Educause Security Discussion mailing list archives

Re: Question regarding Marketscore spyware


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 2 Dec 2004 10:12:51 -0500

Lutzen, Karl F. wrote:
I've been researching this a bit last night. Here are the IPs I've
found so far:

Web site:
66.119.41.71 www.marketscore.com

Proxy servers via port 8000:

66.119.33.134 proxy.ia3.marketscore.com
66.119.33.166 proxy.ia4.marketscore.com
66.119.33.198 proxy.ia5.marketscore.com
66.119.34.38  proxy.ia2.marketscore.com
170.224.224.101 no DNS match this morning
170.224.224.133 no DNS match this morning
170.224.224.69  no DNS match this morning

There are a bunch in the 216.246 netblock too.
I just started collecting this morning:

Doesn't look like an IP based block will be easy.
I noticed a few universities saying they are handling
it with DNS shenanigans.

Looks to me so far like both netsetter.com and
marketscore.com domains are involved with varying
hosts and subdomains.

An ngrep for an HTTP user agent of OSSProxy
provides interesting inventory results. Our Juniper
IDP Profiler inventories this for us but ngrep will
provide the same data. If you have the capability
to write IDP signatures, blocking traffic with
those user agent strings would seem to be a possible
blocking method for campus desktops. Looking for the
Marketscore certificate during SSL negotiations may
be another.

Interesting that the proxy-agent string is
"Proxy-agent: ManInTheMiddle-Proxy/1.0"
Borders on the illegal IMHO.


--
Gary Flynn
Security Engineer
James Madison University
