Marketscore Resource Information for System/Network Administrators
This page provides up-to-date technical information for system and network administrators regarding the University's efforts to restrict access to Marketscore servers.
Marketscore Application Information
The Marketscore software affects Microsoft operating systems only. A Marketscore-compromised computer will forward HTTP requests to a Marketscore server on ports 80 and 8000. Secure HTTP (HTTPS) requests are forwarded over port 443. Images do not appear to be proxied.
A user running multiple browsers on a Marketscore-compromised host will see different behaviour depending on which browser is in use, because trusted certificate stores are generally unique to each browser. For example, if Marketscore is installed using Internet Explorer, then all HTTP and HTTPS traffic will be proxied as usual. However, if Netscape is subsequently used on the same computer, Marketscore proxies only HTTP, because the Marketscore trusted root certificate is present in IE only and not in Netscape.
These links from other universities provide more details including process location and removal experience:
Columbia University
University of Minnesota
Details of University Response
The effort to restrict access to Marketscore servers consists of two parts:
- UTORnet client blocking by DNS redirection of *.marketscore.com address requests.
- UTORnet server protection.
DNS Redirection
To prevent internal UTORnet users from accessing Marketscore servers, University caching name servers will be configured effective 01/24/05 to return 128.100.102.182 for any 'A record' client queries for *.marketscore.com. The web server at this site is configured to redirect the requested URL to a document which informs users of the restricted Marketscore access and provides instructions on how to remove Marketscore software.
Institutional caching name server IPs:
128.100.100.128
128.100.102.201
128.100.56.135
CNS requests that all campus DNS server administrators configure their servers similarly. The following configuration information is provided to help with this:
BIND versions 8 or 9:
zone "marketscore.com" {
    type forward;
    forward only;
    forwarders {
        128.100.100.128;
        128.100.102.201;
        128.100.56.135;
    };
};
Dan Astoorian of DCS provided the above configuration and has volunteered to help those who need to make BIND 4 configuration changes. Philip Murton of CNS has volunteered to provide assistance for 'djbdns' users.
Server Protection
To protect the privacy of information on University servers, CNS recommends that web server software be configured to redirect all traffic from Marketscore servers to the information web page at http://shib.cns.utoronto.ca/marketscore_redirect.htm. Apache servers can be configured to do so using the mod_rewrite module and the following configuration:
To redirect http requests (install in port 80 virtual host area of httpd.conf):
RewriteEngine on
#RewriteLogLevel 5
#RewriteLog logs/rewrite_log
RewriteCond %{HTTP:Via} marketscore
RewriteRule .* http://shib.cns.utoronto.ca/marketscore_redirect.htm [R]
To redirect https requests (install in port 443 virtual host area of ssl.conf):
RewriteEngine on
#RewriteLogLevel 5
#RewriteLog logs/rewrite_log
RewriteCond %{REMOTE_ADDR} ^66\.119\.33\..* [OR]
RewriteCond %{REMOTE_ADDR} ^66\.119\.34\..* [OR]
RewriteCond %{REMOTE_ADDR} ^170\.224\.224\..* [OR]
RewriteCond %{REMOTE_ADDR} ^216\.148\.244\..* [OR]
RewriteCond %{REMOTE_ADDR} ^216\.148\.246\..*
RewriteRule .* http://shib.cns.utoronto.ca/marketscore_redirect.htm [R]
Note that the above rules attempt to match the Marketscore server address against one of five 256-host subnets. Parsing of web server logs over a lengthy period shows 42 Marketscore servers spread over these subnets (see list below). The 'coarse' subnet matching was done to keep the configuration manageable. A non-Marketscore host with an IP address in these ranges that connects to a server using these rules will also be returned the UTORnet Marketscore error page; this will be monitored.
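The same five-subnet match can be run over a web server's access log to list which addresses in those ranges have reached it, which helps when reviewing the coarse match for non-Marketscore hosts. This is an added example, not part of the original page or CNS tooling; it assumes Apache common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# The five 256-host subnets matched by the https rewrite rules on this page.
MARKETSCORE_NETS = [ipaddress.ip_network(n) for n in (
    "66.119.33.0/24", "66.119.34.0/24", "170.224.224.0/24",
    "216.148.244.0/24", "216.148.246.0/24",
)]

# Apache common/combined log format: the client address is the first field.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def matching_net(addr):
    """Return the listed subnet containing addr, or None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # hostname or garbage in the client field
        return None
    return next((n for n in MARKETSCORE_NETS if ip in n), None)

def summarize(lines):
    """Count requests per client address that falls in a listed subnet."""
    hits = Counter()
    skipped = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            skipped += 1        # keep a tally so damaged lines are noticed
            continue
        net = matching_net(m.group(1))
        if net is not None:
            hits[(str(net), m.group(1))] += 1
    return hits, skipped

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '66.119.33.17 - - [24/Jan/2005:10:01:02 -0500] "GET /grades HTTP/1.0" 302 291',
    '66.119.33.17 - - [24/Jan/2005:10:01:09 -0500] "GET /login HTTP/1.0" 302 291',
    '216.148.246.5 - - [24/Jan/2005:10:02:00 -0500] "GET / HTTP/1.0" 302 291',
    '66.119.35.17 - - [24/Jan/2005:10:03:00 -0500] "GET / HTTP/1.1" 200 5120',
    '192.0.2.10 - - [24/Jan/2005:10:04:00 -0500] "GET / HTTP/1.1" 200 5120',
    'truncated line',
]

if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE)
    for (net, addr), count in sorted(hits.items()):
        print(f"{net:<18} {addr:<16} {count}")
    print(f"unparsed lines: {skipped}")
```

The standard log formats do not record the Via header used by the port 80 rule, so this check covers the address-based match only.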