An Analysis of the New Marketscore Proxy

Abstract

Marketscore (http://www.marketscore.com), a subsidiary of the marketing firm ComScore, has made software available to Internet users which is advertised as a tool to help the user influence the Internet and gain "benefits" as part of the Marketscore community and to protect the user's system from e-mail-borne viruses while providing marketing data to the Marketscore company.
The installation process for this software places an agent on the client PC. This agent periodically polls the Marketscore servers for configuration and software updates. Software updates occur frequently and appear to bring additional technical capabilities. Configuration updates occur very frequently, often every few minutes, and instruct the local agent on sites and content of interest, how to acquire and package data, what applications to monitor, and what data about the local machine to gather. This data, when gathered, is compressed and returned to the Marketscore servers. It is important to note that, once installed, the activities of this agent are undetectable and may not be configured by the PC user.
The new Marketscore proxy is capable of intercepting SSL sessions, can eavesdrop on various instant messaging traffic, gathers a great deal of local hardware information, intercepts and redirects POP e-mail traffic, and proxies HTTP and FTP sessions. What follows is a technical discussion of these capabilities, their implementation, and implications for sites attempting to detect Marketscore PCs and limit loss of data.
The findings of this analysis represent the work of the staff of the Cornell University IT Security Office and technical staff of Carnegie Mellon University. Information regarding older versions of the Marketscore software and Cornell University's response to it can be found at http://www.cit.cornell.edu/computer/security/marketscore/.