Summary:  Recent discussions on nationwide campus and ISP communications channels have raised the issue of a potentially serious security issue related to software distributed by a company called MarketScore. MarketScore (formerly known as 'NetSetter') software is often advertised as an internet connection accelerator, though independent experts have not been able to verify any appreciable increase in internet connection performance associated with the product.

MarketScore runs at startup and collects personal information entered in on-line forms/other browsing information and also opens advertisements on a user's Internet Explorer Browser. Based on these activities, MarketScore is considered as adverting-oriented spyware by some security organizations.

The Marketscore software also re-routes all web traffic from a host's computer through its own proxy servers and therefore allows MarketScore the ability to view all information sent to/from a user's web browser, INCLUDING TRAFFIC THAT WOULD NORMALLY BE PROTECTED BY HTTPS/SSL ENCRYPTION. Secured/encrypted traffic commonly includes such things as usernames/passwords, banking/health transactions, etc.

ITS has acted to minimize the risk of this potential security threat by blocking Internet access to the most well-known domains associated with MarketScore. On-Campus users whose systems are hosting MarketScore software will likely see either a University at Albany "Access to this domain has been blocked for security reasons" web page or a more generic Internet Explorer "Cannot Find Server" message when they try to access web pages via their browser. All other (non-browser) networked applications such as email, network shares, etc will not be affected by the MarketScore blocks

Recommended Actions:  Technical Coordinators, system administrators, etc are advised to detect and remove the MarketScore Software from their users' systems in order to minimize this security risk/restore web access. Most AV products are not reliable detectors of this software, (with the exception of Symantec AV 9.0 using the Expanded Threats option). Other Universities have reported success in detection/removal via the freeware anti-spyware product "SpyBot Search and Destroy" (see link below in the resouces section). Other anti-spyware products may also be successful at detection and removal; system administrators are encouraged to please send ALARM any information about removal techniques/applications they use (other than SpyBot) in an effort to build a better base of information about combating this type of threat.

ITS Actions:  Blocking of MarketScore proxies (as mentioned previously)

Resources:
ISS Description of MarketScore
http://xforce.iss.net/xforce/xfdb/14411

Cornell University Security Alert for MarketScore (includes some manual removal directions)
http://www.cit.cornell.edu/computer/security/alerts/marketscore.html

PennState MarketScore Warning
http://its.psu.edu/news/marketscore.html

Indiana University MarketScore Alert
http://kb.indiana.edu/data/apnh.html?cust=946089.48283.30

SpyBot Search And Destroy Home Page:
http://www.safer-networking.org/en/home/

NOTE:  PLEASE DO NOT REPLY TO THIS ALERT.  Alerts distributed by ALARM are not intended to supplant whatever security measures you are currently following. Technology coordinators, as well as the entire Ualbany computing community should continue to take all necessary precautions against threats to system security and information integrity.

Current Students  |  New Students  |  Distance Learners  |  Faculty  |  New Faculty  |  Staff Training  |  Schedules / Hours  |  Forms  |  FAQs & User Guides  |  Policies  |  About ITS  |  Home