Educause Security Discussion mailing list archives

Re: Question regarding Marketscore spyware


From: "Skrdla, David" <david.skrdla () OKSTATE EDU>
Date: Tue, 21 Dec 2004 15:30:01 -0600

Hi,

On December 6th I posted a list of IPs identified as destination IPs of
MarketScore proxy servers so that traffic destined toward these IPs
could be monitored or redirected.  With the much-appreciated
observations of Daniel Drumm, University of Michigan, Ann Arbor (thanks,
Daniel!), we determined that three of the IPs listed provide hosting
service for image content also accessed by non-proxied connections (such
as those to msn.com and cnn.com).

The IPs are as follows:

----
IP               DNS name             ARIN
64.37.246.17     Non-existent domain  OrgName: Savvis
208.172.128.222  Non-existent domain  OrgName: Savvis (https)
216.39.69.76     Non-existent domain  OrgName: Savvis
----

As a result, the IPs 64.37.246.17, 208.172.128.222, and 216.39.69.76
should be removed from global blocks/redirects to avoid false positives.
It may be a good idea to continue to monitor this traffic with
supplemental approaches to detecting the presence of MarketScore
proxying.

Additionally, Snort users may want to check out signatures under
Spyware/Malware - Marketscore.com Research that are now available at
Bleeding Snort
(http://www.bleedingsnort.com/forum/viewtopic.php?forum=11&showtopic=342).

I apologize for the premature posting of the IPs.

David Skrdla
Network Security Analyst
Systems Security Office
IT/Technology Operations
Oklahoma State University
Ph. 405-744-7806

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.
