IT Security Office Cornell University security@cornell.edu 6 June 2005
Recent Changes in Comscore Proxy Capabilities
What follows is an addendum to a previously published paper that described the observed behavior of the Comscore proxy agent. Comscore's proxy software is distributed under the names Marketscore, OpinionSquare, Netsetter, and JD Council.
Internal references seen in the proxy we received refer to it as "ossproxy.exe" and are largely indistinguishable from the proxy discussed earlier. We believe any naming differences between the software discussed in our earlier paper and that evaluated on June 6th, 2005 are purely cosmetic and represent the same application.
As of April 7th, 2005 a new proxy agent has been observed in the wild. It exists as an upgrade to the proxy described in our earlier paper, but presents several new and intriguing capabilities:
- In our testing with the OpinionSquare site, the agent was named "opnsqr.exe" instead of "mksc.exe" and used different registry keys. The Layered Service Provider (LSP) was no longer named "osmim.dll". Otherwise, the basic architecture is unchanged from earlier releases.
- Between a different executable name, different associated DLLs, a different executable hash, and differing registry keys, the new proxy is undetectable by Spybot S&D, Ad-Aware, and Microsoft's Anti-Spyware beta.
- This new agent still communicates with the Web browser via a socket open on port 8254. Previously, port scanning for systems listening on that port was a reliable indicator of the presence of the software. It appears the new agent does not present itself on a public interface, so scans are no longer a reliable detection tool.
- Contained within the proxy agent are a large number of regular expressions. These are intended to match 8-11 digit numbers (presumably phone numbers or driver's license numbers), credit card numbers for both 15 and 16 digit formats, social security numbers, US phone numbers, phone numbers with extensions of variable length, ZIP +4, and various other patterns (see below).
- Word lists intended to match salutations in various languages and street address fragments (street, boulevard, road, etc., and their abbreviations).
Much speculation has been devoted to these last two additions, as they could be delivered to the agent via a pre-existing XML update mechanism.
In view of the speed with which the agent can replace itself, altering its name and registry keys each time, it presents a difficult target for the anti-spyware authors. It appears that passive detection methods (netflow records of contacts to known Comscore IP ranges, snort signatures for proxy communications) may be the only way to reliably detect infected systems.
Regular expressions extracted from the opnsqr.exe binary:
([0-9]{8,11})
([0-9]{4})[-\s]*([0-9]{6})[-\s]*([0-9]{5})
([0-9]{4})[-\s]*([0-9]{4})[-\s]*([0-9]{4})[-\s]*([0-9]{4})([-\s]*[0-9]*)
([0-9]{3})[-\.\s]+([0-9]{2})[-\.\s]+([0-9]{4})
([0-9]{3})([0-9]{3})([0-9]{4})(.*)
1*[-\.\)\s]*\(*([0-9]{3})[-\.\)\s]+([0-9]{3})[-\.\s]*([0-9]{4})(\s*[xX]*(ext\.)*\s*[0-9]*)
<input\s+[^>]*name\s*=\s*"([^>"]+)"[^>]*value\s*=\s*"([^>"]+)"[^>]*>
<!--(.*?)-->
([[:word:]\.]*)\s*([[:digit:]]+)\s*([[:word:]]*)
([[:word:]\.]+)@([[:word:]]+)\.([[:word:]\.]+)
([[:alpha:]\.]*),*\s*([[:alpha:]\.]*)\s*([[:alpha:]\.]*)
([0-9]{5})-*([0-9]{4})*
([[:alpha:][:blank:]]+),*\s+([[:alpha:]]{2}),*\s*([0-9]{5})-*([0-9]*),*\s*([[:alpha:]]*)
([[:alpha:][:blank:]]+),\s+([[:alpha:]]+\s*[[:alpha:]]*),*\s+([0-9]{5})-*([0-9]*),*\s*([[:alpha:]]*)
([0-9]+)\s+([[:alpha:]]{1,5})\.*\s+([0-9]+)\s+([[:alpha:]]{1,5})\.*(.*)
([0-9]+-*[0-9]*)[\s,]+([[:word:]\.]*)\s*([[:word:]\.]*)\s*([[:word:]\.]*),*(.*)
([0-9]+-*[0-9]*)\s+([[:alpha:][:blank:]\.]+)\s+([[:alpha:]\.]+)
>\s*([^<]+)\s*<
<\s*td[^>]*>((?:.(?!<td))*?)<\s*/td\s*>
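To gauge what a page or form submission would expose to an agent carrying these patterns, the following added example (not part of the paper) runs six of the regular expressions listed above over a constructed checkout page. The e-mail pattern's POSIX [[:word:]] class is not supported by Python's re module and is translated to \w; the other patterns are used verbatim.

```python
import re

# Six of the patterns listed in the paper as extracted from opnsqr.exe, keyed by what
# they appear to target. The e-mail pattern uses POSIX [[:word:]], which Python's re
# lacks, so it is translated to \w here; the others are used verbatim.
AGENT_PATTERNS = {
    "card16": re.compile(
        r"([0-9]{4})[-\s]*([0-9]{4})[-\s]*([0-9]{4})[-\s]*([0-9]{4})([-\s]*[0-9]*)"),
    "ssn": re.compile(r"([0-9]{3})[-\.\s]+([0-9]{2})[-\.\s]+([0-9]{4})"),
    "phone_ext": re.compile(
        r"1*[-\.\)\s]*\(*([0-9]{3})[-\.\)\s]+([0-9]{3})[-\.\s]*([0-9]{4})"
        r"(\s*[xX]*(ext\.)*\s*[0-9]*)"),
    "email": re.compile(r"([\w\.]+)@(\w+)\.([\w\.]+)"),
    "zip4": re.compile(r"([0-9]{5})-*([0-9]{4})*"),
}
FORM_INPUT = re.compile(
    r'<input\s+[^>]*name\s*=\s*"([^>"]+)"[^>]*value\s*=\s*"([^>"]+)"[^>]*>')

# Constructed sample of a checkout page as a proxy agent would see it in transit.
SAMPLE_PAGE = """<form action="/checkout">
<input type="text" name="cardnumber" value="4111 1111 1111 1111">
<input type="hidden" name="session" value="abc123">
<input type="text" name="ssn" value="123-45-6789">
</form>
Contact: (607) 555-0199 x42 or jdoe@example.edu, Ithaca, NY 14853-0001
"""


def harvest(text):
    """Return, per pattern, the strings the agent's regexes would pull from text."""
    return {label: [m.group(0).strip() for m in rx.finditer(text)]
            for label, rx in AGENT_PATTERNS.items()}


def form_fields(text):
    """Return the (name, value) pairs the <input> pattern captures, hidden fields included."""
    return FORM_INPUT.findall(text)


if __name__ == "__main__":
    for label, hits in harvest(SAMPLE_PAGE).items():
        print(f"{label:10s} {hits}")
    print("form fields", form_fields(SAMPLE_PAGE))
```

Note that the ZIP+4 and 8-11 digit patterns are broad enough to match many non-address numbers, so the volume of data such an agent captures is larger than the named categories suggest.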