Educause Security Discussion mailing list archives
Re: Question regarding Marketscore spyware
From: rwatts <rwatts () CSUB EDU>
Date: Thu, 2 Dec 2004 07:42:51 -0800
The EDUCAUSE Security Discussion Group Listserv wrote:
I've been researching this a bit last night. Here are the IPs I've found so far:

Web site:
66.119.41.71 www.marketscore.com

Proxy servers via port 8000:
66.119.33.134 proxy.ia3.marketscore.com
66.119.33.166 proxy.ia4.marketscore.com
66.119.33.198 proxy.ia5.marketscore.com
66.119.34.38 proxy.ia2.marketscore.com
170.224.224.101 no DNS match this morning
170.224.224.133 no DNS match this morning
170.224.224.69 no DNS match this morning

Last night all of these were doing successful DNS lookups, but now three are not. Interesting... The IPs without DNS names are still up and running Squid. (so much for the "Powered by Symantec")

If someone has a better list, please share. Thanks.

Karl Lutzen
Systems Security Analyst
UMR IT Information Systems Security
kfl () umr edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steele, John E.
Sent: Thursday, December 02, 2004 8:26 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question regarding Marketscore spyware

If some of those folks blocking the servers would provide an IP address list and/or their domain naming scheme I'm sure I'm not the only one here that would appreciate it. TIA.

I second that TIA!

Thank you,
John E. Steele
Workstation & Network Support
Michigan Administrative and Information Services
734-647-8979 (phone)
734-368-4835 (Nextel)
moonowl () umich edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Wednesday, December 01, 2004 10:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question regarding Marketscore spyware

Jason Richardson wrote:

Hi all,

I just read an article about the threat that this flavor of spyware poses to edus and that several, including those represented by frequent posters here and on Unisog, have blocked all access to/from their networks. Has anyone else had any experience with it? We have not (yet) to the best of my knowledge. Here's the story - http://www.pcworld.com/news/article/0,aid,118757,tk,dn120104X,00.asp.

It's the first I've heard about it but the press seems to be picking it up as someone else just asked me about it. It doesn't appear to be anything new. I've seen posts about it that date back to 2001. University of Minnesota's web page on the subject says the page was last updated in 2003.

http://www1.umn.edu/oit/security/marketscore.html

I'd think a commercial venture that was man-in-the-middling SSL protected sessions would end up in court pretty quick but maybe their privacy policy discloses this and thereby the person turning their computer over to this unknown code is making a responsible, informed decision. Hey, I have this neat screen saver that works real well with it too.... ;)

XP's software restrictions feature looks more and more attractive.

A quick Google search makes me think Adaware and Spybot both detect it.

If some of those folks blocking the servers would provide an IP address list and/or their domain naming scheme I'm sure I'm not the only one here that would appreciate it. TIA.

Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
We found 51 sites related to this and are blocking all outgoing traffic to them at the Firewall.

--
Ron Watts
Network Operations Security
California State University Bakersfield
9001 Stockdale Highway
Bakersfield, CA 93311
Work: 661-665-6107
Cell: 661-549-7995
Email: RWatts () CSUB EDU