Information Security Office
Security Alert: MarketScore Spyware
11 Jan 2005
Summary
MarketScore (also called NetSetter)
is a spyware-like application that compromises the security of all data
sent or received by your web browser, even on "secure" encrypted web
sites. All external browser communications are re-routed through
MarketScore's proxy servers, so they have access to any "secure"
traffic/passwords/accounts that otherwise would be encrypted.
MarketScore affects the most popular
browsers on the Microsoft Windows platform, including Internet
Explorer, Netscape, Mozilla, and Firefox. It does not appear to
affect Macintosh or Linux platforms.
What to Do
SpySweeper, available at no cost from the Essential Stanford Software
web site, will detect and remove MarketScore if you make sure to
download the latest spyware definitions. Another free product that will
remove MarketScore is SpyBot Search and Destroy, and there are manual
removal instructions on Columbia University's MarketScore removal web
site.
If you have MarketScore installed on your computer and have used your
browser for any services that require WebLogin, your password should be
considered compromised. After you have removed MarketScore from your
computer, we strongly recommend that you change your SUNet password.
This advice also applies to any other secure web sites you may have
visited with your browser.
The Information Security Office is
directly contacting owners of machines that appear to behave as if
MarketScore is present. If your computer is on the Stanford
campus, you can also do a rudimentary self-check of your browser by
going to the fixme.stanford.edu
web page. If you get a message saying access is forbidden, your
browser might be configured to use an outside proxy, so to be safe you
should follow one of the removal procedures listed above or in the
References section below.
Technical Detail
MarketScore reconfigures the browser to use a
"proxy server" for all non-local connections, including HTTPS
connections. A proxy server is a machine that acts as a
middle-man, brokering web page requests intended for other sites.
So if the browser on machine A wants to visit web sites C, D, and E it
makes all those requests through the proxy server B. B then
contacts C, D, and E and passes the results back to A. This is
usually transparent to the user on machine A after the browser has been
configured to use the proxy.
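The check below is an added example, not part of the original alert: it reads the current user's Windows (WinINET, as used by Internet Explorer) proxy settings and reports when HTTPS is sent through a proxy outside a trusted list. The allowlist suffix and the sample host names used to exercise it are constructed placeholders, and the alert does not state which settings MarketScore writes, so treat a finding only as a reason to run one of the removal tools.

```python
"""Added example: flag a WinINET proxy setting that routes HTTPS off-site."""
import sys

# Hypothetical allowlist: suffixes of proxy hosts your organisation operates.
TRUSTED_SUFFIXES = (".example.edu",)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_proxy_server(value):
    """Parse a WinINET ProxyServer string into {scheme: host}.

    Two forms exist: "host:port" (one proxy for every protocol, stored
    here under "*") and "http=host:port;https=host:port" (per protocol).
    """
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:                          # single proxy for all protocols
            scheme, target = "*", part
        target = target.split("://", 1)[-1]  # drop an optional scheme prefix
        host = target.rsplit(":", 1)[0] if ":" in target else target
        proxies[scheme.strip().lower()] = host.strip("[]").lower()
    return proxies


def https_proxy_finding(proxy_enable, proxy_server):
    """Return the untrusted host that HTTPS is sent through, else None."""
    if not proxy_enable or not proxy_server:
        return None
    proxies = parse_proxy_server(proxy_server)
    host = proxies.get("https", proxies.get("*"))
    if host is None or host in LOCAL_HOSTS:
        return None
    if any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_SUFFIXES):
        return None
    return host


def read_wininet_settings():
    """Read the current user's proxy settings from the registry (Windows only)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        def get(name, default):
            try:
                return winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                return default
        return get("ProxyEnable", 0), get("ProxyServer", "")


if __name__ == "__main__" and sys.platform == "win32":
    found = https_proxy_finding(*read_wininet_settings())
    print(f"HTTPS is routed through {found}" if found else "No untrusted HTTPS proxy set")
```

Firefox, Netscape and Mozilla keep their own proxy preferences, and a proxy auto-config URL is not covered here, so a clean result from this check does not rule out a proxy configured by those routes.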
Web proxies are typically used in a corporate
environment where all web traffic must be controlled or inspected
centrally, although in the case of secure HTTPS traffic there is
ordinarily nothing the proxy can do except forward the connection or
refuse it. In this case, the proxy servers belong to a company called
ComScore, which collects and analyzes the intercepted data.
While ordinarily an HTTPS connection would simply
pass through a proxy securely, in this case MarketScore also installs a
new root certificate in your browser so that it can decrypt all
intercepted SSL connections (a "man-in-the-middle" attack) without
triggering a security warning from the browser. In normal
operation, browsers would complain if a site certificate doesn't match
the domain of the URL, but the new root certificate tells the browser
to trust ComScore's site certificate for any URL.
MarketScore attracts people to install it by
claiming that its proxy servers "speed up the Internet", but a proxy
cannot speed up non-cacheable traffic (such as HTTPS), so the only
"benefit" possible for such traffic is loss of privacy and slower
connections.
Users may not be aware that they are installing the software. The IMesh
file sharing application, for example, came bundled with MarketScore.
Stanford will likely soon block, either via DNS or
via router blocks, any accesses to or from MarketScore's proxy
addresses.
References
Additional information regarding this
vulnerability is available at
Last modified Wednesday, 08-Feb-2006 11:46:30 PST
© 2004, Stanford University. All rights reserved.