Limited Time!
Totally FREE Web Design!
Click here!

Parasite: MarketScore

This record last updated Tue Sep 20 2005 00:34:15

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

MarketScore is an internet usage monitoring program, operating at a Windows networking level.

Variants

MarketScore/Netsetter: original version, marketed as a internet ‘accelerator’ service. Not known to be stealth-installed. Works as a connection to a compressing proxy (which could theoretically improve connection speed, though I didn’t notice anything in practice).

MarketScore/NS: marketed under the ‘MarketScore’ name. Includes an ActiveX configurer object; the only variant that can be detected by the script at this site.

MarketScore/OS: marketed as ‘Relevant Knowledge’ as a customer research tool; no longer includes the compressing proxy service.

MarketScore/MKSC: as MarketScore/OS, but with ossproxy.exe renamed to mksc.exe.

Distribution

The OS variant was bundled with iMesh mid-2004.

What it does

Advertising

Suspected in the OS and MKSC variants. According to the terms of use one must:

allow Relevant Knowledge, on a limited and infrequent basis, to make modifications to commercial communications received by you in e-mail or on websites you visit, and to monitor your responses to such modified commercial communications

which sounds like adding adverts to mail as well as web pages. However this has not yet been observed in practice.

Privacy violation

Yes. In the NS variant, every web connection goes through a remote proxy server where everything you send and fetch (include ‘secure’ HTTPS connections such and online banking) is stored and analysed.

The OS and MKSC variants are more picky about which data are interesting, only sending back data to its controlling servers when a targeted site or keyword is used.

Security issues

Yes. The software can silently download and install arbitrary unsigned code from its controlling server, as a self-update feature.

MarketScore also installs its own trusted root certificates, so that it can intercept secure (SSL) connections made by your machine. These certificates are left behind even when the software is uninstalled, allowing MarketScore servers to impersonate any other domain.

Stability problems

Because it works as a proxy itself, the NS variant won’t connect properly through other external proxies.

Removal

The OS variant may provide an entry in the Control Panel’s Add/Remove Programs feature, which should work. Otherwise, use the hidden uninstall feature. Either way, check below to remove the Root CA certificates.

Do not attempt to remove the LSP components of MarketScore by hand; failure to get it exactly right will result in a loss of internet connection. Also, you won’t be able to kill ossproxy.exe (OS variant) or mksc.exe (MKSC variant) from the Task Manager as normal, as the program hides itself when it sees the Task Manager open.

To use the hidden uninstaller, open a DOS command prompt window (from Start->Programs->Accessories) and enter, for the NS variant:

cd %WinDir%\System
nscheck /uninstall

Or, for the OS variant:

cd %WinDir%\System
ossproxy -bootremove -uninst:RelevantKnowledge

Or, for the MKSC variant:

cd %WinDir%\System
mksc -bootremove -uninst:RelevantKnowledge

Reboot the machine and you should be able to delete the ossproxy.exe or mksc.exe file from the System folder (which is inside the Windows folder, and called ‘System32’ under Windows NT/2000/XP/2003). You can also delete nscheck.exe and nsconfig.dll for the NS variant, or okshook.dll, osmim.dll and osconfig.dll for the OS variant.

Finally, open Internet Options (from the Control Panel or, in IE, Tools->Options) and click the ‘Certificates’ button on the ‘Content’ tab. Search for ‘Netsetter’ in the list in the Trusted Root Certification Authorities tab, select it and remove it. For the OS variant, do the same for the ‘MarketScore’ certificate.

Optionally, you can open the registry (Start->Run->regedit) and delete the key Software\Netsetter in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER to clear up.