Analysis SecureStudies.com OSSProxy MarketScore OpinionSpy Adware/PUP/Trojan/Malware comScore vs Nielsen

A few days back one of our virus/malware file submission sites received close to a hundred comScore, Inc. related executables from two IP addresses over an hour-long period, with AV detection scans run against each file. This activity drew some interest at first because the binaries were for various operating systems, such as Linux ELF, Mac OS X and various Windows executables, with creation dates going all the way back to 2010. Was this comScore submitting its own files for analysis, or security researchers?

The scan results for all the Windows variants conclusively pointed to adware or clean, with virtually no detections for the OS X or ELF binaries apart from a few clean and a few trojan/backdoor results. Mac and Linux users are usually not the targets of malware writers, who usually go after the masses for monetary gain. A quick Internet search revealed that a few Mac security sites were labelling the OS X files as an OpinionSpy trojan backdoor, which meant it was time to fire up some VMs!

Immediately it was apparent what was happening: Mac users aren't used to dealing with adware, and when they install a program there usually isn't much of a user agreement they have to read and accept. The Mac community may think it is rather progressive, but to a lot of PC users they come off as unjustifiably snobby and self-righteous, with a virus- and malware-free operating system hubris; they may have a case. Case in point: Trojan.Spyware.OpinionSpy, which PC users know as annoying adware, having gradually learned over time that it isn't a good idea to install suspect applications.

Upon loading one of the Mac binaries, a user agreement was presented which detailed that this software will track your Internet behavior and send it back to its makers. This is essentially the same type of agreement that TV watchers enter into when chosen to be part of the Nielsen Ratings programs. Nielsen would be seen as more prestigious, as they select only a limited number of users to send their custom TV watching and tracking box to. The obvious difference is that if you decide you don't want your watching habits going to Nielsen, you can disconnect the box and walk away. Uninstalling software, on the other hand, must be a taxing endeavor for someone.

 

After installation there is a toolbar on the browser, and there is network traffic with a custom OSSProxy UA string sending and receiving data from PremierOpinion.com and SecureStudies.com. The software uninstalled rather easily and the network traffic stopped. This was the same for the Windows executables, which had some annoying surveys and pop-ups but nothing even remotely malicious in nature. This software falls squarely into the realm of adware/behavior tracking; the benefit of installing it is that you may earn a few dollars or prizes for completing surveys.
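For anyone who wants to check whether this software is talking on their own network, here is an added example (not part of the original analysis and not comScore code) that looks for the two network indicators described above in web proxy logs. The log layout, the sample lines and the assumption that the custom User-Agent contains the token "OSSProxy" are constructed for illustration.

```python
import re
from collections import defaultdict

# Domains named in the post; its strings dump shows subdomains (post., hawk., rules., adv.).
WATCH_DOMAINS = ("securestudies.com", "premieropinion.com")
UA_TOKEN = "ossproxy"  # assumption: the custom User-Agent contains this token

# Assumed (constructed) log layout: client_ip "METHOD TARGET" status "User-Agent"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
HOST_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*://)?([^/:\s]+)', re.I)

SAMPLE_LOG = """\
10.0.0.5 "POST https://post.securestudies.com/ossreceive.aspx" 200 "OSSProxy 1.3.336.331 (Build 336.331 Win32 en-us)"
10.0.0.5 "GET http://rules.securestudies.com/oss/rule31.asp" 200 "Mozilla/5.0"
10.0.0.7 "GET http://www.premieropinion.com/" 200 "Mozilla/5.0"
10.0.0.8 "GET http://notsecurestudies.com/" 200 "Mozilla/5.0"
10.0.0.8 "GET http://securestudies.com.example.net/x" 200 "Mozilla/5.0"
10.0.0.9 "CONNECT post.securestudies.com:443" 200 "Mozilla/5.0"
10.0.0.6 "GET http://example.org/" 200 "ossproxy/test"
this line is malformed
"""

def watched_host(host):
    """True for a watched domain or any subdomain of it, never for look-alike names."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCH_DOMAINS)

def scan(log_text):
    """Return ({client_ip: sorted reasons}, number of lines that could not be parsed)."""
    hits = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # count unparsed lines so gaps in coverage are visible
            continue
        client, _method, target, _status, ua = m.groups()
        host = HOST_RE.match(target)
        if host and watched_host(host.group(1)):
            hits[client].add("domain:" + host.group(1).lower())
        if UA_TOKEN in ua.lower():
            hits[client].add("user-agent")
    return {c: sorted(r) for c, r in hits.items()}, skipped

if __name__ == "__main__":
    hits, skipped = scan(SAMPLE_LOG)
    for client, reasons in sorted(hits.items()):
        print(client, ", ".join(reasons))
    print("unparsed lines:", skipped)
```

The User-Agent check is kept separate from the domain check so that a client still shows up if the traffic goes to a host outside the two domains named in the post.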

The references to it being classified as spyware or a backdoor/trojan are false, both legally and from an Internet security standpoint. By accepting the user agreement you are allowing the software to update itself, which can lead to more adware on your system. The company that pushes the various marketing and survey taking out is an A+ BBB rated, billion dollar, publicly traded corporation. They are not spawning reverse shells and taking over your Macs and PCs. One Mac site even claimed they found the hidden site publishing the size of their “botnet”, which one can only find amusing. Wonder if the FBI knows how to work the Google, “largest malware botnets in the world.” Go get them! lol

There is something else that is rather amusing: Symantec did a write-up in 2007 claiming that MarketScore (a Windows version of the software) was a type of spyware, and left it published, apparently forgetting that they now support and scan the company's sites.

Maybe they should have pulled this before taking their money:

https://www.symantec.com/security_response/writeup.jsp?docid=2004-042117-5317-99

Money changes everything:

 

—————————-
Commercial Infrastructure
—————————-

comScore owns thousands of IP addresses that are rotated through the resolution for securestudies.com and premieropinion.com which they have owned and used for over ten years now. If comScore’s software was even remotely malicious or illegal you’d see something similar to this on their website overnight. The FBI can seize any commercial domain name pretty much at will now if there is any proof of illegal activity or warranting of an investigation.

 

 

TMRG and PremierOpinion are two of the larger pieces of comScore’s marketing solutions:

PremierOpinion is part of an online market research community with over 2 million members worldwide. PremierOpinion relies on its members to gain valuable insight into Internet trends and behavior. In exchange for participating in periodic surveys on topics of interest to the Internet community, and for having their Internet browsing and purchasing activity monitored, PremierOpinion sponsors select software that its members can enjoy for free. PremierOpinion DOES NOT sell personal information; nor do members receive any advertisements as a result of their participation in PremierOpinion. Responses to surveys are aggregated and the results help determine the content that members see when they surf. Member participation in PremierOpinion surveys is completely voluntary. We appreciate our members taking the time to answer the survey questions.

http://www.premieropinion.com

 

TMRG is a service of comScore, Inc., a leading Internet ratings system that provides insight into consumer behavior and attitudes. For assistance with your market research needs, please complete comScore’s Information Request form and someone will contact you shortly.
https://www.tmrginc.com/FAQ.aspx

The parent company:

ComScore Inc
Market Researcher
Address: 11950 Democracy Dr #600, Reston, VA 20190
Phone:(703) 438-2000
http://www.comscore.com/

comScore, Inc. (NASDAQ: SCOR) is a leading cross-platform measurement company that precisely measures audiences, brands and consumer behavior everywhere. comScore completed its merger with Rentrak Corporation in January 2016, to create the new model for a dynamic, cross-platform world. Built on precision and innovation, our unmatched data footprint combines proprietary digital, TV and movie intelligence with vast demographic details to quantify consumers’ multiscreen behavior at massive scale. This approach helps media companies monetize their complete audiences and allows marketers to reach these audiences more effectively. With more than 3,200 clients and global footprint in more than 75 countries, comScore is delivering the future of measurement.

 


Surprisingly there were only 5 complaints listed on BBB.org; I would have thought a lot more people would be annoyed. All of the complaints were resolved: each came from someone who got their first taste of some annoying adware, with comScore actually responding on how to remove their software:

 

 

=======================================================
Here are some interesting binary strings pulled from one of the executables

You can note that it does install with a full uninstall package

You can also note that you will be getting a bundle of other adware loaded

There will be ads!

There are browser hooks!

=======================================================

Permission Research
The following value-added programs will also be uninstalled as part of
the %s uninstall process:
%1d. %s
Do you want to continue and uninstall all of the listed programs?
%s cannot be uninstalled until all value-added software
obtained through %s has been uninstalled.
Do you wish to continue uninstalling the value-added programs?
Uninstall Confirmation
OSSProxy not shutting down in a timely manner.
Removing StartMenu: Failed to get startup menu folder[%d]
Remove: Unconfiguring LSP.
Remove: Unconfigure LSP failed.
Removing OSSProxy.
AddRemovePost
https://post.securestudies.com/ossremove.aspx
Software\Mozilla\Firefox\Extensions
shfscp.dat
nscf.dat
ncncf.dat
egdcf.dat
asmcf.dat
cm.crx
Software\Google\Chrome\Extensions
Software\Google\Chrome
msvcp71.dll
msvcr71.dll
Software\RelevantKnowledge
Remove Successful
Software\Netsetter\OSSProxy\Settings
BundleInstallPost
Software\Netsetter
https://post.securestudies.com/ossreceive.aspx
?CAMPAIGN_ID=
&MACHINE_ID=
SOFTWARE\ScreenSaver.com\Relevant Knowledge
&%s=%s
&%s=%d
Software\SOFTWARE\ScreenSaver.com\Relevant Knowledge
OSSProxy::Initialize startmenuRuleContainer init failed[%d]
Install: OSSProxy failed to create BID[%08x].
Install: OSSProxy install failed, no Internet connection.
Install Failed
You will need to have an Internet connection in order to complete the installation, please try again later.
Installing OSSProxy.
Install: Bundleware installation for campaign: %s
Install: failed to configure bundle machines.
Install: OSSProxy installed successfully.
OSSINSTALL: Requesting country code and language….
OSSINSTALL: IPCountry=’%s’ languageID=%s
instLanguage
OSSINSTALL: Country code request failed!
Install Successful
OSSINSTALL: Retrieving previous 25 HTTP URLS….
CS_INSTALL(%s)
http://oss-content.securestudies.com/cidpost
C:\Documents and Settings\Public\install25urls.xml
C:\install25urls.xml
UninstallString
re you want to uninstall?
brandinfo
OSSProxy 1.3.336.331 (Build 336.331 Win32 en-us)(May 12 2016 11:22:41)
SystemVersion: %s
OSSProxy was installed with another user, aborting
DisplayName
Install Failed: You must have admin right to install
OSSProxy 1.3.336.331 (Build 336.331 Win32 en-us)(May 12 2016 11:22:41)
OSSProxy Console
Console Window should be visible
eyixayt.rkr
rk.exe
AutoUpgrade: Searching for the newest DLLs
OSSUPGRADE: Country code request failed!
StartUpgradedFile
(Startupgraded) Executing %s %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
\sporder.dll
http://hawk.securestudies.com:80/ue.aspx
\ossproxy.exe
\osmim.dll
\ossservice.exe
service.exe
\dompilot.dll
\dompilot3.dll
\osspdf.dll
\ossproxy64.exe
\osmim64.dll
\osproxy64.exe
Initializing BrowserMonitor
BrowserMonitor
BrowserMonitor: Initializing BrowserMonitor
BrowserMonitor::Initialize: Waiting 1 Sec for shell to initialize
BrowserMonitor: Exception trying to connect to ShellWindowsEvent
BrowserMonitor: Failed to connect to ShellWindowsEvent
BrowserMonitor: Shutting Down BrowserMonitor
ConnectToBrowsers %x
BrowserMonitor: Connecting to browsers
ConnectToBrowsers Error(1) %x
ConnectToBrowsers Error(2) %x
BrowserMonitor: Already connected to new browser (disp:%08x)
ConnectToBrowsers(2) %x
DisconnectFromBrowsers
BrowserMonitor: Disconnecting from browsers
BrowserMonitor: Disconnecting from browsers (HWND)
BrowserMonitor: Disconnecting from browser %08x (hWnd=%x)
BrowserMonitor: Checking %s,%s for survey
BrowserMonitor: Checking Exit Survey
http://post.securestudies.com/upgraderesult.aspx?
http://proxycfg.securestudies.com/oss/aolnontlm.htm
aolopenride.exe
aolhelix.exe
aoldesktop.exe
chrome.exe
wcs2000.exe
https://adv.securestudies.com/ADVPost.aspx
AdViewPostURL
http://adv.securestudies.com/ADVQuery.aspx
AdViewQueryURL
http://rules.securestudies.com/oss/rule32.asp
DownloadTestRulesURL
http://rules.securestudies.com/oss/rule31.asp
AdViewRuleURL
http://rules.securestudies.com/oss/rule23.asp
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
111222000000Z
131221235959Z0
Virginia1
Reston1
TMRG Inc.1>0<
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA0
https://www.verisign.com/cps0*
https://www.verisign.com/rpa0
[0Y0W0U
image/gif0!00
#http://logo.verisign.com/vslogo.gif04
#http://crl.verisign.com/pca3-g5.crl04
http://ocsp.verisign.com0
VeriSignMPKI-2-80
VeriSign, Inc.10
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)101.0,
%VeriSign Class 3 Code Signing 2010 CA
Symantec Corporation100.
‘Symantec Time Stamping Services CA – G2
