Educause Security Discussion mailing list archives

Re: Question regarding Marketscore spyware


From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 2 Dec 2004 08:03:13 -0500

Same here - works for us.  We use Packeteer for the redirect, but same effect.

Brent Sweeny wrote:
Indiana University has written a good page on it too:
   see http://kb.indiana.edu/data/apnh.html
They did two things: redirect the DNS name resolutions for the marketscore
servers from campus users toward a security page that told them they'd been
owned and how to remove it.  Also used netflow to identify the affected users
and made sure they were contacted.  I don't work for the security office so
don't know more details, but it seems to have been an effective and justified
approach.

On Wed, Dec 01, 2004 at 10:26:57PM -0500, Gary Flynn wrote:

Jason Richardson wrote:


Hi all, I just read an article about the threat that this flavor of
spyware poses to edus and that several, including those represented by
frequent posters here and on Unisog, have blocked all access to/from
their networks.  Has anyone else had any experience with it?  We have
not (yet) to the best of my knowledge.  Here's the story -
http://www.pcworld.com/news/article/0,aid,118757,tk,dn120104X,00.asp.



It's the first I've heard about it but the press seems to be picking it
up as someone else just asked me about it. It doesn't appear to be
anything new. I've seen posts about it that date back to 2001. University
of Minnesota's web page on the subject says the page was last updated in
2003.
http://www1.umn.edu/oit/security/marketscore.html

I'd think a commercial venture that was man-in-the-middling SSL protected
sessions would end up in court pretty quick but maybe their privacy policy
discloses this and thereby the person turning their computer over to this
unknown code is making a responsible, informed decision. Hey,
I have this neat screen saver that works real well with it too.... ;)
XP's software restrictions feature looks more and more attractive.

A quick Google search makes me think Adaware and Spybot both detect
it.

If some of those folks blocking the servers would provide an IP address list
and/or their domain naming scheme I'm sure I'm not the only one here that
would appreciate it. TIA.

Gary Flynn
Security Engineer
James Madison University


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

--

  ------------------------------------------------------------
  Gary Dobbins, CISSP -- Director, Information Security
  University of Notre Dame, Office of Information Technologies
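
The netflow step Brent Sweeny describes above (finding the campus hosts that talked to the blocked servers so they can be contacted), as an added example that is not part of the original thread. The campus prefix, the server ranges and the flow records are constructed placeholders; the thread lists no real addresses.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (none of these values come from the thread):
CAMPUS_NET = ip_network("10.20.0.0/16")          # hypothetical campus prefix
SERVER_NETS = [ip_network("203.0.113.0/28"),     # placeholder blocked-server ranges
               ip_network("198.51.100.7/32")]

# Constructed flow export: start time, src, dst, dst port, bytes
SAMPLE_FLOWS = """\
2004-12-01T09:14:02,10.20.5.17,203.0.113.4,80,18234
2004-12-01T09:14:40,10.20.5.17,203.0.113.4,443,90211
2004-12-01T09:15:10,10.20.9.200,192.0.2.80,80,5120
2004-12-01T09:20:31,10.20.44.3,198.51.100.7,443,7710
2004-12-01T09:21:00,172.16.1.9,203.0.113.4,80,300
not,a,valid,flow,line
2004-12-01T10:02:11,10.20.5.17,203.0.113.9,443,40100
"""

def affected_hosts(flow_text):
    """Return {campus_ip: summary} for campus hosts that sent traffic to a listed server."""
    hosts = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None,
                                 "last": None, "ports": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        try:
            ts, src, dst, port, nbytes = row
            src, dst = ip_address(src), ip_address(dst)
            port, nbytes = int(port), int(nbytes)
        except ValueError:
            continue  # skip malformed records rather than abort the report
        if src not in CAMPUS_NET or not any(dst in n for n in SERVER_NETS):
            continue
        h = hosts[str(src)]
        h["flows"] += 1
        h["bytes"] += nbytes
        h["ports"].add(port)
        # ISO-8601 timestamps in one timezone sort correctly as strings
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hosts)

if __name__ == "__main__":
    for ip, h in sorted(affected_hosts(SAMPLE_FLOWS).items()):
        print(ip, h["flows"], h["bytes"], h["first"], h["last"], sorted(h["ports"]))
```

The first-seen and last-seen times per host are what a help desk needs to match a dynamically assigned address back to a user in DHCP or authentication logs.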
