DollarRevenue Promoting Vonage by Covering Other Sites' Ads with Vonage Ads
How Vonage Funds Spyware - Ben Edelman
This page gives a screenshot and packet log showing DollarRevenue promoting Vonage on July 16, 2006. Additional general discussion.
On a PC with DollarRevenue installed, I browsed boston.com. As shown in this video of on-screen appearances, I initially received an ordinary Boston.com-delivered ad for the Kellogg School of Management. But that ad was only visible for a fifth of a second -- from 0:00:3.65 to 0:00:3.85 in the video. The Kellogg ad was then covered by the Vonage ad shown below.
The injected Vonage ad (shown above) is unlabeled -- without any direct indication that it came from DollarRevenue spyware rather than from Boston.com itself. The screen-capture video indicates something unusual is occurring -- notice the Kellogg School of Management ad disappearing after just 0.2 seconds on screen, only to be replaced by the Vonage ad shown in the screenshot above.
Packet log analysis confirms the parties responsible for the ad replacement shown above. First, DollarRevenue spyware on my test PC monitored the ads in the page I visited, sending a message to its controlling server nonameforthisdomain.com (yellow) to report selected ad URLs observed (green). Nonameforthisdomain returned a URL to another DollarRevenue server, popupsandbanners.com (yellow), from which an ad was to be loaded. DollarRevenue spyware injected that popupsandbanners ad into my browser, covering the original ad. The popupsandbanners ad specified that its content was to come from Firstadsolution (Oridian, recently spun off from Cydoor) (blue). Firstadsolution then sent me on to Yield Manager (grey), which sent me to 24/7 RealMedia (brown), which redirected me to aQuantive's Atlas (pink) (which tracks most Vonage ad placements). Finally, aQuantive's Atlas redirected to Vonage (red).
GET /iframe_sp2.asp?url=http%3a%2f%2fad%2edoubleclick%2enet%2fadi%2fN763%2e integrentmedia%2ecom%2fB1906385%2e2%3bsz%3d728x90%3bhttp%3a%2f%2frmedia%2e boston%2ecom%2fRealMedia%&hoogte=90&breedte=728 HTTP/1.1
User-Agent: vb wininet
Host: www.nonameforthisdomain.com
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 16 Jul 2006 10:14:04 GMT
Content-Length: 42
Content-Type: text/html
Cache-control: private
http://www.popupsandbanners.com/728x90.asp
GET /728x90.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.boston.com/business/columnists/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: www.popupsandbanners.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 16 Jul 2006 10:10:41 GMT
pragma: no-cache
cache-control: private
Content-Length: 621
Content-Type: text/html
Expires: Fri, 14 Jul 2006 10:10:42 GMT
Cache-control: no-cache
<HTML>
<HEAD>
<META HTTP-EQUIV="Expires" CONTENT="Fri, Jun 12 1981 08:20:00 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
</HEAD>
<BODY TOPMARGIN="0" LEFTMARGIN="0">
<!-- BEGIN STANDARD TAG - 728 x 90 - Fastserving Direct: Run-of-site - DO NOT MODIFY -->
<SCRIPT TYPE="text/javascript" SRC="http://content.yieldmanager.com/rmtag3.js"></SCRIPT>
<SCRIPT language="JavaScript">
var rm_host = "http://ad.firstadsolution.com";
var rm_section_id = 64184;
var rm_iframe_tags = 1;
rmShowAd("728x90");
</SCRIPT>
<!-- END TAG -->
</BODY>
</HTML>
GET /imp?z=6&Z=728x90&s=64184&t=3&u=http%3A%2F%2Fwww.boston.com%2Fbusiness%2Fcolumnists%2F&r=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.popupsandbanners.com/728x90.asp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: ad.firstadsolution.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Location: http://ad.yieldmanager.com/imp?z=6&Z=728x90&s=64184&t=3&u=http%3A%2F%2Fwww.boston.com%2Fbusiness%2Fcolumnists%2F&r=0
Cache-Control: no-store
Content-Length: 0
GET /imp?z=6&Z=728x90&s=64184&t=3&u=http%3A%2F%2Fwww.boston.com%2Fbusiness%2Fcolumnists%2F&r=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.popupsandbanners.com/728x90.asp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Cookie: ...
Connection: Keep-Alive
Host: ad.yieldmanager.com
HTTP/1.1 200 Ok
Connection: close
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Set-Cookie: ...
Cache-Control: no-store
Content-Length: 859
<html><body style="margin-left: 0%; margin-right: 0%; margin-top: 0%; margin-bottom: 0%"><html>
<body style="margin: 0; padding: 0">
<!--- start of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->
<IFRAME WIDTH=728 HEIGHT=90 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR="#000000" SRC="http://network.realmedia.com/RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<A HREF="http://network.realmedia.com/RealMedia/ads/click_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1">
<IMG SRC="http://network.realmedia.com/RealMedia/ads/adstream_nx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1"></a>
</iframe>
<!--- end of iconmedianetworks_entertainment_728x90_(728x90)_247RealMediaAdTag --->
</body>
</html></body></html>
GET /RealMedia/ads/adstream_sx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a@Top1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://ad.yieldmanager.com/imp?z=6&Z=728x90&s=64184&t=3&u=http%3A%2F%2Fwww.boston.com%2Fbusiness%2Fcolumnists%2F&r=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: network.realmedia.com
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 200 OK
Date: Sun, 16 Jul 2006 10:18:02 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_oas/5.8 with cap module/2.0
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: RMFW=011G23hK710BCG; expires=Fri, 31-Dec-2020 23:59:59 GMT; path=/; domain=.realmedia.com
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Keep-Alive: timeout=300
Connection: Keep-Alive
Content-Type: text/html
Set-Cookie: ...
Cache-Control: private
Content-Encoding: gzip
Content-Length: 433
<iframe src="http://view.atdmt.com/VON/iview/247mavon0880000002von/direct/01&844989628? click=http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/enterta inment_728x90/ron/ent/ss/a/844989628/Top1/OasDefault/BCN2006060124_01_Vonage/Vonage_728 x90.html/34323166326364653434626130663930?" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" topmargin="0" leftmargin="0" width="728" height="90">
<script language="JavaScript" type="text/javascript">
document.write('<a href="http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconme dianetworks/entertainment_728x90/ron/ent/ss/a/844989628/Top1/OasDefault/BCN2006060124_0 1_Vonage/Vonage_728x90.html/34323166326364653434626130663930?844989628" target="_blank"><img border="0" src="http://clk.atdmt.com/VON/go/247mavon0880000002von/direct/01/844989628" /></a>');
</script>
<noscript>
<a href="http://network.realmedia.com/RealMedia/ads/click_lx.ads/iconmedianetworks/ente rtainment_728x90/ron/ent/ss/a/844989628/Top1/OasDefault/BCN2006060124_01_Vonage/Vonage_ 728x90.html/34323166326364653434626130663930?844989628" target="_blank"><img border="0" src="http://clk.atdmt.com/VON/go/247mavon0880000002von/direct/01/844989628" /></a>
</noscript>
</iframe>
GET /RealMedia/ads/click_lx.ads/iconmedianetworks/entertainment_728x90/ron/ent/ss/a/844 989628/Top1/OasDefault/BCN2006060124_01_Vonage/Vonage_728x90.html/343231663263646534346 26130663930?http://clk.atdmt.com/go/247mavon0880000002von/direct;ai.14265838;ct.1/01 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Host: network.realmedia.com
Connection: Keep-Alive
Cookie: ...
HTTP/1.1 302 Found
Date: Sun, 16 Jul 2006 10:18:12 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b mod_oas/5.8 with cap module/2.0
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Location: http://clk.atdmt.com/VON/go/247mavon0880000002von/direct/01/http:// clk.atdmt.com/go/247mavon0880000002von/direct;ai.14265838;ct.1/01
Keep-Alive: timeout=300
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: NSC_f3pbto1efm_Qppm_iuuq=445c21353660;path=/
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://clk.atdmt.com/VON/go/247mavon0880000002von/direct/01/ http://clk.atdmt.com/go/247mavon0880000002von/direct;ai.14265838;ct.1/01">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at e1oasndel5.east1.247realmedia.com Port 80</ADDRESS>
</BODY></HTML>
GET /VON/go/247mavon0880000002von/direct/01/http://clk.atdmt.com/go/ 247mavon0880000002von/direct;ai.14265838;ct.1/01 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {...})
Cookie: AA002=...
Connection: Keep-Alive
Host: clk.atdmt.com
HTTP/1.1 302 Object moved
Cache-Control: no-store
Content-Length: 0
Expires: 0
Location: http://www.vonage.com/startsavingnow/
Connection: close
Date: Sun, 16 Jul 2006 10:18:12 GMT
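
An added example, not part of the original page: the attribution reasoning above (which earlier exchange caused each request) applied mechanically to a flattened HTTP transcript. The `parse` and `explain` helpers are illustrative names, and the sample is a constructed abbreviation of the log above with shortened paths.

```python
import re

# Constructed sample: hosts and hop order follow the log above; paths are shortened.
SAMPLE = """\
GET /iframe_sp2.asp?url=x HTTP/1.1
Host: www.nonameforthisdomain.com
HTTP/1.1 200 OK
http://www.popupsandbanners.com/728x90.asp
GET /728x90.asp HTTP/1.1
Referer: http://www.boston.com/business/columnists/
Host: www.popupsandbanners.com
HTTP/1.1 200 OK
GET /imp?s=64184 HTTP/1.1
Referer: http://www.popupsandbanners.com/728x90.asp
Host: ad.firstadsolution.com
HTTP/1.1 302 Found
Location: http://ad.yieldmanager.com/imp?s=64184
GET /imp?s=64184 HTTP/1.1
Host: ad.yieldmanager.com
"""

def parse(transcript):
    """Split a flattened HTTP transcript into one dict per request/response pair."""
    hops = []
    for line in transcript.splitlines():
        if m := re.match(r"(?:GET|POST) (\S+) HTTP/", line):
            hops.append({"path": m[1], "req": {}, "resp": {}, "body": "", "side": "req"})
        elif not hops:
            continue  # ignore anything before the first request line
        elif line.startswith("HTTP/"):
            hops[-1]["side"] = "resp"
        elif m := re.match(r"([\w-]+): (.*)", line):
            hops[-1][hops[-1]["side"]][m[1].lower()] = m[2]
        elif hops[-1]["side"] == "resp":
            hops[-1]["body"] += line + "\n"
    for h in hops:
        h["host"] = h["req"].get("host", "?")
        h["url"] = "http://" + h["host"] + h["path"]
    return hops

def explain(hops):
    """Yield (host, cause) per request; evidence order: redirect, body URL, referer."""
    for i, h in enumerate(hops):
        tests = [("redirect", lambda p: p["resp"].get("location") == h["url"]),
                 ("body URL", lambda p: h["url"] in p["body"]),
                 ("referer", lambda p: h["req"].get("referer") == p["url"])]
        cause = next((f"{kind} from {p['host']}" for kind, t in tests
                      for p in hops[:i] if t(p)), "unexplained")
        yield h["host"], cause
```

Run over the sample, the popupsandbanners.com request is explained by the URL in nonameforthisdomain.com's response body even though its Referer names boston.com, which matches the analysis above.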