Spyware or Researchware?

prostoalex writes "When the story of Firefox Web site visitors being predominantly male was published, many questioned the methodology used to acquire such research data. This MSNBC article talks about another research company, ComScore Networks, using a free antivirus utility to lure the Web users into downloading a small utility to their hard drives. The catch? The software watches not only sites visited, but even locations of the mouse clicks. ComScore swears the final data does not contain any personal information, but, as the article states, anti-spyware utility manufacturers are still thinking whether to include it on their list."

Hostile code - forges SSL certs

[Animats]

It's more than spyware. This thing reroutes all your browser traffic through their proxy. That's how they see what you're doing. It includes rogue SSL certificates so it can capture encrypted connections. Yes, they get to see all your credit card numbers. Major universities, including UCIC, UCLA, UC Riverside, UCSD, Texas Tech, Windsor, UNC, Old Dominion, Michigan, Iowa, McGill, Carlton, Cornell, American University, Stanford, and Columbia are blocking conections to Marketscore for this reason. If you have Marketscore installed at one of those schools, you get a warning page like this.

Some banks also block online banking sessions coming in via Marketscore's proxies.

This is the same spyware previously known as "netsetter". There's no question about this being spyware.

Here's Stanford's Information Security Office's statement on Marketscore.

• Security Alert: MarketScore Spyware
  11 Jan 2005

  MarketScore (also called NetSetter) is a spyware-like application that compromises the security of all data sent or received by your web browser, even on "secure" encrypted web sites. All external browser communications are re-routed through MarketScore's proxy servers, so they have access to any "secure" traffic/passwords/accounts that otherwise would be encrypted.

  If you have MarketScore installed on your computer and have used your browser for any services that require WebLogin, your password should be considered compromised. After you have removed MarketScore from your computer, we strongly recommend that you change your SUNet password. This advice also applies to any other secure web sites you may have visited with your browser.

  The Information Security Office is directly contacting owners of machines that appear to behave as if MarketScore is present.

  Technical Detail

  MarketScore reconfigures the browser to use a "proxy server" for all non-local connections, including HTTPS connections. A proxy server is a machine that acts as a middle-man, brokering web page requests intended for other sites. So if the browser on machine A wants to visit web sites C, D, and E it makes all those requests through the proxy server B. B then contacts C, D, and E and passes the results back to A. This is usually transparent to the user on machine A after the browser has been configured to use the proxy.

  Web proxies are typically used in a corporate environment where all web traffic must be controlled or inspected centrally, although in the case of secure HTTPS traffic there is ordinarily nothing the proxy can do except forward the connection or refuse it. In this case, the proxy servers belong to a company called ComScore where they collect and analyze the intercepted data.

  While ordinarily an HTTPS connection would simply pass through a proxy securely, in this case MarketScore also installs a new root certificate in your browser so that it can decrypt all intercepted SSL connections (a "man-in-the-middle" attack) without triggering a security warning from the browser. In normal operation, browsers would complain if a site certificate doesn't match the domain of the URL, but the new root certificate tells the browser to trust ComScore's site certificate for any URL.

This goes well beyond what Marketscore claims their program does.

That seems to settle the issue.