Earlier this month, after notification by several sources, TRUSTe immediately launched an investigation of a distributor installing comScore’s RelevantKnowledge on consumer machines through a security exploit. With the help of Eric Howes and the team at SunBelt Software, and with the cooperation of comScore, TRUSTe was able to locate the exploit.

Understanding that installation via exploit is a prohibited activity in the Trusted Download Program, TRUSTe removed RelevantKnowledge from the TDP white list for three months. This action reflects the seriousness of the offense perpetrated by a distributor within the RelevantKnowledge distribution network, and provides comScore with time to implement and demonstrate the effectiveness of further controls.

A Rogue Distributor Exploits Security Flaws:

The RelevantKnowledge application was observed being installed via a security exploit amongst several other applications. The following describes the series of events observed:

  • The user visited an unauthorized distribution web site.
  • A series of hidden frames was loaded containing links to dozens of other websites, including sites containing code designed to test and trigger security exploits on the user’s machine.
  • By way of these exploits, a cascade of maliciously installed software was downloaded/installed onto the user’s machine without any form of consent. This software included RelevantKnowledge.

The application which ultimately installed RelevantKnowledge contained a code which identified it as belonging to an authorized comScore distribution partner. This distributor was authorized to offer RelevantKnowledge as part of a software bundle available at a website that had been reviewed and tested by both TRUSTe and comScore, and confirmed to obtain positive user consent. Unfortunately, it appears that the distributor ‘went rogue’ by facilitating the installation of RelevantKnowledge on one or more unauthorized distribution sites, and by using unauthorized installers which circumvented consent mechanisms required by comScore and by the TDP Program Requirements.

While the course of events described contains several potential violations of TDP Program Requirements, it should be noted that the observed activity on the malicious sites was not directly tied to actions by comScore, and took place on web sites that were not controlled by or associated with comScore. The malicious activity observed took advantage of exploits in the RelevantKnowledge distribution model in order to make it appear to comScore that a consensual installation had taken place.

comScore Took Decisive Action:

As soon as it was informed of the offense, comScore took immediate action which it promptly communicated to TRUSTe. Within 24 hours, comScore:

  • Terminated the distributor.
  • Disabled all installations associated with the distributor.
  • Activated a self-delete switch in the RelevantKnowledge software that will automatically uninstall the software at the next reboot opportunity.
  • Began developing changes to its methods of distributor monitoring and control to correct weaknesses that allowed this exploit to take place.

In order to achieve tighter security in its distribution process, comScore implemented additional verification measures, including a review of distribution URLs to check for authorized distribution points and a validation check for an authorized distribution installer “footprint”.

Re-Attaining Trusted Download Status:

TRUSTe and comScore will continue to work together through this period, and comScore will attempt to re-emerge with substantially more robust anti-fraud systems. Over the next 90 days, TRUSTe is requiring comScore to roll out additional changes, and comScore has agreed to make whatever changes might be necessary. These changes will, at a minimum, include:

  • Termination of install unless the installation was initiated from a verified source (by URL or installer).
  • Termination of the install in the event that it is detected that the install is triggered via a security exploit.
  • Move to a consent model directly controlled by comScore.
  • Improve consumer feedback/complaint channel.
  • Improve auditing process.

comScore will be subject to additional TRUSTe monitoring.

Community Cooperation on Standards and Policing

Without the cooperation of the anti-spyware community, the damage inflicted on users by this rogue affiliate could have been much greater. It is admittedly difficult for any single entity to monitor the behavior of each and every distributor and affiliate. Vigilance, cooperation, and mutual assistance by the entire online community (anti-spyware companies, third-party certification entities, government enforcement, consumer-complaint mechanisms, and self-policing by “good players”) all have roles to play in making the internet a safer place for everyone.

Posted by Colin O’Malley
