-alive

<HTML><BODY>
<SCRIPT LANGUAGE="JavaScript">
var r=location.search.indexOf(";y=");
if(r>0){location.href=location.search.substring(r+3);}
</SCRIPT></BODY></HTML>
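The hand-off chain described above can be recovered mechanically from the response bodies. The following is an added example (not code from the original page): it walks abbreviated copies of the captured responses, extracts each hop (meta refresh, iframe or script src, location.href assignment, and the ";y=" forwarding parameter of Zedo's logging page), flags the self-reload interval, and collapses the hosts to the five parties named in the text. The sample bodies and the two-label domain collapse are constructed simplifications.

```python
import re
from urllib.parse import urlparse

# Hand-off mechanisms present in the capture; only absolute http(s) URLs count.
# ";y=" is the parameter Zedo's /log/p.html forwards the browser to.
HOP_URL = re.compile(r'(?:url=|src=|href=|;y=)["\']?(https?://[^"\'\s>]+)', re.I)
META_REFRESH = re.compile(r'http-equiv="refresh"\s+content="(\d+);url=(https?://[^"]+)"', re.I)

# Constructed sample: (serving host, response body) pairs abbreviated from the
# packet log above; query strings are kept because hops hide inside them.
EXCHANGES = [
    ("banners.searchingbooth.com",
     '<META http-equiv="refresh" content="45;url=http://banners.searchingbooth.com'
     '/advertpro/servlet/view/dynamic/html/campaign?cid=14&pid=4">'
     '<IFRAME width="720" height="300" src="http://ads.z-quest.com/MarkSect720x300.html">'),
    ("ads.z-quest.com",
     '<SCRIPT TYPE="text/javascript" SRC="http://ad.yieldmanager.com/imp?z=0&s=16185&r=1&y=23&w=720&h=300"></SCRIPT>'),
    ("ad.yieldmanager.com",
     'document.write(\'<iframe src="http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=40;s=17;d=15;w=1;h=1"></iframe>\');'),
    ("c4.zedo.com",
     'zzWindow.location.href="http://l5.zedo.com//log/p.html?" + zzLogData + '
     '";y=http://ads.vitalix.net/ads/3day/wb03/index.html?prov=seedcorn&subprov=stageshow";'),
]

def party(hostname):
    """Collapse a hostname to its last two labels (c5.zedo.com -> zedo.com); assumes two-label domains."""
    return ".".join(hostname.split(".")[-2:])

def auto_reload_seconds(host, body):
    """Seconds after which the page reloads itself via meta refresh, or None."""
    m = META_REFRESH.search(body)
    if m and urlparse(m.group(2)).hostname == host:
        return int(m.group(1))
    return None

def hop_hosts(host, body):
    """Hostnames this response hands the browser to, excluding self-reloads."""
    hosts = [urlparse(u).hostname for u in HOP_URL.findall(body)]
    return [h for h in hosts if h and h != host]

def redirect_chain(exchanges, by_party=False):
    """Ordered hostnames (or organisations) from the first ad request onward."""
    name = party if by_party else (lambda h: h)
    chain = [name(exchanges[0][0])]
    for host, body in exchanges:
        for h in map(name, hop_hosts(host, body)):
            if h != chain[-1]:
                chain.append(h)
    return chain
```

`redirect_chain(EXCHANGES, by_party=True)` yields the same five-party sequence the prose describes, and `auto_reload_seconds(*EXCHANGES[0])` returns the 45-second self-refresh noted above.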

 

SearchingBooth Injecting Ads into Others' Sites

The screenshot below shows SearchingBooth injecting a Vonage ad into the Vistaprint site, without Vistaprint's consent. SearchingBooth widely inserts such ads at both the top and bottom of sites users request.

In this example, traffic flowed from SearchingBooth to Z-Quest to Cpxinteractive to YieldManager to Headlinesandnews.com to Marketingsector to YieldManager to aQuantive's Atlas DMT to Vonage. (Packet log on file.) This lengthy chain is representative of SearchingBooth's practices and partners.

Notice the extreme prominence of the Vonage ad, the unattractive design (excessive whitespace) of the resulting page, and the dramatic reduction in screen space available to the page I had requested (VistaPrint). All these attributes are common when SearchingBooth inserts ads into others' sites.

Screenshot captured on June 16, 2006.