Ultrasurf Is Malware


SteveTX
March 25th, 2009, 11:58 AM
As many of you are aware, there was a thread about dissecting Ultrasurf. We found significant malware behavior, and worst of all we found that ultrasurf promotes man in the middle attacks by allowing any ssl cert, even mismatched and self-signed certs and preventing the user from seeing a popup about it.

Ultrasurf is designed to be a free http proxy tool, and it is somewhat, but this is a cover for it to be a virus / malware that is nearly stealth and undetectable to normal virus scanners because of its heuristic avoidance and encrypted payloads.

At this time we recommend everyone to delete ultrasurf and download a free copy of VBA32 antivirus (ftp://anti-virus.by/pub/links/vba32-personal-latest-english.msi) which will correctly identify it, as all other antivirus software does not.

caspian
March 25th, 2009, 04:10 PM
What would be the purpose of creating a product like this? Identity theft or something like that?

Meriadoc
March 25th, 2009, 05:34 PM
{QUOTE-> I cannot comment further at this time. <-QUOTE}
Hi Steve, then why post about it yet - I'm not saying you're right or wrong I'm just interested to know more.
{QUOTE-> allowing any ssl cert, even mismatched and self-signed certs and preventing the user from seeing a popup about it. <-QUOTE}
Okay, that's bad.
{QUOTE-> heuristic avoidance and encrypted payloads <-QUOTE}
I'd expect encryption but why do you state Ultra surf malware?

Okay looking at Ultra surf briefly I would class it as riskware/generic.

SteveTX
March 25th, 2009, 07:05 PM
I would like to say much more, but what I think is responsible at this time is to say what I've said and urge everyone to get rid of the software. As soon as I can say more, I will, but it may be months or years.

LockBox
March 25th, 2009, 08:19 PM
{QUOTE-> I would like to say much more, but what I think is responsible at this time is to say what I've said and urge everyone to get rid of the software. As soon as I can say more, I will, but it may be months or years. <-QUOTE}

Steve, I noticed you deleted all your posts. You're not usually so careful choosing words concerning things that are garbage, which Ultrasurf obviously is. Were you contacted by the Ultrasurf people?

SteveTX
March 25th, 2009, 09:13 PM
{QUOTE-> Were you contacted by the Ultrasurf people? <-QUOTE}

No, and if I was that wouldn't stop me anyway.

LockBox
March 25th, 2009, 09:29 PM
Why the reluctance to talk about it? You said it might be months or even years before you could. That doesn't sound like you. And I mean that in a good way. It's just like something has you spooked about speaking out. What is it?

The other big freebie is another I can't stand. Anchorfree is adware deluxe. It may not technically be "malware" but I hate it.

I introduced someone to Xerobank last week and they said they were going to sign-up. I showed them the speed and they were surprised a VPN could be so fast. The portability also impressed him. Keep up the good work!

Searching_ _ _
March 25th, 2009, 10:43 PM
Maybe Ultrasurf is a project of business agencies Steve's related to. A cousin so to speak.

SteveTX
March 25th, 2009, 11:00 PM
{QUOTE-> Maybe Ultrasurf is a project of business agencies Steve's related to. <-QUOTE}

Absolutely not.

LockBox
March 25th, 2009, 11:08 PM
If it has anything to do with this (from their terms of service) - it's BS. Anybody can review a product, film, record, book, anything and it not be an infringement of copyright.

"UltraSurfTM and UltraReach.comTM are proprietary marks of UltraReach.com. UltraReach's trademarks may not be used in connection with any product or service that is not provided by UltraReach, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits UltraReach."

My guess is it's a government and/or hacker site that is legitimately doing what they say and Steve has learned that and can't write about it. If that's the case, I honor that. China is a horrible abuser of human rights and any way around the Great Firewall of China, I am all for. If it's not that, I am baffled as to the secrecy if it is indeed "malware". Who knows?

crofttk
March 25th, 2009, 11:17 PM
Well, maybe Steve conferred with Wilders admin/mods and this is where they ended up as the responsible place to be. His position makes sense to me, either way.

LockBox
March 25th, 2009, 11:24 PM
{QUOTE-> Well, maybe Steve conferred with Wilders admin/mods and this is where they ended up as the responsible place to be. His position makes sense to me, either way. <-QUOTE}

Nobody is suggesting that Steve's done anything wrong. But what malware could possibly NOT be discussed at Wilders and the admins would agree it shouldn't be discussed? I mean, aren't they the bad guys? I don't see how, if it's malware, that there's any way that not talking about it could be "responsible". The other way around, yes. But not talking about malware is a position everyone has agreed is "responsible"? I don't think so. If Wilders were ever caught covering up or being in cahoots with malware makers (even bowing to threats), it would be their undoing as a legitimate and credible security site. That's not it.

Searching_ _ _
March 25th, 2009, 11:28 PM
Leo's tool for tracking deviants? How is he by the way?

thathagat
March 25th, 2009, 11:53 PM
well..........a bit was discussed here too..............http://www.wilderssecurity.com/showthread.php?t=230690&highlight=ultrasurf

{QUOTE-> At this time we recommend everyone to delete ultrasurf and download a free copy of VBA32 antivirus which will correctly identify it, as all other antivirus software does not. <-QUOTE}

other av's too flag it............as trojan generic...backdoor......suspicious....see the link

CompMag
March 25th, 2009, 11:56 PM
Only barely just caught this one. Is there a More Info link somewhere?

I've looked on your blog and forum Steve, but, I couldn't find anything at either about this. Where's the rest of the information, other than this forum?

SteveTX
March 26th, 2009, 12:47 AM
Forget the guessing games. Just trust me on this, I'll explain it all later. The best thing to do now is uninstall any ultrareach software.

CaixFang
March 26th, 2009, 12:21 PM
I don't want to beat a dead horse here, but Steve, why would you even fuel people's suspicions by throwing in an offhand "I cannot comment further at this time" and then going cold on the subject? Why not just give the basic alert, and recommendations in a benign way?

Let's face it, there is a significant "tin hat" crowd that lurks here, and this thread is bound to become a conspiracy theory thread just based on the opening comments.

I'm not trying to be critical, nor pry an explanation further out, just curious as to why even fuel the fire to start with, knowing the crowd here?

SteveTX
March 26th, 2009, 12:59 PM
Because there are real and severe negative consequences from running the software in question, it is not a trivial and passive "vulnerability".

Nebulus
March 26th, 2009, 01:38 PM
Steve, I do not like when someone throws accusations without proof, especially when the product in question is the competition. You should refrain from attacking a product until you can present the proof too. Please don't get me wrong, it's ok that you try to warn people, but at some point if no proof is presented, you will lose credibility.

SteveTX
March 26th, 2009, 01:52 PM
There is no shortage of proof. Lots and lots of it, video, wireshark logs, and more, and we'll release it when it is appropriate. They are not competition, they are a freeware non-commercial http proxy program that is actually malware. Even tor is better than using ultrasurf. I'm not concerned about credibility here, there is more at stake than that. Just stop using the software if you are using it, any alternative is better. Just sit tight, and have a little faith, I've never steered you wrong yet, and when the truth comes out your jaw will drop.

CaixFang
March 26th, 2009, 02:10 PM
Just for giggles, in the last few minutes, I decided to go digging...here is what I found:

The ultrasurf exe is said (by multiple vendors) to contain Backdoor.Win32.Agent.uwi

Info on Backdoor.Win32.Agent.uwi

{QUOTE-> Backdoor.Win32.Agent.b
Other versions: .ich, .jm, .lw, .nj

Aliases
Backdoor.Win32.Agent.b (Kaspersky Lab) is also known as: Backdoor.Agent.b (Kaspersky Lab), W32/Morph.worm (McAfee), W32.Randex.gen (Symantec), BackDoor.IRC.Fuxor (Doctor Web), Backdoor:Win32/Agent.G (RAV), TROJ_AGENT.B (Trend Micro), BackDoor.Agent.C (Grisoft), Backdoor.Agent.B (SOFTWIN), Backdoor Program (Panda), Win32/Agent.B (Eset)
Description added Aug 06 2004
Behavior Backdoor
Technical details

Agent.b is a classic Trojan backdoor that opens the infected machine to remote access. This backdoor is a Windows PE exe file written in Visual C.

Agent.b is packed with two packers: Morphine and UPX. The packed file size is 38 KB and unpacked - 104 KB.

Agent.b is controlled over IRC channels. The controller can download and execute files on the infected machine.
Payload

Agent.b opens a random port in the 1xxx range for about a second, and then continues opening the next port in ascending numerical order. The infected machine sees only ports 'blinking' in ascending order.
Removal

If you know the name of the file containing the Backdoor, you can delete it after you stop the active processes in RAM using the Windows Task Manager. Once you have deleted the process, you can then delete the file.

If you cannot identify the name of the active process, you need to install a firewall, such as Kaspersky Anti-Hacker, which will monitor open ports and provide a log.
<-QUOTE}

The above is enough for me... I have played with morphine, and I know what it is capable of. Morphine has the ability to hide any process, any reg key, any file/folder and can be attached to legit files. Basically once morphine is on your system, in conjunction with other progs that it hides, it can do anything it wants. Add in a few apps that hide their port connections from apps like tcpview, and you now have a good, hidden backdoor to a machine. Distributed on the level of ultrasurf, that's a hell of a lot of machines at someone's disposal, to do as they please, be it steal info from the local machine, use the local machine for its own purposes, or create a hell of a botnet (all of which morphine helps facilitate nicely with the right tools and application.)

But, if you want more info read along...

{QUOTE-> Registrant:
UltraReach Internet Corp

560 S Winchester Blvd
Suite 500
San Jose, California 95128
United States
My emphasis added

Registered through: GoDaddy.com, Inc.
Domain Name: ULTRAREACH.COM
Created on: 06-Oct-02
Expires on: 06-Oct-09
Last Updated on: 07-Oct-08


Domain servers in listed order:
NS1.EV1SERVERS.NET
NS2.EV1SERVERS.NET
<-QUOTE}

A google search on the above address returns the following company:
Rockfeller Group Business
560 S Winchester Blvd Ste 500
San Jose, CA 95128

Same address, different phone number, but notice the suite numbers are the same...so a bit more digging returns this:

{QUOTE->

Virtual Office

Whether you are a telecommuter that occasionally needs to use our office facilities or an out-of-town company looking to have a presence in the city, Rockefeller Group Business Centers® can support your needs. For those organizations that simply need occasional meeting space or the cachet of a premier business address, Rockefeller Group Business Centers® has your Manhattan, New York City or San Jose, California Virtual Office Solution. Our "Virtual Office" Plan supports your business model without a commitment to full-time office space.
The Rockefeller Group Business Centers® Virtual Office Plan offers:
The prestigious addresses of any Rockefeller Group Business Center®, Midtown or Downtown in the financial district including 48 Wall Street, 45 Rockefeller Plaza and 630 Fifth Avenue
Building directory and 411 listing
Mail handling and forwarding
Complete telephone services, including a dedicated telephone number for your business
Fax services, including eFax
Unified messaging with VoIP platform
Personalized telephone answering by our professional staff during business hours
Private office space or conference center facilities on an as-needed basis
Receptionist services for your guests
Access codes for self-service copying and scanning
Beverage service and on-site dining area
Additional business support, including document design, desktop publishing, media presentations, and concierge services <-QUOTE}
{QUOTE->

560 S. Winchester Blvd

Rockefeller Group Business Centers at 560 S. Winchester Blvd. in California is located in the heart of the Silicon Valley technology industry. With beautiful views of Santa Clara Valley, we are conveniently located with access from the 17, 880, 280 and 101 freeways. Whether you need a Virtual Office Plan or an executive conference room, this location provides your company with a high profile and professional image. Our Drop-in Center and Day Office give you a comfortable, quiet place to meet with clients or co-workers. Simply stop in and connect to your voice mail and email for an hour, for the day, or for the week. We are adjacent to Santana Row with restaurants, shops, spas, and hotel readily accessible for lunch, dinner, and entertaining clients. Once you have established your business presence with Rockefeller Group Business Centers, it is an easy transition to convert from a Virtual Office Plan to a full-time office without changing your phone number or address.

Choose from our packages, or customize one for your company's needs.

a la Carte contains:
Listing with the Building's Directory
On-site Internet
Photocopier Access Code
Professionally Staffed Reception Area <-QUOTE}

So...this "organization" exists only in name, on the internet... Which alone, really isn't a big deal, but you would think a company/organization committed to anti-censorship would have a tangible address, and would have nothing to hide, at least not inside the US. This isn't China, where the govt will show up and shut you down for providing this service.

So is it some govt conspiracy to capture all our traffic? Well, I'm doubting that, based on their website:

{QUOTE->
4. Is UltraSurf a Trojan or virus?
A: Neither. UltraSurf provides users with state-of-the-art internet technology to break through firewall safely. It is a popular anti-censorship software, not a Trojan or virus. Some anti-virus software companies classify UltraSurf as a Trojan software simply because UltraSurf is able to break through firewalls. It is a mistake and a wrong classification. We are in the process of resolving this issue with these anti-virus companies through technique channels and legal channels. It is our mission to protect users' privacy when browsing the internet. Please rest assured that UltraSurf will not touch any of the documents on your PC. <-QUOTE}

I would think a govt front, would A use an address that isn't a known "front" address (my cousin works for the DEA and they don't exactly use virtual office space for stings) and B I would think the spelling and grammar would be correct. I don't exactly know what a "technique channel" is but if I find out, I'll let you know. I'm assuming they meant technical, but maybe my English isn't as good as I think.

Notice that last line I bolded. That seems like a CYA for court cases if I ever read one. Notice they only say they won't touch YOUR documents. They don't dispel the idea of anything else, such as using your PC via a backdoor, or monitoring what you are doing.

So what's the bottom line?
That I don't know. This I do know:
This company is not legit, at least they aren't who they say they are at the VERY least.
The file(s) directly from ultrasurf's download have been classified as a legitimate virus, and existing virus tools have been found inside the files, including morphine, which I already spoke to having first hand experience with.
Add those 2 components together, and something is very fishy. The fact that a company would dismiss major AV vendors by saying "they're just mad we can get past monitoring tools" is beyond weak. I use AngryIP Scanner, which Symantec and McAfee classify as a risk, and their response is legit, and asks for help in the way of directly contacting the vendors to reclassify the app. I would expect similar if this app was legit. Furthermore, if you look at say the Symantec risk pages related to AngryIP, you will find they DO NOT show it to contain a virus, they classify it as a hacker tool, that potentially could be misused. I would expect similar classification wording regarding UltraSurf, saying it COULD be used as an open proxy, and therefore it is classified as a risk, however that is not the case, they are showing TRUE virus/trojan files within UltraSurf.

Back to what is it really? Again I don't know, but my guess, and only my GUESS is this is a pretty elaborate scheme put together by a handful of hackers over the last few years. (I wouldn't be at all surprised to find out Holy Father is a part of this since he went underground and stopped development of HackerDefender in the same time frame, but again that is ONLY SPECULATION at best)

That is only my guess, but let me lend some thought as to why, or why not.

First, if this was a govt operation, I think it would be cleaner. I don't think it would have ever come up as a risk, I don't think they would use a virtual address, and I don't think the site would be as sloppy as it is. That's only why I think it's not, but there are plenty of reasons it still could be.

Second, I don't think this is the RIAA, or similar, for most of the same reasons. I could see the RIAA using a virtual address as a front, but I don't see the sloppiness in the site coming from them. That said, the disclaimer that they won't touch YOUR files, makes me suspicious, that it could be the RIAA or similar, only because they could say in prosecutions of copyright violation, "hey we never said it would report what you were doing, only that it wouldn't touch your files, and it didn't." But I just don't see this as an RIAA thing, but I could be very wrong. I see them further taking the route of working with p2p developers and ISP's to go after people. If you have kept up on that, the RIAA has made some tight pacts with ISP's as of late over monitoring p2p.

Those are the only real 3 suspects I see here, and to ME all roads point to a group of hackers, especially considering they encourage the use of banking sites on their service since it's "so secure." Also add to that, even tho this is purely conjecture, that if you google ultrasurf you will see HUNDREDS of blogs and forum posts of people who have suddenly found the answer to anonymous surfing. IMO those are all spam posts by the developer, because they all read almost dead on. Some of the blogs are written word for word the same, written in the first person, and by "different" people.

So, I have poured my fuel on the fire... If Steve's recommendation wasn't enough, maybe the suspect facts above will be. Or maybe it will just cause more guessing and speculation. But now you know, and knowing is half the battle...

TIN HATS UNITE!
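
The Agent.b write-up quoted in the post above describes listeners that open for about a second on one 1xxx port after another in ascending order. The following is an added example, not part of the thread or of any vendor's tooling, of how that "blinking" pattern could be picked out of listener open/close records; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (seconds, pid, port, event), as might be derived
# from periodic netstat snapshots or a host firewall log.
SAMPLE_EVENTS = [
    (0.0, 412, 445, "open"),                                   # long-lived, never closes
    (10.0, 3120, 1034, "open"), (11.0, 3120, 1034, "close"),
    (11.1, 3120, 1035, "open"), (12.0, 3120, 1035, "close"),
    (12.1, 3120, 1036, "open"), (13.1, 3120, 1036, "close"),
    (13.2, 3120, 1037, "open"), (14.1, 3120, 1037, "close"),
    (20.0, 2200, 1500, "open"), (500.0, 2200, 1500, "close"),  # long-lived service
    (30.0, 880, 1700, "open"), (30.5, 880, 1700, "close"),     # one-off short listener
]


def listener_lifetimes(events):
    """Pair open/close records into (pid, port, opened, closed) tuples."""
    pending, done = {}, []
    for ts, pid, port, kind in sorted(events):
        key = (pid, port)
        if kind == "open":
            pending[key] = ts
        elif kind == "close" and key in pending:
            done.append((pid, port, pending.pop(key), ts))
    return done


def longest_ascending_run(items, max_gap):
    """Longest run of listeners where each port is the previous port + 1
    and opens within max_gap seconds of the previous listener closing."""
    best, run = [], []
    for cur in sorted(items):
        if run and cur[2] == run[-1][2] + 1 and 0 <= cur[0] - run[-1][1] <= max_gap:
            run.append(cur)
        else:
            run = [cur]
        if len(run) > len(best):
            best = list(run)
    return best


def find_blinking_ports(events, lo=1000, hi=1999, max_life=2.0,
                        min_run=3, max_gap=2.0):
    """Return {pid: [ports]} for processes that cycle short-lived listeners
    through consecutive ascending ports in the lo..hi range."""
    per_pid = defaultdict(list)
    for pid, port, opened, closed in listener_lifetimes(events):
        if lo <= port <= hi and closed - opened <= max_life:
            per_pid[pid].append((opened, closed, port))
    findings = {}
    for pid, items in per_pid.items():
        run = longest_ascending_run(items, max_gap)
        if len(run) >= min_run:
            findings[pid] = [port for _, _, port in run]
    return findings


if __name__ == "__main__":
    for pid, ports in find_blinking_ports(SAMPLE_EVENTS).items():
        print(f"pid {pid}: short-lived listeners on ascending ports {ports}")
```

A single short-lived listener or a long-running service in the same range is ignored; only a sustained ascending sequence from one process is reported.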

Fly
March 26th, 2009, 04:57 PM
CaixFang, thank you for providing us with the above information.

I have a question about 'morphine'.

The ability to hide anything ? Attached to legit files ? (presumably also by drive-by downloads).

That seems serious. How well are the AV companies able to handle this ? And other antimalware software ? The way you describe it suggests they can do little to nothing.

Nebulus
March 26th, 2009, 05:31 PM
{QUOTE->
I have a question about 'morphine'.

The ability to hide anything ? Attached to legit files ? (presumably also by drive-by downloads).
<-QUOTE}

Morphine is nothing more than a polymorphic packer. It can be used to hide malicious code, so that AV can't recognize the signature. Also, Morphine is open source, so if anyone is interested he/she can see exactly what it does.

A quote from Morphine docs:
"Morphine is very unique application for PE files encryption. Unlike other PE encryptors and compressors Morphine includes own PE loader which enables it to put whole source image to the .text section of new PE file. This one is very powerful because you can compress source file with your favourite compressor like UPX and then encrypt its output with Morphine. Another powerful thing here is polymorphic engine which always creates absolutely different decryptor for the new PE file. This mean if your favourite trojan horse is detected by an antivirus you can encrypt it with Morphine. You will not get the virus alert again."

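The Morphine documentation quoted in the post above says the whole source image is encrypted and placed in the .text section of a new PE file, optionally after UPX compression. As an added example (not code from the thread or from Morphine), the sketch below shows a common way to spot that effect: measure the byte entropy of each section and flag executable sections that look like ciphertext. The 7.0 bits/byte threshold is an assumed heuristic, and the two PE images are minimal constructed layouts, not real programs.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off (bits per byte)

# Constructed inputs: a repetitive code-like pattern and deterministic
# pseudo-random bytes standing in for an encrypted payload.
PLAIN_CODE = bytes.fromhex("558bec83ec1090c3") * 512


def pseudo_random(n):
    """Deterministic high-entropy bytes built from SHA-256 of a counter."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Yield (name, characteristics, raw_bytes) for each PE section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                           # section table
    for i in range(n_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr, flags = hdr[3], hdr[4], hdr[9]
        yield name, flags, image[raw_ptr:raw_ptr + raw_size]


def build_sample_pe(text_bytes):
    """Assemble a minimal PE layout (constructed test input, not runnable)."""
    data_bytes = b"config=default\0" * 64
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    body = 64 + 4 + 20 + 2 * 40                              # first raw offset

    def section(name, blob, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000,
                           len(blob), ptr, 0, 0, 0, 0, flags)

    headers = (section(b".text", text_bytes, body, 0x60000020) +
               section(b".data", data_bytes, body + len(text_bytes), 0xC0000040))
    return dos + b"PE\0\0" + coff + headers + text_bytes + data_bytes


def suspicious_sections(image, threshold=ENTROPY_THRESHOLD):
    """Return [(name, entropy)] for UPX-named or high-entropy executable sections."""
    hits = []
    for name, flags, raw in pe_sections(image):
        entropy = shannon_entropy(raw)
        executable = bool(flags & IMAGE_SCN_MEM_EXECUTE)
        if name.startswith("UPX") or (executable and entropy >= threshold):
            hits.append((name, round(entropy, 2)))
    return hits


if __name__ == "__main__":
    print("plain :", suspicious_sections(build_sample_pe(PLAIN_CODE)))
    print("packed:", suspicious_sections(build_sample_pe(pseudo_random(4096))))
```

High entropy only indicates packing or encryption; legitimate software is packed too, so a hit is a reason to look closer rather than a verdict.
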
CaixFang
March 26th, 2009, 05:56 PM
{QUOTE-> CaixFang, thank you for providing us with the above information.

I have a question about 'morphine'.

The ability to hide anything ? Attached to legit files ? (presumably also by drive-by downloads).

That seems serious. How well are the AV companies able to handle this ? And other antimalware software ? The way you describe it suggests they can do little to nothing. <-QUOTE}

What nebulus said. (hey we agreed twice in one day!)

Morphine is not the risk, per se, it is what morphine is capable of covering, and executing, along with other apps. If you do some searching (sorry, no pointing it out to the scriptkids) you can find lots of interesting info on morphine. In fact, I believe there is a recent article about morphine and its use in malware.

There are plenty of components such as morphine out there, that when, bundled with an application, good or bad, can become VERY difficult to keep tabs on.

Morphine, not bad - the uses and applications of morphine, usually bad.

Morphine is to malware/viruses kind of like a ski mask is to a robbery. On its own, it's benign, but when you have gloves to cover finger prints, a ski mask to hide your face, camo clothes to blend in, sunglasses to cover your eyes, and a gun in your hand, it becomes dangerous. Morphine, and a ski mask, just help you cover up.

Also, don't freak out because this is the first time you've heard of it, and it can alter things to be undetectable to an AV. It's been around, and there are lots and lots of other tools similar, that all can be used for similar purposes. My inclusion of mention of morphine was NOT to cast a bad name to it, only to call out the abilities, and the level to which these people are going.

And in fairness, Nebulus gave a much better and precise rundown of morphine, I was actually thinking of morphine in conjunction with another app, that made a trojan nearly undetectable.

Searching_ _ _
March 28th, 2009, 04:41 PM
Well, I hope you "catch'em ridin dirty" in months and not years.

The suspense is too much. sigh

Thanks for at least warning people who may have tried it.

Have various jaw drop protection in place.

bonedriven
March 30th, 2009, 12:08 AM
I remember someone told me about Ultrasurf. It is a software made by an anti-chinese government organization (or so-called religion?) named Falun. The software used to have ads about itself. He said the server was in the USA. We were just talking about surfing forbidden sites.

I never touched it.

CaixFang
March 30th, 2009, 09:35 AM
It'll be interesting to see if this is it:
http://www.independent.co.uk/news/world/asia/china-linked-to-cyber-spy-network-1657045.html

I'm not going to say yes or no - that the 2 are related, but I wouldn't be surprised. Interestingly enough, I did a LOT of research on this (UltraSurf) Friday, and with the exception of the owner of ultrareach.com, all the names of involved people, and other domains related to ultrasurf all seem to be registered to people of Asian descent. THAT PROVES NOTHING, just interesting. Also interesting that the owner of ultrareach.com is registered to Alan Hill, but his cell phone number reverse look-ups to an Alan with an Asian last name (don't have it handy.)

Also of note, or just general info, ultrareach.com is Hosted in TX (either Houston or Dallas), the company behind ultrareach.com/ultrasurf is "Located in San Jose" but 99% of the related people and businesses I found with ties to this group are based out of Atlanta. Again, that proves nothing, I just found it interesting that they are so spread out....

lisavow
March 30th, 2009, 11:14 AM
Steve, thanks for the info!
Wow! I'm a keen user of the software.
I know many AVs detect it as malware. But I didn't care about it.
Ultrasurf can bypass many tough filters and firewalls and so can legitimate software like SoftEather and many AVs used to falsely detect it as malware. So, I thought it must be a FP, too.
Anyway, I just deleted the software. I use it to surf websites as my real IP is static and I want to hide it. I've never surfed any forbidden sites with it, because I'm not sure about the legality of accessing such a site (especially a regional blocked site, which many users use it for).
So, Steve, will you please tell me if I still need to be worried about it and what bad thing I have to expect? Since you mentioned something like “when the truth comes out your jaw will drop”, I can't sleep well.:'(

Nebulus
March 30th, 2009, 01:37 PM
{QUOTE->
So, Steve, will you please tell me if I still need to be worried about it and what bad thing I have to expect? Since you mentioned something like “when the truth comes out your jaw will drop”, I can't sleep well.:'( <-QUOTE}
I wouldn't worry too much. Steve is not the only one analyzing this software (other AV/antimalware corp did) and while they did find malicious behaviour, I would say that by carefully removing Ultrasurf, you don't have anything to worry about.

lisavow
March 31st, 2009, 04:16 AM
Nebulus, thanks for the response.:)

BTW, I agree with what you said earlier. Steve works for XeroBank, doesn't he? Don't they also provide paid VPN services?

Actually, Ultrasurf is the reason why I've never turned to paid VPN services.
Unlike the other alternatives, it is the only program that gives stable VPN connection and doesn't slow my net speed down at all.
Thus, since Ultrasurf provides the best performance I would expect for VPN software, I don't really need other paid options. So, I really hate to say this, but Ultrasurf looks like a threat to his products and I'm not sure if I should trust him on this.

I know that it's too good to be true that software like Ultrasurf is freeware. I've also read people here talking about a "honey pot". I use Ultrasurf to just surf anonymously. I don't do P2P, don't access forbidden sites and I don't do anything to hide. So, I don't think that I have to worry about it very much.

I also agree that the company behind it seems fishy, but so do most VPN providers.

I know that many AVs have detected Ultrasurf as malware. But, some AVs classify any program that performs something extraordinary as malware and have falsely given an alert to legitimate programs like AutoPatcher, Angry IP Scanner, HJT and some TCP patch to lift XP's connection limit, which is frequently mentioned in this forum (Sorry, I forgot the name).
Ultrasurf gets past firewalls, which might be considered malicious by some AVs and, in fact, was the reason why SoftEather was classified as malware. However, this behavior is one of the legitimate purposes for VPN.

Anyway, Steve's comments on Ultrasurf have scared me a lot and I will halt using it until I finish assessing this, but, actually, he hasn't told us anything concrete about it. I'm new here and I don't know him very well. As far as I read his other posts, he seems trustworthy. However, I also found he has bashed his competitors many times here and I don't see why he is suggestive this time.

I'd really like Steve to give us something concrete about it. Ultrasurf is too great and useful to give up and ditch because of FUD.

SteveTX
March 31st, 2009, 10:11 AM
Look at it this way, if I'm misleading you that would be very bad for my reputation and that of the company I work with, I have no incentive to harm myself in the long term for any short term gains, whatever they would be. I've clearly said use anything other than ultrasurf, I don't care if it is a xerobank product or not, so that should be allaying your concerns that it is commercially motivated. Just don't use ultrasurf, not for any reason, not even inside a virtual machine or sandbox.

CaixFang
March 31st, 2009, 11:35 AM
{QUOTE-> Nebulus, thanks for the response.:)

BTW, I agree with what you said earlier. Steve works for XeroBank, doesn't he? Don't they also provide paid VPN services?

Actually, Ultrasurf is the reason why I've never turned to paid VPN services.
Unlike the other alternatives, it is the only program that gives stable VPN connection and doesn't slow my net speed down at all.
Thus, since Ultrasurf provides the best performance I would expect for VPN software, I don't really need other paid options. So, I really hate to say this, but Ultrasurf looks like a threat to his products and I'm not sure if I should trust him on this.

I know that it's too good to be true that software like Ultrasurf is freeware. I've also read people here talking about a "honey pot". I use Ultrasurf to just surf anonymously. I don't do P2P, don't access forbidden sites and I don't do anything to hide. So, I don't think that I have to worry about it very much.

I also agree that the company behind it seems fishy, but so do most VPN providers.

I know that many AVs have detected Ultrasurf as malware. But, some AVs classify any program that performs something extraordinary as malware and have falsely given an alert to legitimate programs like AutoPatcher, Angry IP Scanner, HJT and some TCP patch to lift XP's connection limit, which is frequently mentioned in this forum (Sorry, I forgot the name).
Ultrasurf gets past firewalls, which might be considered malicious by some AVs and, in fact, was the reason why SoftEather was classified as malware. However, this behavior is one of the legitimate purposes for VPN.

Anyway, Steve's comments on Ultrasurf have scared me a lot and I will halt using it until I finish assessing this, but, actually, he hasn't told us anything concrete about it. I'm new here and I don't know him very well. As far as I read his other posts, he seems trustworthy. However, I also found he has bashed his competitors many times here and I don't see why he is suggestive this time.

I'd really like Steve to give us something concrete about it. Ultrasurf is too great and useful to give up and ditch because of FUD. <-QUOTE}

No offense, but are you drunk? The info I have provided ALONE should be enough to worry you.

As for Steve trying to run off competition, A) in the free market competition makes ALL products stronger, because you have to keep refining them to keep up and B) Steve could NEVER eradicate all the other options out there. There will ALWAYS be open proxies and other ways out. If he was trying to take someone down, I'd think he'd go after the TOR/JAP arena, since they are the largest of the options. He really has nothing to gain here, because if people are using US because it's FREE, then they will just switch to another FREE option, NOT turn to a paid service like XB.

It is VERIFIED that there are multiple virus types inside US. As I explained earlier, apps like AngryIP do NOT show as viruses, they show as possible hack tools. Those suspect apps NEVER have been reported to CONTAIN a virus, only to be trojan-esque when misused. And there are MULTIPLE verified reports of what viruses are inside US.

And let me make this clear, I DON'T use XB, never have, and I have ZERO stake in Steve's business - in fact, I could care less about them, I have a solution.

Take just the article I posted yesterday and read it. Even if that is NOT US, think of the possibilities if it IS, or something similar was. The POINT of an app like US is to protect your identity and information, not to harvest/use/steal/infect it.

FACT: There is something dirty going on with US. We (public) don't know what yet, but get rid of it.

I am going to go out on a limb here and say that within a month, you will be seeing a story on the news regarding US, or on your favorite news site/blog.

Get rid of it, and use something else for the time being. If it comes to pass that US is safe (which it won't) then you can go back to it, no problem. But if it comes out that they are stealing info and monitoring your usage, then that is a problem.

This is straight cost/benefit.
Cost to not use US=0 / Benefit=Safe from their dirty doings
Cost to use US=possible info/id theft / Benefit=0
Cost to not use US for now, but if proven clean, going back to it later=0 / Benefit=No possible info/id theft now and none in the future

NO BRAINER

BlueZannetti
March 31st, 2009, 11:40 AM
{QUOTE-> Ultrasurf is too great and useful to give up and ditch because of FUD. <-QUOTE}
There are times when it is best to take the advice offered and step away. This is one of those times.

If you choose to ignore the prudent advice already offered in this thread by SteveTX and others, understand that you've consciously made an active decision to own any and all downside consequences which may be suffered.

Blue

Nebulus
March 31st, 2009, 12:54 PM
{QUOTE-> Just don't use ultrasurf, not for any reason, not even inside a virtual machine or sandbox. <-QUOTE}
Can you please (at least) tell us what is the nature of the threat (system access, DoS, identity theft, traffic monitoring by the proxies, etc.)?

lisavow
March 31st, 2009, 02:25 PM
Sorry, I didn't realize that my comments sounded that offensive.:doubt:

As you can see, English is not my 1st language and I don't understand every nuance. I didn't expect and I'm very surprised and upset to receive such harsh responses to my last post. :'(

Like I said, I just wanted to get Steve to tell something concrete about it because what Steve is implying here has scared me a lot.

I made them a little provocative to draw such a comment from him as, although it seemed like he had ignored my first post and so he must have some difficulty in speaking about it, I really wanted to know what the threat really was.

Of course, I knew he can't tell a lie here for the reason he mentioned in his last post. I always respect and appreciate advice from experts, especially from ones who have disclosed the company they belong to and that's why I deleted Ultrasurf immediately after reading Steve's post.

Anyway, I'm assuming that the threat Steve is implying here is far more harmful and dangerous than what CaixFang suggested, which is still within the level of risk we have to assume once we decide to use a VPN or proxy and is something Steve is able to discuss about without any hesitation. Remember that Steve said something like our jaw would drop when the truth comes out. (I can't sleep well after I read it :'( ).

He must be suggesting something bigger... right, Steve? I would really appreciate it if you would give me something concrete on this, even just a hint. Is it something that I don't have to worry and can forget about after removing the program from my PC? Please give me an answer to this question at least so I can sleep!:)

P.S... Blue, I understand that my last comments were much more offensive than I thought. But, still, I think you should've also warned CaixFang. I've never seen someone who is this harsh in any forums. Does this forum allow a member to call the other "no brainier"? I'm very upset to get such a harsh remark.:'(

BlueZannetti
March 31st, 2009, 02:50 PM
{QUOTE-> P.S... Blue, I understand that my last comments were much more offensive than I thought. But, still, I think you should've also warned CaixFang. I've never seen someone who is this harsh in any forums. Does this forum allow a member to call the other "no brainier"? I'm very upset to get such a harsh remark.:'( <-QUOTE}
lisavow,

What you need to understand is that accusing someone of FUD spans the whole range from simply sowing innocuous seeds of doubt to outright lying. In the context of the current discussion, you are much closer to the latter end of the spectrum.

As for "no brainer", that's casual English regarding the decision process, not the person making the decision - as in the decision to not use Ultrasurf is a "no brainer", i.e. does not require much analysis to make based on current information.

Actually, you have very little reason to be upset.

Regards,

Blue

Judge Dee
March 31st, 2009, 03:02 PM
I would like to register my appreciation for an administrator weighing in on issues like this one. I have nowhere near the technical expertise of the majority of Wilders' posters and mods (just the love of computers).
Someone in my position would have no idea what to think or do after SteveTX's posts.
I really have to say thanks.
Also to CaixFang's excellent posts.

Best Regards

CaixFang
March 31st, 2009, 04:36 PM
{QUOTE->

P.S... Blue, I understand that my last comments were much more offensive than I thought. But, still, I think you should've also warned CaixFang. I've never seen someone who is this harsh in any forums. Does this forum allow a member to call the other "no brainier"? I'm very upset to get such a harsh remark.:'( <-QUOTE}

As mentioned above, my no brainer was NOT directed at you, and I sincerely apologize if you took offense to that, or any part of my post. No brainer was only directed to the cost/benefit scenario I laid out, as in, it doesn't take my analysis of that C/B to decide it's best to stay away from US at this point.

{QUOTE->
Can you please (at least) tell us what is the nature of the threat (system access, DoS, identity theft, traffic monitoring by the proxies, etc.)? <-QUOTE}

Based on my personal research, I am going to venture out to say it is going to be a fairly large enterprise of "cyber-criminals" mining and stealing sensitive data, both on the consumer and business level, and using that data for fraudulent profits.

On the lower end, or in conjunction with, I would expect some type of "botnet" to emerge from this. In fact possibly the fraudulent re-use of the stolen information may have been used via these other machines to cover their tracks using a RC backdoor in US.

Again, just my speculations, but that's where this is all leading me, the more I dig into it. I can't see this just being a PITA virus, if so details would be out by now, and if it was a much more vast issue [read: US Govt] I doubt Steve would have made mention or would ever be able to, either from not knowing, or being required to keep quiet.

My GUESS is Steve doesn't want to draw any more attention to this than he already has, because someone is still investigating this threat and they don't want to jeopardize the investigation, nor release panic to the general public if the people at US have not yet acted on what they have. I'm sure he will come out with more info when he can, or he never would have brought it up. I'm sure we will hear it here the night before it hits the local news! :argh:

lisavow
April 1st, 2009, 07:00 AM
Blue,
Thanks for the English lesson.:)
Well, I have many Americans around and they also agree with me.
As you know, "no brainier" has another meaning.
People usually focus on the 1st and the last sentence of a long article the most and if you look at the 1st and last sentence of the post only, it would look like something like "Are you drunk? ... No brainer". Also, look at the way he presented the word “NO BRAINER”. So, ...
Either way, I wrote the post in light of what CaixFang suggested (and I drew a different conclusion). I meant to mention that I didn't worry about it in the post. I mean, I said things like most I knew VPN providers were fishy, I don't have anything to hide in my Internet activities and some AVs might falsely classify it as malware.
BTW, I added the last sentence ("... because of FUD") to express my frustration that Steve wouldn't give us anything concrete about it even though he had scared us this much. I didn't mean that Steve's advice is FUD. I just wanted to indicate that it would look like it unless he gave us something specific with his accusation against his competitor or it would hurt his reputation.

CaixFang,
Never mind.:) I was so upset at that time. It was my mistake. Sorry.

lisavow
April 1st, 2009, 07:05 AM
FYI, I just found an interesting article ( h**p://jonsnetwork.com/2009/02/virustotal-ultrasurf-results/).
Again, I'm not saying that I don't trust Steve or Ultrasurf is not malicious. He might have found something different.
I also googled Falun. As a matter of fact, I was afraid that Steve is suggesting that Ultrasurf is a product made by an “evil cult.”
I don't think that Falun is an "evil cult". Many Americans, including Christians and human rights groups, are supporting them. The CCP has banned them in China for the same reason why they banned Christianity.
I see their motive for distributing software like Ultrasurf for free, as it looks difficult to access info about them from China. They also seem to have enough money and resource to distribute it for free.
I seriously doubt if an organization like them would distribute malware. I mean, if they do, they will lose a lot of support from Christians, human rights groups and Americans.
Anyway, it's just my opinion. I'm not supporting them or I'm not recommending Ultrasurf or anything. I'm no expert on this and I know so little about them. I got the above knowledge from a 10-minute Google search. I could be wrong.
They might be a real “evil cult”. Falun might be no Dalai Lama. The situation facing them might be far different from that facing Tibet. In fact, I saw the word “brainwash” during the search and Pat Robertson seems to be against them and call them a cult. Besides, I might be so brainwashed by the western media.::)
Also, I might just want to believe what I want to believe, as Ultrasurf is such excellent software that any free (and paid) alternatives, including Tor, JAP, I2P and Hotspot Shield, can't get anywhere near it performance wise.

Again, I'm not supporting or against them. Certainly I’m not recommending Ultrasurf. It's just my opinion based on my little research.

BlueZannetti
April 1st, 2009, 11:41 AM
{QUOTE-> BTW, I added the last sentence ("... because of FUD") to express my frustration that Steve wouldn't give us anything concrete about it even though he had scared us this much. I didn't mean that Steve's advice is FUD. I just wanted to indicate that it would look like it unless he gave us something specific with his accusation against his competitor or it would hurt his reputation. <-QUOTE}
lisavow,

A couple of points.... Let's stay focused on the technical and off other topics (Falun, etc.)
Steve actually did provide really all the info a user needs at the top of this thread:
{QUOTE-> As many of you are aware, there was a thread about dissecting Ultrasurf. We found significant malware behavior, and worst of all we found that ultrasurf promotes man in the middle attacks by allowing any ssl cert, even mismatched and self-signed certs and preventing the user from seeing a popup about it.

Ultrasurf is designed to be a free http proxy tool, and it is somewhat, but this is a cover for it to be a virus / malware that is nearly stealth and undetectable to normal virus scanners because of its heuristic avoidance and encrypted payloads. <-QUOTE}
Obviously, one can either believe or dismiss these comments. However, if you choose the latter, hopefully you would be able to develop your own detailed technical analysis of the situation and not simply rely on a google search.
Finally, as someone who's a rather disinterested party on this topic, what do I see if I simply download and fire up Ultrasurf right now.... You know, anyone can do this, there is nothing special involved. Well, I see a bunch of connections made on launch (no surprise there). However, look closer. The sites connected to are, to be blunt, somewhat disconcerting. Numerous government sites (primarily US based) and some are clearly of a technically sensitive nature. Commercial sites, mainly telecoms. Banking sites in a number of different countries, lots of banks. Other financial institutions. More banks. Connections to China and eastern EU. Is any of this an issue? You tell me. My own read - walk away.
Blue

CaixFang
April 1st, 2009, 12:44 PM
{QUOTE-> lisavow,

Finally, as someone who's a rather disinterested party on this topic, what do I see if I simply download and fire up Ultrasurf right now.... You know, anyone can do this, there is nothing special involved. Well, I see a bunch of connections made on launch (no surprise there). However, look closer. The sites connected to are, to be blunt, somewhat disconcerting. Numerous government sites (primarily US based) and some are clearly of a technically sensitive nature. Commercial sites, mainly telecoms. Banking sites in a number of different countries, lots of banks. Other financial institutions. More banks. Connections to China and eastern EU. Is any of this an issue? You tell me. My own read - walk away.
Blue <-QUOTE}

Thanks for the extra analysis. I was going to do the same, but I hadn't had a chance to yet, and I still may, and see if I can dig anything further up.

In light of the article I posted about the malware from China, what better way for China to find out what their people are doing than to provide a "proxy" service that actually monitors everything they do? Perfect trojan (in the historical sense) if I've ever heard of one.

This is the new age we live in...the CIA, FBI, NSA, etc all have groups designated to fight cyber crime because it is so much harder to track, and it's much more under the radar...

Chuck57
April 1st, 2009, 01:36 PM
{QUOTE-> lisavow,

A couple of points.... Let's stay focused on the technical and off other topics (Falun, etc.)
Steve actually did provide really all the info a user needs at the top of this thread: Obviously, one can either believe or dismiss these comments. However, if you choose the latter, hopefully you would be able to develop your own detailed technical analysis of the situation and not simply rely on a google search.
Finally, as someone who's a rather disinterested party on this topic, what do I see if I simply download and fire up Ultrasurf right now.... You know, anyone can do this, there is nothing special involved. Well, I see a bunch of connections made on launch (no surprise there). However, look closer. The sites connected to are, to be blunt, somewhat disconcerting. Numerous government sites (primarily US based) and some are clearly of a technically sensitive nature. Commercial sites, mainly telecoms. Banking sites in a number of different countries, lots of banks. Other financial institutions. More banks. Connections to China and eastern EU. Is any of this an issue? You tell me. My own read - walk away.
Blue <-QUOTE}

First, let me state that I haven't tried Ultrasurf. I've never tried any type of proxy server, so am fairly unfamiliar with how they work. I know people who use them and I've yet to run into any that use US Govt sites.

Having two and a half decades of Govt service, I can state with some authority that it wouldn't go unnoticed, or be allowed without Govt knowledge. That alone ought to be enough to make anybody suspicious.

Steve can answer this with more knowledge than me, but given that Govt knows a proxy is running through their site, can't they monitor it such as follow the user to various sites or, maybe use it for other things we aren't even aware of?

kareldjag
April 1st, 2009, 07:53 PM
If there is an interest conflict for SteveTX, I post here only for the application of "my independent vision of security signature".
Seriously, I have no motivation for doing a network forensic analysis of Ultrasurf (2 hours minimum) and then confirm or not what was said.
As far as I know there are virus researchers in this area, and it's firstly the job of antimalware vendors.
As an anti-censorship proxy tool, U is designed to bypass web and firewall filtering, and then uses tunneling methods, perhaps via DNS but as said above I've not verified.
Moreover, this tool has existed since 2006; does it mean that all antivirus vendors and analysts are totally incompetent?
The terminology malware is excessive, and the behavior impact on the local host is much more important than the claimed MITM client/server attacks.
Of course as a proxy tool, it is an unwanted or riskware program in any corporate environment (as a portable pgm, it can be stored on a non access restricted mail box).
But I have taken a quick look at it in a static analysis way, and affirmations about Morphine are totally wrong for the three previous versions (094/093/092).
By looking at the entry point section, I have noticed that it might be packed by VMProtect, a powerful antipiracy soft from Russia.
So I ran firstly some detectors, and for a more accurate verdict, I have packed a safe tool to verify if it was not false positives.
Conclusion: Ultrasurf is certainly packed with VMProtect. But as I am not expert in reversing and disassembling, I also might be wrong...
It has been said that U devs play a cat and mouse game to make their pgm more effective and stealth.
And packing or the backdoor classification of one antivirus is not enough for claiming that this file is a malware.
There is a serious need of more substantial material.

A few googling results that might help:
Already included in Sophos filtering database
http://www.sophos.fr/security/analyses/controlled-applications/ultrasurf.html
Are online scans fully trusted...not always...let's check Hopster, another similar tool and Avira will detect it as a trojan...
http://jonsnetwork.com/2009/02/virustotal-ultrasurf-results/
Some vendors take advantage of their anti Ultrasurf solutions
http://blog.zemana.com/2009/01/zemana-anti-ultrasurf.html
http://www.astaro.com/newsroom/press_releases/astaro_7_4_defeats_ultrasurf

That's all for my concern.
rgds
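
The kind of entry-point check described in the post above, as an added example that is not part of the original post or any poster's tooling: it parses a PE header, finds the section holding the entry point, and compares a constructed plain sample against a constructed packed-like one, the same control comparison the post uses to rule out false positives. The section names, the 7.0 entropy threshold and both sample images are assumptions made for the illustration; a flag here points to packing or protection, not to malice.

```python
import hashlib
import math
import struct

# Assumptions for this illustration, not values taken from the thread.
USUAL_ENTRY_SECTIONS = {".text", "CODE", ".code"}
ENTROPY_THRESHOLD = 7.0          # bits per byte; compressed/encrypted data sits near 8
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Return (entry point RVA, list of section dicts) from a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        (flags,) = struct.unpack_from("<I", image, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr,
            "rsize": rsize, "rptr": rptr, "flags": flags,
        })
    return entry_rva, sections


def assess_entry_section(image):
    """Describe the section that contains the entry point and why it looks packed."""
    entry_rva, sections = parse_sections(image)
    for s in sections:
        span = max(s["vsize"], s["rsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            raw = image[s["rptr"]:s["rptr"] + s["rsize"]]
            entropy = shannon_entropy(raw)
            reasons = []
            if s["name"] not in USUAL_ENTRY_SECTIONS:
                reasons.append("unusual section name")
            if entropy > ENTROPY_THRESHOLD:
                reasons.append("high entropy")
            if s["flags"] & MEM_WRITE and s["flags"] & MEM_EXECUTE:
                reasons.append("writable and executable")
            return {"section": s["name"], "entropy": round(entropy, 2), "reasons": reasons}
    return {"section": None, "entropy": 0.0, "reasons": ["entry point outside every section"]}


def build_sample(section_name, body, flags):
    """Constructed PE32-shaped image (headers plus one section); not a runnable program."""
    pe_off, opt_size, raw_ptr, rva = 0x40, 0xE0, 0x200, 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(body), 0, 0, rva + 0x10)
    opt = opt.ljust(opt_size, b"\0")
    sec = struct.pack("<8sIIIIIIHHI", section_name.encode(), len(body), rva,
                      len(body), raw_ptr, 0, 0, 0, 0, flags)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers.ljust(raw_ptr, b"\0") + body


# Constructed control sample: repetitive, code-like bytes in a conventional .text section.
PLAIN = build_sample(".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 512,
                     MEM_EXECUTE | MEM_READ)
# Constructed packed-like sample: pseudo-random bytes in an oddly named RWX section.
RANDOM_BODY = b"".join(hashlib.sha256(struct.pack("<I", i)).digest() for i in range(128))
PACKED_LIKE = build_sample(".xyz0", RANDOM_BODY, MEM_EXECUTE | MEM_READ | MEM_WRITE)

if __name__ == "__main__":
    for label, img in (("plain", PLAIN), ("packed-like", PACKED_LIKE)):
        print(label, assess_entry_section(img))
```
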

Nebulus
April 2nd, 2009, 04:36 AM
For the ones interested about the behavior of Ultrasurf, here is the Anubis analysis: http://anubis.iseclab.org/?action=result&task_id=116b9569dd96c27a4d9c4ae58c95be3e5

Fly
April 2nd, 2009, 08:11 AM
More posts, more questions.

kasperking
April 2nd, 2009, 11:42 AM
Well, I am a student so expensive vpn are way beyond... tor, jap are way too slow and now freebies are proven to be malware... what can I use...? thanx

Fly
April 2nd, 2009, 04:55 PM
{QUOTE-> Well, I am a student so expensive vpn are way beyond... tor, jap are way too slow and now freebies are proven to be malware... what can I use...? thanx <-QUOTE}

Sorry, probably nothing !

You may be able to find an obscure anonymity/privacy service, but how would you know if it's 'clean' ?

Nothing is truly for free.

SteveTX
April 2nd, 2009, 08:29 PM
Are you familiar with TINSTAAFL? It is something covered in first year accounting, finance, and business at universities. It means "There is no such thing as a free lunch" so someone is always paying for it. If it is free it sucks, if it is cheap, it is cheap, if it is costly there is a chance it is valuable. Seek your equilibrium. You may want a crap service like Relakks because it is $7/m. If you want something faster, you can use ShadowVPN for $10/month or perhaps Stunnel. For the strongest you could do kryptohippie ($300+?/yr) or xerobank ($35/m).

Warlockz
April 2nd, 2009, 10:03 PM
{QUOTE-> If it is free it sucks <-QUOTE}
Ah man, now I gotta uninstall all the free software that provides a free service ;)

Ultrasurf is a fast alternative to jap for people to get past the Internet Censorship they may have in their country, nothing more nothing less, No it wasn't designed to hide your activities, as a paid service does, but merely get you past the censorship, It sucks anyways because even Ultrasurf censors some of the sites you visit! Stupid thing doesn't even work with rapidshare either. EDIT: I call Ultrasurf FailWare when it comes to privacy!

I would choose ShadowVPN or Xerobank over Ultrasurf any day, that is if I didn't know what a proxy or a proxy judge was........ProxyFire..Plox.....

lisavow
April 3rd, 2009, 09:52 AM
Blue,

I don't understand why you are always so mean to me. Why do you give me a warning whenever I say something here? Why do you give it to me only? I can't see any difference b/w my research and CaixFang's investigation to identify the guys behind Ultrasurf (CaixFang, sorry to bring it up, but no offense plz ;) ).

Also, I wonder why you think “Falun” stuff is OT here? Did you read bonedriven's post? According to the post, “Falun” ARE the guys behind Ultrasurf.

OK, you might be right. Although I still don't agree that it's OT, it seems like I shouldn't have brought “Falun” stuff up. It just obscured my point.

What I really wanted to say is as follows:

I'm very interested in why Steve is being so quiet on this. Since he is always vocal about this kind of topic, I don't think that the threat he is implying here is as trivial as some have indicated here. It must be something bigger, like an organized crime or terrorist conspiracy level of threat. You may laugh at me, but remember: he said it would be jaw-dropping horrible, and, since his company provides VPN service, he should know how paranoid legit VPN users like me, who use a VPN to just surf anonymously, are.

IMO, it's very irresponsible that an expert like him just scared a novice user like me this much (I haven't slept well since I first saw this thread. How many times do I have to say this?), but he wouldn't give anything specific about the threat and has ignored our questions like whether or not we should still be worried even after removing it from our PC or what the nature of the threat is. In case you have missed them, here they are:
{QUOTE-> He must be suggesting something bigger... right, Steve? I would really appreciate it if you would give me something concrete on this, even just a hint. Is it something that I don't have to worry and can forget about after removing the program from my PC? Please give me an answer to this question at least so I can sleep!:) <-QUOTE}
{QUOTE-> Can you please (at least) tell us what is the nature of the threat (system access, DoS, identity theft, traffic monitoring by the proxies, etc.)? <-QUOTE}
Thus, I believe we made our questions as easy to answer as possible.
I don't understand why he keeps ignoring those questions. I’m beginning to suspect that …

kareldjag,
Thanks for your post. That's exactly what I wanted to mention but forgot to.
Like you said, this software has been around quite a while, now. AV vendors have been aware of it for a long time. In fact, many of them used to identify it as malware. However, most of them have removed it from their DBs now, which seems to me that they modified the FPs.
Behavior trying to bypass security restrictions could be a nightmare for network admins and so could be classified malicious but it is beneficial for legit anti-censorship/anonymous web users like those in China.

Nebulus,
Thanks for the info. The report seems to indicate Ultrasurf as malware. But, I'm no expert and I don't know how to read it. Is this result so terrifying that we would drop our jaw? Do you see why Steve cannot discuss it here? How about the results of Tor or JAP? I wish it would be what Steve is suggesting. :-\ But, I have a feeling that Steve is suggesting something bigger and I don't think AV vendors are not so incompetent.

lisavow
April 3rd, 2009, 10:07 AM
Steve,
Are you promoting your products after all?:argh:
If you care about your and your company's reputation, you had better give us something specific about the threat, Really.
You implied something to scare us off your competitor's product and didn't say anything specific about it.
Plus, you are usually very vocal (even overtalk and don't mind trashing them) when you blast your competitors. Why not this time?
You said you have a lot of proofs, and you said he can't say anything about them for now, months, or even years... Maybe forever, right? Seems like you have nothing!

If you hadn't disclosed the company he belongs to, I wouldn't have taken your accusation against Ultrasurf seriously at all. But, it is the only reason why I'm concerned about Ultrasurf.

Unlike some other users, I care little about things already pointed out here. I use Ultrasurf only because I want to be “nobody” while browsing my frequently visited websites. I care less about gov't agencies as I don't have anything to hide. I don't care very much if they are gathering user's info as I don't store any personal info on my PC, don't do online banking and I use Live CD Linux whenever I need to shop online.
BTW, wasn't Tor originally developed by the US Navy? Wasn't JAP backdoored by the German Police? Have you let WGA stay on your PC while suspecting that it might be sending your personal info back to MS?
Anyway, I don't care if a small number of (minor?) AVs have STILL detected it as malware for the reason I mentioned above.

So, your accusation is the only thing indicating that Ultrasurf might be a threat to me. It is all I have. I think it is very weak. Since you wouldn't give us anything to support the accusation, wouldn't tell us anything specific about what the threat really is, and wouldn't answer our questions at all (We made them really easy to answer. I can imagine not a single reason why you can't), I'm beginning to feel that I might actually have nothing and I might fear something that doesn't really exist. It's too weak to ditch such software that has worked great for me for a long time (AFAIC, Ultrasurf works excellent performance wise. I hate to say this, but I'm assuming that it must be better than your product), while I know little about you. Besides, the thing I am relying on to decide to ditch the excellent tool is this weak and now you are promoting your products, it looks to me like total … (Oops, I'd better stop here, since a mod seems to have it in for me :gack: ).

….....

I want to thank Steve and those responding to my posts in advance (I'm sure that Steve will answer our questions this time;) ), in case I don't come back and post here again.

I guess this is my last visit here, because, firstly, I realized that I had repeated myself over and over and over again, which has wasted a lot of my (and your?) time and resources of this forum.

The second, and bigger, reason is because a mod here seems to have it in for me. It's very difficult to stay in their forum, if a forum admin or mod hates you (when you are a newbie there in particular).
Also, I'm sick and tired of getting a warning whenever I post something here. I don't understand why I'm the only one in this thread who has received a warning. I'm not saying that I think that somebody else also should've gotten a warning. I just feel it's unfair that I've gotten many warnings while anyone else hasn't (especially when someone has called his competitor “crap”). I don't see any difference b/w my posts and the others.
Plus, it seems that the mod and I cannot communicate with and understand each other well. I really didn't understand why the mod was making such a big deal out of just an additional sentence to express how I was frustrated that Steve was ignoring our questions (even though he had scared us a lot). The reason why I had to repeat myself over and over again here came from the fear that the mod would misunderstand me again.

I've also seen the word “FUD” used in this forum many times (Actually, I learned the word here), but I had never seen a warning issued for it. So, why can't I use the word as everyone else in this forum does? Why did the mod blame me for using the word in the first place? Look at what Steve has done and hasn't done here. Doesn't that exactly fit the definition of the word? Yet, I didn't say that Steve's accusation is “FUD”. I just pointed out to Steve that it would look like it unless he did what I had requested.

I think that's all I wanted to say. I doubt this post will stay up long:doubt: . I have a feeling that I will be banned soon. So, if I want to come back and post something here again, I might need Ultrasurf.:P

PS: In case you misunderstand me, I'm not trying to convince you guys that Ultrasurf is not malware or Steve is wrong or anything. In fact, Ultrasurf looks like real malware (I still might want it, as I love to use Chrome, though). I'd just like Steve to give us something concrete about his accusation against Ultrasurf, particularly about what the threat really is, and to answer our questions.

Warlockz
April 3rd, 2009, 10:12 AM
{QUOTE-> he should know how paranoid legit VPN users like me, who use a VPN to just surf anonymously, are.

IMO, it's very irresponsible that an expert like him just scared a novice user like me this much (I haven't slept well since I first saw this thread. How many times do I have to say this?), <-QUOTE}

There's no need to be all paranoid about anything if you used it how you're implying in your posts, I think if they were going to steal your passwords they would have already done it, there's probably 10s of thousands of people using it, but as with any VPN provider, if you're using it for illegal purposes, yes you should be paranoid!

But you're just a legit user so you shouldn't have anything to worry about!
{QUOTE->
Ultrasurf looks like real malware <-QUOTE}

And no Ultrasurf is not Malware! It simply comes up as a false positive in retarded AV software that always calls False positives!

{Edit - Virustotal snapshot removed as per site policy (http://www.wilderssecurity.com/showthread.php?t=180057). Suffice it to note that currently a minority of AV products flag Ultrasurf as malicious and half of those flags are of an "unwanted program" nature - Blue}

lisavow
April 3rd, 2009, 10:32 AM
I saw Warlockz's post before logging off. This is really my last post, sorry;).

Warlockz,
Thanks for your reply.
{QUOTE-> There's no need to be all paranoid about anything if you used it how you're implying in your posts, I think if they were going to steal your passwords they would have already done it, there's probably 10s of thousands of people using it, but as with any VPN provider, if you're using it for illegal purposes, yes you should be paranoid!
But you're just a legit user so you shouldn't have anything to worry about!
...
And no Ultrasurf is not Malware! It simply comes up as a false positive in retarded AV software that always calls False positives! <-QUOTE}
This is exactly what I was trying to say! That's why I still want to use it if the threat Steve is suggesting is what other people have already pointed out here.

Warlockz
April 3rd, 2009, 10:37 AM
{QUOTE-> There is no shortage of proof. Lots and lots of it, video, wireshark logs, and more, and we'll release it when it is appropriate. They are not competition, they are a freeware non-commercial http proxy program that is actually malware. Even tor is better than using ultrasurf. I'm not concerned about credibility here, there is more at stake than that. Just stop using the software if you are using it, any alternative is better. Just sit tight, and have a little faith, I've never steered you wrong yet, and when the truth comes out your jaw will drop. <-QUOTE}

He said he will post this proof "There is no shortage of proof" is what he said? when it is appropriate, as you see in his quoted message, I wonder what's taking so long?

If you are going to continue using it, just don't use it to log into your important accounts, if the accounts even let you log in while using it? But you may want to wait, just because nothing happened before, doesn't mean nothing will happen in the future, so just hold your horses, and have a little patience, as he said he was going to post the proof of his accusations when it is appropriate!

Plus he didn't say stop using Ultrasurf and get Xerobank now, he said any alternative is better, so no he is not dissing Ultrasurf to advertise Xerobank!

SteveTX
April 3rd, 2009, 10:49 AM
I apologize that I am unable to provide you more information at this time, especially since I am a full-disclosure kind of guy. I continue to stand by what I've said, 100%: uninstall, erase it, do not run it even in a virtual machine. If you know anyone else using it, tell them to do the same. I cannot stress the severity enough. Suitable free substitutes are tor browser, xb browser, jondo browser, torvm, janusvm, xb machine, and you should always use https.

Chuck57
April 3rd, 2009, 01:11 PM
{QUOTE-> I apologize that I am unable to provide you more information at this time, especially since I am a full-disclosure kind of guy. I continue to stand by what I've said, 100%: uninstall, erase it, do not run it even in a virtual machine. If you know anyone else using it, tell them to do the same. I cannot stress the severity enough. Suitable free substitutes are tor browser, xb browser, jondo browser, torvm, janusvm, xb machine, and you should always use https. <-QUOTE}

When people say things like this, it tends to reinforce my suspicion that there's something else going on than just some little ol' malware that might wreck your drive.

As I said, I've never used a proxy. Comments like the above make me want to just to see what might happen. Maybe I'll be visited by a couple of guys all dressed in black. Steve, no explanation necessary, but if I'm even close to being on the right track, how about just a 'nope' or 'maybe.'

Warlockz
April 3rd, 2009, 01:28 PM
{QUOTE-> When people say things like this, it tends to reinforce my suspicion that there's something else going on than just some little ol' malware that might wreck your drive. <-QUOTE}

Seriously, it seems as though some kind of gag order has come into play in this matter, what's the big secret people don't want us to know about Ultrasurf?

I don't use Ultrasurf, but yes I'm very interested in where this conversation is heading!

Chuck57
April 3rd, 2009, 01:39 PM
You and me both, Warlockz. I admit to maybe being too suspicious at times and a conspiracy theorist in some areas.

The fact that SteveTX comes here and says he cannot tell us why Ultrasurf needs to be removed, but it's imperative that anyone using ultrasurf needs to get rid of it like, yesterday. It says (to me) that there probably isn't malware in it. I think you and others have found that to be true.

Well, if there's no malware attached, what's the danger?

Nebulus
April 3rd, 2009, 02:31 PM
{QUOTE-> I continue to stand by what I've said, 100%: uninstall, erase it, do not run it even in a virtual machine. <-QUOTE}
If this information is accurate (I'm not saying Steve is not telling the truth, just that he might be wrong - we are humans, after all :) ), then the danger of Ultrasurf is not that it contains malware. From what I saw, and from Anubis analysis, there is no behaviour that would pose any problem when running inside a VM. All that remains is the software's communication with the outside, which can give away information about you, connect with dangerous sites, report your browsing, and so on. That in itself should be reason enough to stop using Ultrasurf, but to be blunt, I don't like when somebody comes and says you shouldn't run a piece of software because (unknown) bad things will happen.

Searching_ _ _
April 3rd, 2009, 02:51 PM
Is the Device access, Physical drive 0, NetBios, AFD indicative of malware activity?

Nebulus
April 3rd, 2009, 03:16 PM
{QUOTE-> Is the Device access, Physical drive 0, NetBios, AFD indicative of malware activity? <-QUOTE}
Physical drive access is somehow related to SMART HDD parameters. Beats me why a piece of software would query a disk for its SMART params, but I wouldn't qualify it as malware behaviour without more information. NetBIOS and AFD are normal for a program that is accessing and manipulating network params like Ultrasurf is doing. That alone can't be a definitive proof of malware intent.

Chuck57
April 3rd, 2009, 03:33 PM
As far as I'm concerned, just the fact that Ultrasurf is hopping through a lot of banks and govt sites is enough to keep me away from it.

It isn't that I don't trust my govt, but I don't trust my government.

Secondly, I don't want some agents of that entity knocking on my door and asking what I was doing snooping around this or that bank, or prowling through this or that Government site.

Finally, no government can be happy with the Internet. There is too much freedom. Part of every govt's function is control. When a billion people can talk and interact, it causes problems. It's similar to fraternizing with the enemy in time of war, and why soldiers are forbidden to do so. If you get to know your enemy, you might not want to fight him. You might realize it's the governments, not the people, who are the real enemies.

So, is there something in Ultrasurf that lets them watch, if they choose, where you go and what you do or say while in proxy? The makers of Ultrasurf seem pretty well funded. Where does the money come from?

Woody777
April 3rd, 2009, 06:47 PM
Just search "UltraSurf is malware" on Google. There are now 3 references to the behavior of this proxy. Prevx describes it as a trojan downloader, it obscures, makes changes to your cache & disk. It seems to be extremely dangerous. Trend Micro & Sophos also are calling it out as malware. Do what Steve is urging: GET RID OF IT. One description is telling it establishes itself as a HoneyPot and seems to transmit what it finds to Governments.

Searching_ _ _
April 3rd, 2009, 09:01 PM
Who can you trust if you can't trust Softpedia!

{QUOTE-> Softpedia guarantees that UltraSurf 9.4 is 100% CLEAN, which means it does not contain any form of malware, including spyware, viruses, trojans and backdoors. <-QUOTE}

SteveTX
April 3rd, 2009, 09:18 PM
Ha! If they are guaranteeing it, I would definitely like to know what you get if they are wrong. :)

Warlockz
April 4th, 2009, 01:17 AM
{QUOTE-> Who can you trust if you can't trust Softpedia! <-QUOTE}

Softpedia guarantees just about every software known to the Internets, they're nothing but a large Free Downloads Encyclopedia of over 500,000 free and free-to-try software, they base their guarantee on a simple scan with a virus scanner, No they do not go into deep investigation like the users here do!

badjoey
April 4th, 2009, 04:17 AM
I have been sitting back and watching as you guys argue over whether or not this software is malware or something worse, and I personally think it is very reckless and unprofessional for someone like Steve to claim that this software is really bad and everyone should stop using it, especially without any proof. And to tell everyone to trust him and give it time and all will be revealed is a load of BS as far as I am concerned, cause I have used US off and on for the last 6 months and monitored its behaviour and have never had a problem with it. Mind you, I would never use a free proxy to access my bank or credit card info, but for just basic surfing needs I think it is more than fine. Also, if you really want to hide yourself, I have found you can run US thru either a PPTP VPN or OpenVPN, which would give you further protection in case some govt or group of hackers was trying to use you as part of a botnet or some clandestine conspiracy. Whoever runs US would only see the IP of the VPN you are connecting to, and to trace that would take a gargantuan effort that most people would not even bother. Same goes for most govts: unless they have tied you to terrorism or a massive kiddie porn ring, you have nothing to worry about, people. And if you are using a free product like US to do illegal things, well, then you should be worried. Honestly, if you are going to do illegal stuff on the internet, be smarter and always be running multiple proxies and VPNs together. This way it will be very hard for any one person or agency to track you down.

Keller
April 5th, 2009, 04:50 AM
{QUOTE-> Leo's tool for tracking deviants? How is he by the way? <-QUOTE}

Can someone elaborate on this please?

Chuck57
April 5th, 2009, 01:07 PM
{QUOTE-> I have been sitting back and watching as you guys argue over whether or not this software is malware or something worse, and I personally think it is very reckless and unprofessional for someone like Steve to claim that this software is really bad and everyone should stop using it, especially without any proof. And to tell everyone to trust him and give it time and all will be revealed is a load of BS as far as I am concerned, cause I have used US off and on for the last 6 months and monitored its behaviour and have never had a problem with it. Mind you, I would never use a free proxy to access my bank or credit card info, but for just basic surfing needs I think it is more than fine. Also, if you really want to hide yourself, I have found you can run US thru either a PPTP VPN or OpenVPN, which would give you further protection in case some govt or group of hackers was trying to use you as part of a botnet or some clandestine conspiracy. Whoever runs US would only see the IP of the VPN you are connecting to, and to trace that would take a gargantuan effort that most people would not even bother. Same goes for most govts: unless they have tied you to terrorism or a massive kiddie porn ring, you have nothing to worry about, people. And if you are using a free product like US to do illegal things, well, then you should be worried. Honestly, if you are going to do illegal stuff on the internet, be smarter and always be running multiple proxies and VPNs together. This way it will be very hard for any one person or agency to track you down. <-QUOTE}

That's a mantra I've heard too many times in my life. "If you aren't doing anything wrong, you have nothing to worry about." Usually, it's the Govt saying it, but I'm seeing it used by a lot of people these days.

I don't use proxies. If I did, I'd be using them for a reason, and I wouldn't want anybody seeing where I went - whether a warez site to steal software or music, to harass some person I don't like on a site, or something else.

It's kind of like sitting in your home talking on the phone, but suspecting somebody could be listening in. "Well, as long as you don't talk about anything bad, why should you care.........

It's called the Right to Privacy. It's why governments all over hate things like PGP and similar software. They can't break it. They don't like you, me or anybody else being able to talk to someone else without them being able to know what is said.

CaixFang
April 6th, 2009, 10:35 AM
Enough freaking bickering already people. There are clearly 2 sides here, those who think it's dangerous and think everyone should stay away, and those who, without concrete proof, in hand, will continue to believe it's not bad, or can't be any worse, or have nothing to lose.

Draw your lines where you want people, that's fine. But we don't need to argue about it. Providing [incidental] proof to either side makes for a good thread, but the ad nauseam bickering about the same proxy debates really have no value.

Independent of Steve's statement you have some information to look at, and make your own choice. At the least, take his statement out, do some research, and decide for yourself, but don't come back later crying if something does go wrong.

To me it is very clear why Steve will not or cannot say anything, either he is under order not to, or there is an ongoing investigation to which he is a part of or has inside knowledge of, and cannot speak details to jeopardize that.

Ironically, THAT is what bothers me the most, is if Steve has all these details, logs, etc, then how much monitoring is XB doing on their service to see these details...maybe, because of his company's standing, and knowledge in this area he was asked to help and analyze stuff, hopefully outside his network, but my biggest concern is did XB discover something about US via their system, and if so, how much data are they keeping/watching to have found out what US was up to.

I wanted to wait until all the info came out on US to pose that question, but at this point, I'm getting more and more curious, esp if XB is now working in cooperation with LE on this subject, and how are they cooperating in relation to XB's services.....

SteveTX
April 6th, 2009, 11:16 AM
No worries. This issue with ultrasurf is unrelated and doesn't pose the slightest threat to the integrity of xb or its clients; and nothing could dissuade me from taking action if that were the case. ;)

badjoey
April 6th, 2009, 03:12 PM
Well, you see, that is of a big concern to me and should be for anyone using Xerobank. If you look at the website, Steve and his company specifically state that they deal 3 a lot of 3 letter govt agencies, and these contracts with these 3 letter govt agencies are probably worth millions of dollars, and that is why they can afford to offer one month for 1 to all us joeblows. But if one of these 3 letter agencies goes to Steve or Xerobank and wants info on some joeblow paying 35/month, who do you honestly think Xerobank is going to side with? You, or a 3 letter govt agency paying them millions of dollars? I don't know about the rest of you, but this is a little too much to just dismiss as coincidence that he and Xerobank work so closely with the US govt.
And back to the US thing: I myself have been part of several major investigations, and if any major investigation into US was going on, Steve would not even be able to warn us, because by doing so he would also be warning the people involved in the investigation, and that could seriously jeopardize the feds' investigation. They would strictly forbid him or anyone involved in the investigation from talking until charges were laid or they themselves made an announcement. Common sense, people, think about it.

Searching_ _ _
April 7th, 2009, 03:55 AM
Steve has talent, knowledge and access. Who wouldn't in his situation, leverage their position to offer a service that fulfills a need for a profit.

Get in where you fit in!

Did they fill in the missing large primes yet?

Fly
April 7th, 2009, 04:02 PM
Would this perhaps relate to this Ultrasurf issue ?

http://www.nydailynews.com/news/2009/04/07/2009-04-07_iranian_nuke_plot_vaporized_in_the_city_-2.html

My jaw didn't drop, btw. ;)

LockBox
April 7th, 2009, 06:50 PM
I think your answer lies in the fact that UltraSurf itself is on the up and up but has possibly been compromised by the government of the People's Republic of China. UltraSurf is one of 3 services that belong to the Global Internet Freedom Consortium. The other two being Dynaweb and Garden. Apparently one has been known to have been compromised and it's a constant hacking war to keep these three services providing a free-flow of information in and out of China.

Just posted hours ago from a VERY long article in the Asia Times:

------------

The most widely-used facilities are Dynaweb, Garden and Ultra Surf. These services coordinate their offerings through the Global Internet Freedom Consortium (GIFC), a group that receives some US government funding and is apparently run by friends of Falungong, the outlawed and extremely tech-savvy Chinese religious group-cum-political movement.

The three services gleefully run a never-ending Spy vs Spy war with the Chinese cybercops, continually flooding the zone with new Internet Protocol (IP) addresses - a computer's identification number on a network - that their users (and the Chinese security organizations that inevitably participate in the service) link to with a "tunnel discovery agent" in order to connect to proxy servers - a computer system or application program that acts as a go-between - before the Chinese government shuts them down.

They count VOA and RFA as their clients and proudly state that the service has never been interrupted.

But, in the case of gh0st RAT, maybe score this round to China. In its own analysis of the computer security travails of the Tibetan emigre community, "Snooping Dragon", the University of Cambridge reported [3] that the China hackers availed themselves of Dynaweb's facilities:

However, after a while, we saw a number of accesses through Dynaweb - a set of anonymization proxy servers associated with the Falungong religious movement, which is also detested by the government of China. We are at a loss how to explain this. Perhaps the Chinese detected the start of our clean-up operation and decided to hint that they had compromised Dynaweb - whether to deter people from using it, or to deter the US government from funding it? We just have no idea.

----------------

I would suggest that after Steve and Kyle's discoveries, it appears that UltraSurf (as well as Dynaweb) has also been compromised. The above article, in its complete form can be found at The Asia Times here http://www.atimes.com/atimes/China/KD08Ad01.html Note there are two pages and you must go from page one - two, there is no "one page view". It is absolutely fascinating reading.

The article makes it clear UltraSurf is one of the "good guys" (even partly funded by the U.S. government).

caspian
April 7th, 2009, 10:35 PM
{QUOTE-> That's a mantra I've heard too many times in my life. "If you aren't doing anything wrong, you have nothing to worry about." <-QUOTE}

Here is my response to them. "If you aren't up to anything illegal or malicious or un-American, then you won't mind showing me a little respect and not invading my personal space without cause".

caspian
April 7th, 2009, 10:57 PM
{QUOTE-> if you look at the website, Steve and his company specifically state that they deal 3 a lot of 3 letter govt agencies, and these contracts with these 3 letter govt agencies are probably worth millions of dollars <-QUOTE}

Hell if I had a superior product to offer, I would be more than happy to take their money. It doesn't bother me in the least that Xerobank offers protection for government agencies. I care about my country. And although I disapprove of some of the things that are going on, I am thankful to live in the country that I live in, and I am more than a little determined to create change from within....in my own humble way..

And as far as Steve's integrity as a human being? I honestly believe that he (and many of his friends, Hacktivismo, CDC etc) care about human rights and basic human decency. And I think that they definitely value diversity and individuality. That weighs VERY heavily with me. And I also think that he is very serious about promoting freedom of speech, freedom of the press, freedom of religion, and a right to privacy.

If you haven't seen his presentation at Defcon, I think you should.

http://video.google.com/videoplay?docid=-5021435977346308867&ei=8w_cSf6aCMSD-Aad3Kwq&q=steve+topletz&hl=en

{QUOTE-> But if one of these 3 letter agencies goes to Steve or Xerobank and wants info on some joeblow paying 35/month, who do you honestly think Xerobank is going to side with? <-QUOTE}

Why do you think that he would do something like that? You think he's a whore?...LOL!:P I have never thought of him as having a "money talks but bullshit walks" type of mentality. He is far too enlightened for that.

Plus, and this is a very BIG PLUS....Do you honestly think that a government agency would trust him with their security if they thought that he would sell them out to the highest bidder?

LockBox
April 8th, 2009, 12:32 AM
The answer to all this about UltraSurf is in my post #74 and a very well-written investigative piece by Peter Lee of the Asia Times. It's a long article but you'll hang on every word.

LockBox
April 8th, 2009, 12:37 AM
{QUOTE-> And as far as Steve's integrity as a human being? I honestly believe that he (and many of his friends, Hacktivismo, CDC etc) care about human rights and basic human decency. And I think that they definitely value diversity and individuality. That weighs VERY heavily with me. And I also think that he is very serious about promoting freedom of speech, freedom of the press, freedom of religion, and a right to privacy. <-QUOTE}

Absolutely. If you want to talk associations, Steve's says it all with his activism with Hacktivismo, Cult Of The Dead Cow, etc. His commitment to privacy for freedom's sake and his work for these goals cannot be disputed.

badjoey
April 8th, 2009, 03:23 AM
Well, for starters, anyone who starts a panic without giving any proof whatsoever loses all credibility as far as I am concerned. And Steve has been known to say stuff that just isn't true or doesn't stand up to scrutiny. For starters, back in December he first mentions he and his team were working on a project that would blow a lot of these anonymizing services out of the water, and here we are 5 months later and he still hasn't produced. And the whole Ultrasurf thing was just not cool. He started a panic for no reason and got some people really worried. That is not someone I would be trusting. Also, either you are very naive or are in cahoots with Steve if you think it's not about money. And the US govt can pretty much make any one person or company do what they want. They are the most powerful govt on the planet, so to sit there and say Steve's not like that, or that the US govt would not go into business with someone who would sell out to the highest bidder, is laughable. The US govt will go into business with anyone because they are so powerful and arrogant that they believe they can control anyone and anything. You need to wake up, people.

emmpe
April 8th, 2009, 03:48 AM
{QUOTE-> The answer to all this about UltraSurf is in my post #74 and a very well-written investigative piece by Peter Lee of the Asia Times. It's a long article but you'll hang on every word. <-QUOTE}

Thanks for providing the link - good reading. I am a little wary of Falungong myself, at least as far as their spiritual claims go - they look like a very bizarre hoax. US government and Falungong, huh?

http://www.nytimes.com/library/review/043000falun-gong-review.html

Maybe there is some truth in the Chinese allegations of a cold war.

markoman
April 8th, 2009, 06:36 AM
{QUOTE-> Hell if I had a superior product to offer, I would be more than happy to take their money. It doesn't bother me in the least that Xerobank offers protection for government agencies. I care about my country. And although I disapprove of some of the things that are going on, I am thankful to live in the country that I live in, and I am more than a little determined to create change from within....in my own humble way..

And as far as Steve's integrity as a human being? I honestly believe that he (and many of his friends, Hacktivismo, CDC etc) care about human rights and basic human decency. And I think that they definitely value diversity and individuality. That weighs VERY heavily with me. And I also think that he is very serious about promoting freedom of speech, freedom of the press, freedom of religion, and a right to privacy.

If you haven't seen his presentation at Defcon, I think you should.

http://video.google.com/videoplay?docid=-5021435977346308867&ei=8w_cSf6aCMSD-Aad3Kwq&q=steve+topletz&hl=en



Why do you think that he would do something like that? You think he's a whore?...LOL!:P I have never thought of him as having a "money talks but bullshit walks" type of mentality. He is far too enlightened for that.

Plus, and this is a very BIG PLUS....Do you honestly think that a government agency would trust him with their security if they thought that he would sell them out to the highest bidder? <-QUOTE}

Xerobank, like most companies, exists with the target of making money. A company needs a lot of money even only in order to exist. I don't know what commercial power American Agencies have with respect to Xerobank, but if a good percentage of Xerobank's income came from a three letter agency, such agency would have a good basis for getting information from Xerobank. This is natural, and should be expected by ANY company.

On the other hand, I believe that American Government is not such a big client for Xerobank.

Judge Dee
April 8th, 2009, 08:31 AM
{QUOTE-> Well, for starters, anyone who starts a panic without giving any proof whatsoever loses all credibility as far as I am concerned. And Steve has been known to say stuff that just isn't true or doesn't stand up to scrutiny. <-QUOTE}
You haven't exactly wowed me with your proofs either. At least BlueZannetti, who's been with this forum since 2003, had something concrete to give us. At least CaixFang had something concrete to give us. You only give us paragraphs full of innuendo.
I'm at this forum because I trust the owners, and I believe they are very capable of choosing the best and the most honest people as administrators and moderators. When they give advice, backed with what proof is there, I choose to believe them, not ranters.

fuzzylogic
April 8th, 2009, 09:03 AM
Let's not let this start to become yet another Xerobank flame war, this is about Ultrasurf and whether or not it's a good anonymizer. This is really about helping people get around totalitarian governments, but what I'm most disappointed in these products is that they focus too much on China, not on equally oppressive governments like Iran, Thailand, North Korea, UAE, etc. Freegate and GTunnel are now only accessible by Chinese IP addresses and that really means equally opposed people are being cut off.

SteveTX
April 8th, 2009, 09:09 AM
Joey, your patently false libel against me will not cause me to reveal more information. Prior to your existence here, there were many other threads where claims were made. While they don't often move as fast as I or you desire, as projects do have delays, mine all turn out to be true. I still stand by what I've said 100%: Ultrasurf is malware. Erase it. Do not run it. Don't even run it inside a virtual machine or sandbox. Any alternative is better than running Ultrasurf, its severity of risk cannot be overstated. ... And stay tuned for deanonymizer :D

Coolio10
April 10th, 2009, 11:17 AM
KIS 09 reports Ultrasurf connects to many U.S. government, bank, and educational institutes. It also uses low-level disk access for some reason.

Looks like malware to me.

Fly
April 10th, 2009, 04:38 PM
{QUOTE-> KIS 09 reports Ultrasurf connects to many U.S. government, bank, and educational institutes. It also uses low-level disk access for some reason.

Looks like malware to me. <-QUOTE}

Can you be more specific about what KIS reports ? When/how do you get that report ?

Btw, I googled Ultrasurf and KIS and noticed a result that offered free keys for Kaspersky ! ::)

Coolio10
April 10th, 2009, 07:43 PM
{QUOTE-> Can you be more specific about what KIS reports ? When/how do you get that report ?

Btw, I googled Ultrasurf and KIS and noticed a result that offered free keys for Kaspersky ! ::) <-QUOTE}
You could have googled "kaspersky internet security 2009" and still got keys lol. :dry:
I'll post screenshots later.

Coolio10
April 12th, 2009, 12:54 PM
Here's shots.
The IPs are sometimes different, and some aren't even website servers.

Coolio10
April 12th, 2009, 12:55 PM
pics continued

Coolio10
April 12th, 2009, 12:57 PM
pics continued 2

CaixFang
April 27th, 2009, 12:49 PM
Over a month, and nothing further, huh Steve?

I'm with the "Why bring it up" people now. If you were going to go this long, all you should have said was "US has been confirmed as malware by us and / or other people, I would strongly recommend removing this product asap."

My jaw hurts from waiting so long for it to drop...

I don't want to be an ass, but I am losing faith in Steve by the day (not because of this thread, just in general, and this supplements it.)

I would think if it was "jaw-dropping" something public would have come out by now, or this is so serious that the public will never know about it, in which case, back to "Why bring it up...."

Next time you put your $.02 in, I'll make sure to give you change.

Fly
April 27th, 2009, 03:53 PM
{QUOTE-> Over a month, and nothing further, huh Steve?

I'm with the "Why bring it up" people now. If you were going to go this long, all you should have said was "US has been confirmed as malware by us and / or other people, I would strongly recommend removing this product asap."

My jaw hurts from waiting so long for it to drop...

I don't want to be an ass, but I am losing faith in Steve by the day (not because of this thread, just in general, and this supplements it.)

I would think if it was "jaw-dropping" something public would have come out by now, or this is so serious that the public will never know about it, in which case, back to "Why bring it up...."

Next time you put your $.02 in, I'll make sure to give you change. <-QUOTE}

Maybe it has something to do with 'deanonymizer' (1st of August), see Xerobank vs. ShadowVPN thread ? Yeah, I'm just curious too.

SteveTX
April 27th, 2009, 05:06 PM
No, totally independent secrecy agreement.

Genady Prishnikov
April 27th, 2009, 08:55 PM
{QUOTE-> No, totally independent secrecy agreement. <-QUOTE}

Agreement with who? The same people you promise to stand up to when push comes to shove? Sounds like a lack of stones to me.

larserks
June 19th, 2009, 06:03 AM
Hi,

What happened to the information that should be provided?

SteveTX
June 19th, 2009, 03:06 PM
It will be included in my Blackhat talk in Vegas.

StevieO
June 19th, 2009, 08:52 PM
Just read the whole thread, boy this is better than the late night movie, except it's for real! Looking forward to the full in-depth details when they arrive. And yes I do believe SteveTX is honest, and gives reliable advice/info etc, even though he is part of XB.

Just some of the links/info listed in - http://www.robtex.com/dns/ultrareach.com.html -> http://www.robtex.com/dns/beastf**king.com.html#a6 -> http://www.robtex.com/dns/a**lflick.com.html

What's the connection between Ultra and those porn www's ???

Nebulus provided a great link, which links to - http://anubis.iseclab.org/?action=result&task_id=116b9569dd96c27a4d9c4ae58c95be3e5&format=html

In there you'll see, amongst a stack of other data, the proof of Unknown TCP Traffic to various places including DHS as in my screeny.

Read Cyber-skirmish at the top of the world by Peter Lee, interesting.

CaixFang

Holy Father of HackerDefender fame, died in a car crash a couple of years ago, so it can't be anything to do with him. Plus I'm convinced he would NOT have got mixed up in stuff like that.

Some good links and info by other posters too

caspian
June 20th, 2009, 11:04 AM
bestf**king.com??:doubt: WTF?.. :argh:

himynamaborat
July 25th, 2009, 06:15 PM
It's Blackhat time. I've been waiting to see what Steve is going to say about Ultrasurf.

I found this thread about a month ago after I did a google search of "Ultrasurf" and "malware". The reason I did that search was because Ultrasurf seemed too good to be true. Everyone was singing its praises, yet I couldn't find any useful information on the product, either from the Ultrasurf site or anywhere on the net. And I questioned why or how they could/would provide such a snappy service to everyone for free. Initially, I thought it was just a man-in-the-middle attack, which doesn't bother me too much, since I don't give out personal info with proxies. If it were just a MITM attack, I would probably still use it because I don't think it would affect me.

But Steve made it seem like there was more to it than that. So, I guess we should know in a few days.

MakePB
July 28th, 2009, 04:14 PM
It seems that NOD32 has analyzed this file in past in found first well and then not to be Trojan:

http://www.wilderssecurity.com/showthread.php?t=232326

Without any evidence it is hard to make any conclusion here. I'm not aware how Ultrasurf works and do not have time to test it and gonna deep into but if program use open proxy servers and if there is internal testing and if they are filtered then are terms or site like sex, ****, porn just used to filter out proxies that are set to not works on such a terms.

Such a way works some other proxy programs and testers to get rid of not fully working proxies.

btw

Their Chinese site is http://www.wujie.net/
By their FAQ http://www.ultrareach.com/usercenter_en.htm

4. Is UltraSurf a Trojan or virus?
A: Neither. UltraSurf provides users with state-of-the-art internet technology to break through firewall safely. It is a popular anti-censorship software, not a Trojan or virus. Some anti-virus software companies classify UltraSurf as a Trojan software simply because UltraSurf is able to break through firewalls. It is a mistake and a wrong classification. We are in the process of resolving this issue with these anti-virus companies through technique channels and legal channels. It is our mission to protect users' privacy when browsing the internet. Please rest assured that UltraSurf will not touch any of the documents on your PC.

coderman
July 29th, 2009, 01:14 AM
{QUOTE-> It seems that NOD32 has analyzed this file in past in found first well and then not to be Trojan:...
4. Is UltraSurf a Trojan or virus?
A: Neither. UltraSurf provides users with state-of-the-art internet technology to break through firewall safely. It is a popular anti-censorship software, not a Trojan or virus. Some anti-virus software companies classify UltraSurf as a Trojan software simply because UltraSurf is able to break through firewalls. <-QUOTE}

this is not the behavior in question. and a white list by some company at one point in time does not indemnify for the future.

they're changing the behavior of this software at will, and without user notification or consent. this is bad.

(hopefully many more details to come to light soon...)

best regards,

pocan
July 30th, 2009, 03:03 AM
Steve,
What was this really all about?
Swine Flu Virus?
The only national newspaper article on UltraSurf I came across for the past four months is one in NY times and it was very positive.
Now the blackhat conference is over, would you please tell us about the "jaw dropping" truth about UltraSurf?

MakePB
July 30th, 2009, 05:23 AM
{QUOTE-> this is not the behavior in question. and a white list by some company at one point in time does not indemnify for the future.

they're changing the behavior of this software at will, and without user notification or consent. this is bad.

(hopefully many more details to come to light soon...)

best regards, <-QUOTE}

And what is behavior in question?
Titled this topic as "Ultrasurf Is Malware" and then do not provide any evidence!????

SteveTX
July 30th, 2009, 12:10 PM
We gave the talk so here is the answer:

UltraSurf and Gtunnel and likely all products put out by the Global Internet Freedom Consortium / Internet Freedom.org, are in fact secret trojans. They give you a 1-hop proxy but use your system to launch attacks against financial institutions, government and energy websites, education, etc. Now here is the scary thing, if you are logged into one of these domains, like your bank, then they can get access to your authenticated session / cookie and potentially break right into your account, THROUGH YOUR OWN COMPUTER.

Imagine if someone with a sensitive US position used ultrasurf. Suddenly their military login has been compromised. Not likely? They've been around twice as long as tor, and this exact thing happened on tor last year (see Dan Egerstad).

It gets better, any site you visit using the program, they turn off SSL cert checking so they can perform MITM and watch your entire session and logins. It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you.

GIFC / Internet Freedom org are a huge scam. They are likely run by a private Chinese intelligence firm to monitor dissidents and US citizens while attacking critical infrastructure in the USA and Taiwan. They have fooled everyone for nearly a decade, and are seeking a $40m grant as an internet anti-censorship software.

We have proof, wireshark logs, video, live audit, and a list of their attack patterns (http://janusvm.com/Ultrasurf_audit.zip). Special thanks to Moxie Marlinspike for assistance.

bonedriven
July 30th, 2009, 12:29 PM
{QUOTE-> We gave the talk so here is the answer:

UltraSurf and Gtunnel and likely all products put out by the Global Internet Freedom Consortium / Internet Freedom.org, are in fact secret trojans. They give you a 1-hop proxy but use your system to launch attacks against financial institutions, government and energy websites, education, etc. Now here is the scary thing, if you are logged into one of these domains, like your bank, then they can get access to your authenticated session / cookie and potentially break right into your account, THROUGH YOUR OWN COMPUTER.

Imagine if someone with a sensitive US position used ultrasurf. Suddenly their military login has been compromised. Not likely? They've been around twice as long as tor, and this exact thing happened on tor last year (see Dan Egerstad).

It gets better, any site you visit using the program, they turn off SSL cert checking so they can perform MITM and watch your entire session and logins. It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you.

GIFC / Internet Freedom org are a huge scam. They are likely run by a private Chinese intelligence firm to monitor dissidents and US citizens while attacking critical infrastructure in the USA and Taiwan. They have fooled everyone for nearly a decade, and are seeking a $40m grant as an internet anti-censorship software.

We have proof, wireshark logs, video, live audit, and a list of their attack patterns (http://janusvm.com/Ultrasurf_audit.zip). Special thanks to Moxie Marlinspike for assistance. <-QUOTE}

This is huge. But I found it strange because "the private intelligence" which is related to an anti-Chinese-government religion (or organization) also attacks America and Taiwan. That's not logical. Only if it is not a software provided by Falun?

StevieO
July 30th, 2009, 03:53 PM
SteveTX et al

Well this seems pretty conclusive, so i hope there will be some retracts from previous negative posters !

Thanx for all the time doing the research and gathering the data etc. And also for keeping your head, and tongue, when given a hard time from some, i know what it's like !

Las Vegas is better than i thought it would be, so much so i stayed 2 nights a few years ago. So hope you enjoy !


DL'd the PROOF folder and tried to watch the AVI's with both VLC & WinMedPlayer, no joy ?

RE -

" It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you. "

Even if you aren't actively using it at the time ?


Looking forward to the global fallout on all this, which should be both interesting, and funny in a way.

Regards,

S

dw426
July 30th, 2009, 04:22 PM
Thank you for updating this Steve, you've not only silenced the impatient overly critical people here (I hope at least), but cast a huge spotlight on a shady and dangerous organization.

pocan
July 30th, 2009, 06:52 PM
Steve,
Thanks for your reply.
I'm sorry I was skeptical about this.
Since I was a user of the software, this is really scary.
Thanks.

SteveTX
July 31st, 2009, 01:43 AM
Thank you for listening; I hope I've made believers out of some of you.

Some things I can't talk about right away, but know that I am doing what I can. In this case covert study of it was being done, and we didn't want them to get too much wind of it, but didn't want people to keep using it. Now the cat is out of the bag.

If you are having trouble viewing the video, try downloading a codec pack or two here (http://www.free-codecs.com/Codec_Packs.htm) (no warranties naturally).

SteveTX
July 31st, 2009, 01:46 AM
{QUOTE->
Even if you aren't actively using it at the time ?
<-QUOTE}

I don't know about the particular behavior, but from what we have seen it is insidious: when you move, it moves. When you don't, it doesn't. That way its evil behaviors go undetected and you only get notices that would coincide with things you are already doing on your computer. fun fact: when you run Ultrasurf it spiders into your system; check your reg settings, when you close the program it removes the evil traffic-capturing entries it made, leaving no trace. evil evil. very well written.

markoman
July 31st, 2009, 03:54 AM
Thanks Steve! This just made my day ;)

MakePB
July 31st, 2009, 04:02 AM
Thank you for time to collect evidence and share all your finding with us.

StevieO
July 31st, 2009, 06:00 AM
Interestingly, as i was beginning to write this Prevx was scanning and detected 1 out of the 6 different Ultrasurf program versions included in SteveTx's report folder i'd DL'd earlier. A few minutes later Prevx was off scanning again as i reopened the folder, and this time detected a further 3. How about that for fast, on the fly, in the cloud, in your face updates ! I'm sure the other 2 won't be far behind.

Only 1 was classed as a High risk worm though ?

So even further Proof that vendors are now beginning to take this seriously.

Funny thing is, out of curiosity i actually tried US recently lol, and it worked just fine, no install, SSL, fast'ish. So i'll be keeping a close eye on things now, even though i've uninstalled it.

Here's the SHA1's on the 6 above files to show the differences.

2 x different U.exe =

6DB58E3BD0B964A65A65BB5342ABE67BBE25961C

BA088B3F66944BB8F47C9E23EA46ACF59A4CB029

u92.exe = 7429A0B46B5C3D9763C4B1B88E76307A3046678B

u93.exe = 72FFC21B065830232B4961EA8AD7176C2022D5B5

u94.exe = B3E4DCFB4A2E6E0F15286B9D5664E1A3F2E89DFA

UltraSurf62.exe = 260ABFB7C703C75228145323A1B3322BECA0BAFE

As yet, Avira,a2,SAS,MBAM don't detect any of them. But i wonder how long before they do now, not too long i imagine !

In the report are 2 videos of the live investigation, and amongst other Apps, InstallWatch was used to monitor installation, but i was surprised to see SpybotS&D being used to capture changes in the Reg too. Nothing wrong with that of course, but it's a few years since i've had it on my PC's.


So once again, top marks to Steve & the crew, and Prevx.

markoman
July 31st, 2009, 07:04 AM
I can confirm that ESET Nod32 marks Ultrasurf files in the .zip as viruses.

caspian
July 31st, 2009, 11:36 AM
{QUOTE-> Thank you for listening; I hope I've made believers out of some of you.

Some things I can't talk about right away, but know that I am doing what I can. In this case covert study of it was being done, and we didn't want them to get too much wind of it, but didn't want people to keep using it. Now the cat is out of the bag.

If you are having trouble viewing the video, try downloading a codec pack or two here (http://www.free-codecs.com/Codec_Packs.htm) (no warranties naturally). <-QUOTE}

Amazing work Steve! I was finally able to watch the videos, although I don't yet understand what they show. But anyway, if you use Gom player, you can download this codec and it works. http://www.gomlab.com/codec/success.html?intCodec=67

noone_particular
July 31st, 2009, 01:29 PM
That is amazing. Ultrasurf users become pawns in a global chess game. Thanks for bringing this into the open.

I'd also hope that users get a couple more lessons from this.

Software can do exactly what the user expects, a 1 hop proxy in this instance, and still be much more than it appears.
Some conspiracy theories are real! Botnet owners have long known the value of using others' computers. Now we see an instance of our PCs being used as weapons. Don't bet on this being the only instance in this global internet war zone or that governments may be doing things very similar.
Without outbound traffic monitoring, something like this would have escaped detection. There is security value in monitoring and controlling outbound traffic, especially when you look at the big picture and not just your own equipment.

LockBox
July 31st, 2009, 06:46 PM
This is nothing short of a bombshell investigation. I think the security community is being slow to recognize what XeroBank presented at Blackhat. This isn't just security community news though. This will be frontpage NY Times as soon as somebody gets a clue as to the ramifications of this report and the breaches of U.S. security.

Well done, Steve and Kyle. The evidence is damning and thanks for the zip file, which contains the evidence very clearly.

Simply unbelievable.

LockBox
July 31st, 2009, 06:48 PM
One other thing, the current reports of certain anti-spyware vendors not reporting this as Spyware should not be a surprise. This is much more than a simple file which can be flagged as "spyware." As sophisticated as they come. This is dynamite wrapped in candy paper. A grave security breach and the ramifications? Unknown and downright frightening to even think about.

ON EDIT: It will take a day or two (heading into a weekend) for this to hit the security media, not to mention the mainstream media, but Network World has picked up the research report.
http://www.networkworld.com/news/2009/073109-blackhat-ultrasurf.html

LockBox
July 31st, 2009, 06:56 PM
{QUOTE-> GIFC / Internet Freedom org are a huge scam. They are likely run by a private Chinese intelligence firm to monitor dissidents and US citizens while attacking critical infrastructure in the USA and Taiwan. They have fooled everyone for nearly a decade, and are seeking a $40m grant as an internet anti-censorship software.
We have proof, wireshark logs, video, live audit, and a list of their attack patterns (http://janusvm.com/Ultrasurf_audit.zip). Special thanks to Moxie Marlinspike for assistance. <-QUOTE}

Steve, If the above highlighted portion is true (and the evidence sure looks that way), your and Kyle's research has uncovered something nothing short of a Tom Clancy novel on steroids.

ePost
July 31st, 2009, 10:45 PM
This is a police matter. Or the FBI/CIA even. Have they been given the material? What about the press?

And it's also a matter for us. We should start writing about this on other boards, blogs, websites and our homepages. In Wikipedia and other strategic places.

And: MAKE WOT SHINING HOT RED for the Global Internet Freedom Consortium / Internet Freedom.org

Google them and vote them dead! >:( Vote from Google's search page at the red circle. Don't give them a click for their counter. They don't deserve traffic.

ePost
July 31st, 2009, 10:57 PM
There's also SiteAdvisor and others of the same kind...

oldymin
July 31st, 2009, 11:04 PM
Never trusted that ultrasurf crap anyway. But by the look of the evidence it's indeed something far more evil than just the next door piece of spyware. So if this stuff is for real then i can't imagine that the agencies over the world didn't know anything about it. It sure does raise questions;

It's on a huge scale and not one agency or even a commercial organisation ever investigated or raised an eyebrow ? Perhaps indeed the Chinese or collaboration of foreign agencies to gather intel this way ? Perhaps their agents who infiltrate certain organisations recommend out of the blue to use ultrasurf ? The sky is the limit or is it just a big criminal enterprise ? Maybe not Madoff style but a serious impact on many lives if this is that big.

Nice work :-)

wembleyy
July 31st, 2009, 11:04 PM
can anyone tell me what these logs show?

bonedriven
August 1st, 2009, 12:55 AM
So "Chinese intel agency" uses an anti-censorship software to spy on others? I think we were pretty sure it is actually a program made by Falun which is totally against Chinese government. Can someone elaborate this?

Genady Prishnikov
August 1st, 2009, 03:24 AM
Steve: It is no secret I have been very critical of you and your lack of candor at times. However, I must commend you and Kyle on the work you did with this exposé of UltraSurf. I have looked at it all and I am very impressed. You deserve all the kudos you receive. Good job.

ePost
August 1st, 2009, 11:10 AM
We need that video on YouTube and similar sites so that we can spread the word via boards, blogs and other sites...

LockBox
August 1st, 2009, 02:26 PM
{QUOTE-> Steve: It is no secret I have been very critical of you and your lack of candor at times. However, I must commend you and Kyle on the work you did with this exposé of UltraSurf. I have looked at it all and I am very impressed. You deserve all the kudos you receive. Good job. <-QUOTE}

Hell has truly frozen over. Classy post though.

mekai
August 1st, 2009, 08:55 PM
It doesn't appear to install. It just seems to be a program that sits there until you activate it so is just deleting that enough? What can we do if we've used it?

Oops, I didn't realize I'd been linked to the middle of the article. I still am wary of just deleting the .exe though. And I have an AV so adding the one you linked to will conflict, no? I'm sorry for the questions. I'm a bit of a novice. I've had some strange things happen with my computer though. (Incidentally, they started the night I downloaded Ultrasurf.) I posted some logs for help at a different security site but I've yet to receive a response. I happened across this thread quite accidentally.

StevieO
August 2nd, 2009, 02:19 AM
If someone Trustworthy enough ??? could clean up US, it would be a very good APP, for the reasons i mentioned earlier.

There are still www's & forums etc promoting US, maybe they haven't heard yet, or don't care !

I've included a screenie of Global Internet Freedom Consortium's hxxp://www.internetfreedom.org/about that was mentioned further back in the thread. It shows all the players " seemingly " also involved in this whole charade.


SteveTX

I realised my VLC player wasn't the latest version, so i upgraded and Bingo the videos worked.

wembleyy

The logs and videos show Ultrasurf using someone's PC to make lots of connections to numerous IP's they didn't choose to go to. This is all done surreptitiously WITHOUT the user's knowledge.

It also shows Ultrasurf inserting various files and Registry settings etc, that are questionable.

In short very Devious.

Nebulus
August 2nd, 2009, 03:14 AM
{QUOTE->
It also shows Ultrasurf inserting various files and Registry settings etc, that are questionable.
<-QUOTE}
I have the feeling that lots of people didn't look too closely at the audit logs. There aren't many files or registry entries created by Ultrasurf, and they aren't dangerous (feel free to prove me wrong, but with evidence).

{QUOTE->
The logs and videos show Ultrasurf using someone's PC to make lots of connections to numerous IP's they didn't choose to go to. This is all done surreptitiously WITHOUT the user's knowledge.
<-QUOTE}
Indeed, some of the network activity of Ultrasurf is questionable, as Steve showed in the videos. But looking at the pcap files, I wasn't able to find clear evidence of an attack pattern (DOS or other kind).

PS: I'm not suggesting that using Ultrasurf is safe, but I would like to see a more technical debate, rather than "OMG!!! It's a conspiracy against US!!"

badjoey
August 2nd, 2009, 09:04 PM
well for starters maybe the rest of the security community isn't convinced that US is what steve says it is. those logs are not clear cut proof that the info is being logged or used maliciously. and the software acting deviously is more than likely in part due to the fact it is supposed to be bypassing china's great wall so to speak.
honestly are you people that foolish to believe that steve would find something that the fbi, cia or secret service with unlimited resources didn't notice. if it was as malicious as steve says it is trust me these agencies would be investigating and would have made an announcement to warn everybody. talk about devoted blind followers. you guys are like cult followers.

SteveTX
August 2nd, 2009, 09:37 PM
For those of you who don't know what the audit means:

1. UltraSurf scans military, financial, educational, and critical infrastructure sites, using your real home IP address, immediately flagging you personally to any firewall and alerting any surveillance. This is extreme anti-anonymity, the exact opposite of what the software is purported to do.

2. UltraSurf turns off SSL Certificate Checking, which is an outrageously gross violation of security protocol and means your browser will accept any certificate, including forged ones, to make it possible to perform Man In The Middle attacks. If only someone had a proxy network where they could inject traffic they could slurp up all your credentials and watch your sessions... oh wait, that is exactly what Ultra Surf does.

There are tons of questionable things about UltraSurf, such as that all past versions of them set off trojan virus alarms; but none of the above are questionable, possibly legitimate things. They are absolutely damning, with no room for contention or plausibility.
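
What the certificate checks in point 2 would have caught, as an added example that is not part of the original post or of the audit files: a hostname-mismatch and self-signed test over certificates in the dict form Python's `ssl.getpeercert()` returns, plus a check of whether a client context has verification switched off. The certificates, hostnames and function names are constructed for illustration.

```python
import calendar
import ssl
import time

# Constructed certificates, in the dict shape returned by ssl.getpeercert().
GENUINE = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Constructed Test CA"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}
FORGED = {  # issued to itself, for a different name, no SAN extension
    "subject": ((("commonName", "other.example"),),),
    "issuer": ((("commonName", "other.example"),),),
    "notBefore": "Jan  1 00:00:00 2009 GMT",
    "notAfter": "Jan  1 00:00:00 2011 GMT",
}
AUDIT_TIME = calendar.timegm((2009, 8, 2, 0, 0, 0))  # fixed clock for the demo


def cert_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """'*' may only be the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_problems(cert, hostname, now=None):
    """Return the reasons a verifying client would refuse this certificate.

    Chain validation itself is done by the TLS library; this covers the
    name, self-issued and validity-period checks only.
    """
    now = time.time() if now is None else now
    if not cert:
        # getpeercert() returns {} when the peer certificate was not validated.
        return ["no-validated-certificate"]
    problems = []
    if not any(name_matches(n, hostname) for n in cert_names(cert)):
        problems.append("hostname-mismatch")
    if cert.get("issuer") == cert.get("subject"):
        # Heuristic: issuer equal to subject means self-issued.
        problems.append("self-signed")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    return problems


def context_weaknesses(ctx):
    """Report which verification steps a client SSLContext has disabled."""
    weak = []
    if ctx.verify_mode == ssl.CERT_NONE:
        weak.append("chain-not-verified")
    if not ctx.check_hostname:
        weak.append("hostname-not-checked")
    return weak


def strict_context():
    # Library default: CERT_REQUIRED plus hostname checking.
    return ssl.create_default_context()


def permissive_context():
    # The "accept any certificate" configuration described in the post.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("forged", FORGED)):
        print(label, certificate_problems(cert, "bank.example", AUDIT_TIME))
    print("strict    ", context_weaknesses(strict_context()))
    print("permissive", context_weaknesses(permissive_context()))
```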

traxx75
August 2nd, 2009, 09:46 PM
I don't know about anyone else but I find it hard to believe that UltraSurf trying to connect to locations such as eservices.dor.nc.gov and access.usbank.com has anything to do with bypassing China's Internet filtering. It is these unnecessary attempts to connect to a wide range of IPs that should send alarm bells ringing.

Also, who's to say that intelligence/security agencies haven't been aware of this but have chosen to quietly monitor its development and evolution? That said, when was the last time you heard one of those agencies go public about a particular piece of malware? I can't remember a single time, myself.
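
The outbound-monitoring idea raised in this part of the thread, as an added example that is not from any poster or from the audit files: list the destinations a process contacted that the user never requested and that are not its expected relay. The log format, `relay1.proxy.example`, the other `.example` hosts and the function names are assumptions; the two flagged hostnames are the ones quoted in the post above.

```python
from collections import defaultdict

# Constructed sample: one outbound connection per line, "time process host:port".
SAMPLE_LOG = """\
2009-08-02T21:40:01 firefox.exe news.example:80
2009-08-02T21:40:01 u.exe relay1.proxy.example:443
2009-08-02T21:40:02 u.exe eservices.dor.nc.gov:443
2009-08-02T21:40:02 u.exe access.usbank.com:443
2009-08-02T21:40:05 u.exe ACCESS.usbank.com.:443
this line is malformed and must not crash the parser
2009-08-02T21:40:09 updater.exe updates.vendor.example:443
"""

# Hosts the user actually asked for (e.g. from browser history). Constructed.
REQUESTED = {"news.example"}

# Destinations each process is expected to use for its stated job. Constructed.
EXPECTED = {"u.exe": {"relay1.proxy.example"}}


def parse_connections(log_text):
    """Return ([(process, host, port), ...], number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            skipped += 1
            continue
        _timestamp, process, dest = parts
        host, sep, port = dest.rpartition(":")
        if not sep or not host or not port.isdigit():
            skipped += 1
            continue
        # Normalise case and a trailing dot so duplicates collapse.
        records.append((process.lower(), host.lower().rstrip("."), int(port)))
    return records, skipped


def unexplained_destinations(records, requested_hosts, expected_by_process):
    """Map process -> sorted hosts it contacted that nothing accounts for."""
    requested = {h.lower() for h in requested_hosts}
    found = defaultdict(set)
    for process, host, _port in records:
        if host in requested:
            continue  # the user asked for this site
        if host in expected_by_process.get(process, ()):
            continue  # known infrastructure for this program
        found[process].add(host)
    return {proc: sorted(hosts) for proc, hosts in found.items()}


def flag_processes(unexplained, min_hosts=2):
    """Processes with at least min_hosts distinct unexplained destinations."""
    return sorted(p for p, hosts in unexplained.items() if len(hosts) >= min_hosts)


if __name__ == "__main__":
    records, skipped = parse_connections(SAMPLE_LOG)
    report = unexplained_destinations(records, REQUESTED, EXPECTED)
    print("skipped lines:", skipped)
    for proc, hosts in sorted(report.items()):
        print(proc, "->", ", ".join(hosts))
    print("flagged:", flag_processes(report))
```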

dw426
August 2nd, 2009, 09:56 PM
{QUOTE-> well for starters maybe the rest of the security community isn't convinced that US is what steve says it is. those logs are not clear cut proof that the info is being logged or used maliciously. and the software acting deviously is more than likely in part due to the fact it is supposed to be bypassing china's great wall so to speak.
honestly are you people that foolish to believe that steve would find something that the fbi, cia or secret service with unlimited resources didn't notice. if it was as malicious as steve says it is trust me these agencies would be investigating and would have made an announcement to warn everybody. talk about devoted blind followers. you guys are like cult followers. <-QUOTE}

You obviously haven't worked within the government. Unlimited resources? I'm actually smiling. Our country alone is over 11 trillion in debt, we've recently literally been writing IOUs to other countries, our programs are rapidly running out of money, and more resources go towards irrelevant scientific research than towards national security, that is fact. The state of national security financial resources and manpower would make you cringe if you bothered to research before you opened your mouth. I'm reminded of an old favorite TV show when I visit the privacy sections here: "The truth is out there"....and nobody bothers to give a damn and/or look for it.

Edit: Traxx75, these agencies WOULDN'T go public with it. Why? Simple, it would blow up the national security scene worldwide like a nuke and right in front of a worldwide audience of people already somewhat untrusting of their own governments.

badjoey
August 2nd, 2009, 10:29 PM
{QUOTE-> You obviously haven't worked within the government. Unlimited resources? I'm actually smiling. Our country alone is over 11 trillion in debt, we've recently literally been writing IOUs to other countries, our programs are rapidly running out of money, and more resources go towards irrelevant scientific research than towards national security, that is fact. The state of national security financial resources and manpower would make you cringe if you bothered to research before you opened your mouth. I'm reminded of an old favorite TV show when I visit the privacy sections here: "The truth is out there"....and nobody bothers to give a damn and/or look for it. <-QUOTE}

dw426 i don't work for the government but i know a lot about investigations and the discretionary funds that certain agencies have access to and us has been around long enough that somebody somewhere would be ringing a bell. and again steve has not provided any solid proof that what us does is being used for malicious intent. also what evidence steve provided he could have provided 4 months ago when he first sounded the alert. the program was doing the same thing then that it is doing today. and if he had been monitoring it for the last 4 months he should have more evidence than he does.
i think you're talking crap about saying what kind of money is available for national security, just cause you pick up a newspaper or watch cnn does not make you an expert or give you inside knowledge about what the us government does with its tax dollars and if you believe everything you read in the news and watch on tv then that would explain your blind faith in steve.
seriously there are a lot of experts in this world when it comes to computers including ones that work for the antivirus companies and until a couple of the big ones like either kaspersky or norton or eset come forward saying they have done their own extensive testing and have found absolute proof that us is malware or a back door and that they recommend to stop using it then i wouldn't put much stock in this.

because i have used it off and on for the last year and never had a problem with it or my computer running funny. and no men in suits have showed up to seize my computers either.

StevieO
August 2nd, 2009, 10:39 PM
Reasons why -

All the data is in the videos and logs for people to inspect. Now they either choose to believe, or not, that it's all real and collected by those tests on US. Personally, i do believe.

US have designed the App to appear as benign as possible to evade scrutiny, and up till now have succeeded brilliantly !

Now we come to, why are US, and probably the other ones from GIFC listed in my recent screenie above, doing what they do.

Providing a free/fast, and ( supposedly ) SSL proxy service, is very attractive to all sorts of legitimate users, err and others, for all sorts of reasons. If as advertised by US, they are ( supposedly ) helping people in China & elsewhere circumvent those countries restrictions, then they ( appear ) to be good guys. But if they're not good guys, then the people behind US etc can spy on who's doing what, especially their own citizens. They might not pounce on them immediately, but instead could be building up a huge database of all their info/data/www's/contacts/passwords etc etc. This includes SSL www's like banking, hushmail etc etc. This could be used against them at some point if they chose to. I think it's more likely they will use all the info more deviously, rather than revealing their true modus operandi by prosecuting people right now.

Which leads on to -

They may also be planning at some stage in the future, to launch attacks, and/or infiltrate those users/accounts and/or www's they will have ALL the details of.

Seems unreal, unlikely, fantasy etc etc. Well frankly i wouldn't put it past them, as it's well known the Chinese for one, have been probing and successfully infiltrating .gov etc www's for a number of years, even though they publicly deny it.

The USA gov depts. & others etc have undoubtedly seen these probes etc coming from peoples PC's for some time. But unless a direct attempt to gain interior access is attempted, they don't have the resources/will to investigate etc. However they will be logged. And as the probes come from peoples PC's, the .gov etc have had no idea, up until now, they originated from Ultrasurf.

Only now will they/we have to rethink what the implications of ALL this mean. The S**T hasn't really even started to hit the fan yet !

dw426
August 2nd, 2009, 11:05 PM
{QUOTE-> dw426 i don't work for the government but i know a lot about investigations and the discretionary funds that certain agencies have access to and us has been around long enough that somebody somewhere would be ringing a bell. and again steve has not provided any solid proof that what us does is being used for malicious intent. also what evidence steve provided he could have provided 4 months ago when he first sounded the alert. the program was doing the same thing then that it is doing today. and if he had been monitoring it for the last 4 months he should have more evidence than he does.
i think you're talking crap about saying what kind of money is available for national security, just cause you pick up a newspaper or watch cnn does not make you an expert or give you inside knowledge about what the us government does with its tax dollars and if you believe everything you read in the news and watch on tv then that would explain your blind faith in steve.
seriously there are a lot of experts in this world when it comes to computers including ones that work for the antivirus companies and until a couple of the big ones like either kaspersky or norton or eset come forward saying they have done their own extensive testing and have found absolute proof that us is malware or a back door and that they recommend to stop using it then i wouldn't put much stock in this.

because i have used it off and on for the last year and never had a problem with it or my computer running funny. and no men in suits have showed up to seize my computers either. <-QUOTE}

I'll make it short and simple, I have been a government employee and I have more than enough sources that will back up my statements should they ever need to regarding the very sad state of the U.S financial situation and lack of manpower. So, there's that, I needn't prove a thing, you simply need to log off of this forum and go looking for the information you want. If you would like to remain unknowing about what's going on around you, your founding fathers gave that right to you and you can enjoy it.

As far as the Ultrasurf issue, he brought the information, it's up to you and the rest of us to determine whether we believe it or not and also what it means if it is true. I personally don't care myself, I simply joined in the conversation to get rid of these insane ideas people seem to have about ANY government having unlimited amounts of ANYTHING and the laughable suggestion that they have all-knowing, all-seeing "gods" in human and/or machine form. It's not only utterly pathetic, it's damned dangerous.

SteveTX
August 2nd, 2009, 11:08 PM
What you see right now from UltraSurf behavior is landscape surveillance. This is the first step in cyber-warfare. You need to know your surroundings and establish surveillance over critical infrastructure.

UltraSurf is equipped with a sort of remote auto-update feature. It gets its targets from a sophisticated distribution system offloaded to Google. It uses an encrypted RSS feed in Google Reader. It appears that the Google Reader encrypted feed is for Google Docs URLs. The Google Docs documents are encrypted blocks that UltraSurf likely decodes and contains the new targets. Another operating procedure of cyber-warfare is the executive. Potentially, with the flip of a switch, it could go from "scan" to "attack".

btw, dw426 is right about gov resources. They are very limited and inefficient to say the least. When we showed this to the FBI six months ago and asked when we could expect results, they told us they "Move at the speed of justice." Now let's differentiate... the FBI isn't the same caliber or field as DoD Cyber-warfare / DIA / NSA. FBI are just federal police, DoD is massive and disjointed, and the NSA et al are cloaky intelligence gathering orgs. And it is no secret that the US needs lots and lots of help and resources in cyber-warfare.

BlueZannetti
August 2nd, 2009, 11:14 PM
{QUOTE-> dw426 i don't work for the government but i know a lot about investigations and the discretionary funds that certain agencies have access to and us has been around long enough that somebody somewhere would be ringing a bell. and again steve has not provided any solid proof that what us does is being used for malicious intent. also what evidence steve provided he could have provided 4 months ago when he first sounded the alert. the program was doing the same thing then that it is doing today. and if he had been monitoring it for the last 4 months he should have more evidence than he does. <-QUOTE}

I observed the same basic behavior as noted in the files provided, and noted as much above. Part of the issue is that you're implicitly assuming that malware = "doing bad stuff now". While a lot of malware works that way, it's not a requirement. You're also implicitly assuming that malware = "doing bad stuff to me at some point". Again, not a requirement.

{QUOTE-> i think you're talking crap about saying what kind of money is available for national security, just cause you pick up a newspaper or watch cnn does not make you an expert or give you inside knowledge about what the us government does with its tax dollars and if you believe everything you read in the news and watch on tv then that would explain your blind faith in steve.
seriously there are a lot of experts in this world when it comes to computers including ones that work for the antivirus companies and until a couple of the big ones like either kaspersky or norton or eset come forward saying they have done their own extensive testing and have found absolute proof that us is malware or a back door and that they recommend to stop using it then i wouldn't put much stock in this. <-QUOTE}

Information has been provided to you, you determine what to do with that information.

{QUOTE-> because i have used it off and on for the last year and never had a problem with it or my computer running funny. and no men in suits have showed up to seize my computers either. <-QUOTE}

You're assuming a rather specific malware usage scenario.

All I can say is that I saw the same on launch connection attempts to multiple banks, other financial institutions, government departments focused on financial and technical areas, and various educational sites that were reported above in addition to numerous connections to China and Eastern Europe. Given that this was on launch, without further action by me, I saw red flags waving. As I noted above - walk away.

Perhaps it's just me... but I feel uncomfortable with my machine making numerous connections to financial and government sites not initiated or controlled by me. I don't believe that's a piece of tinfoil talking, to me it is simply a prudent view of reality since ultimately I am responsible for the behavior of my machine.

Blue
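
The check described in the post above (connections a program makes on launch that the user did not initiate), as an added example that is not part of the thread or of the audit archive. The process name `proxytool.exe`, the hosts, the category map and the 30-second launch window are all constructed assumptions.

```python
"""List destinations a process contacted right after launch that the user never requested.
All process names, hosts, times and categories are constructed sample data."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed per-process connection log (CSV), not taken from the audit archive.
SAMPLE_LOG = """\
time,process,remote_host,remote_port
2009-01-01 21:00:01,proxytool.exe,login.bank-one.example,443
2009-01-01 21:00:02,proxytool.exe,portal.treasury-dept.example,443
2009-01-01 21:00:02,proxytool.exe,www.campus-univ.example,443
2009-01-01 21:00:03,proxytool.exe,login.bank-one.example,443
2009-01-01 21:00:04,firefox.exe,forum.example.org,80
2009-01-01 21:00:05,ProxyTool.exe,203.0.113.25,8080
2009-01-01 21:04:30,proxytool.exe,forum.example.org,80
"""

# Analyst-maintained mapping of destinations to categories (constructed).
CATEGORIES = {
    "login.bank-one.example": "financial",
    "portal.treasury-dept.example": "government",
    "www.campus-univ.example": "education",
}


def parse_log(text):
    """Parse the CSV log into dicts with a real datetime and normalised names."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "process": row["process"].lower(),
            "host": row["remote_host"].lower(),
            "port": int(row["remote_port"]),
        })
    return events


def unsolicited_on_launch(events, process, launch_time, window_s=30, user_hosts=()):
    """Return the first connection to each (host, port) made by `process` inside the
    launch window, skipping hosts the user is known to have requested."""
    deadline = launch_time + timedelta(seconds=window_s)
    requested = {h.lower() for h in user_hosts}
    seen, flagged = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["process"] != process.lower():
            continue
        if not launch_time <= ev["time"] <= deadline:
            continue
        key = (ev["host"], ev["port"])
        if ev["host"] in requested or key in seen:
            continue
        seen.add(key)
        flagged.append(ev)
    return flagged


def summarize(flagged, categories):
    """Count flagged destinations per category; unknown hosts are 'uncategorized'."""
    return Counter(categories.get(ev["host"], "uncategorized") for ev in flagged)


def analyze_sample():
    launch = datetime(2009, 1, 1, 21, 0, 0)  # constructed launch time
    flagged = unsolicited_on_launch(parse_log(SAMPLE_LOG), "proxytool.exe", launch,
                                    user_hosts={"forum.example.org"})
    return flagged, summarize(flagged, CATEGORIES)


if __name__ == "__main__":
    hits, counts = analyze_sample()
    for ev in hits:
        print(ev["time"], ev["host"], ev["port"])
    print(dict(counts))
```
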

CaixFang
August 3rd, 2009, 11:38 AM
Funny, well not funny, but when I did my initial investigations, I left a lot out of my post on page one, when it came to people. One thing I had noticed was ALL of the people associated with US had Asian names. Initially that didn't really spark much to me (hey, it would make sense for a group of Chinese people to be trying to help those oppressed in China - which is why I left it out of my findings here) but the more I dug, the more I wondered if this was a covert Chinese govt thing, or at the minimum a group of Chinese hackers running some fraud ring (personally I leaned on the Govt side due to the resources they have.)


I think I still have all the results saved on whois's and all the tracing on names and such that I did if anyone wants/needs them in a blog or media story (I assume they have all been covered up now, but maybe not.)

Most of the people involved seem to be in the Atlanta area, or at least that's where they report they live, etc.


Very interesting whole ordeal. Long time in the making to hear the results, but I for one am not surprised at all after my research.

Good jorb Stevie....Next time you're down in the Houston area, you should let me know so we can grab lunch.

Genady Prishnikov
August 9th, 2009, 10:20 PM
I am wondering why this didn't get more coverage. It's the one thing I think Steve and Kyle did very well. It's one reason why we really need an effective Office of Cybersecurity. It was announced with great fanfare in May of this year and the announcement so far has been the only highlight, apparently nobody wants the job of heading the agency.
http://www.computerworld.com/s/article/9136306/The_cybersecurity_job_no_one_really_wants

stap0510
August 10th, 2009, 04:07 AM
{QUOTE-> I am wondering why this didn't get more coverage. It's the one thing I think Steve and Kyle did very well. It's one reason why we really need an effective Office of Cybersecurity. It was announced with great fanfare in May of this year and the announcement so far has been the only highlight, apparently nobody wants the job of heading the agency.
http://www.computerworld.com/s/article/9136306/The_cybersecurity_job_no_one_really_wants <-QUOTE}

Say, wasn't Jeff Moss tapped for that job also?
Or am I confused with another job within the Obama-administration Jeff Moss was asked for?

As for the coverage of UltraSurf I agree.....partially.
Perhaps Steve and company needed some improvement on the PR-part.
Apparently it was conceived as a discussion or quick announcement by some visitors of Blackhat, as I read it back on some security-blogs.
What also could've played a role is the unknown name of UltraSurf itself, that doesn't say much to most people...even within our IT security-community.

Maybe they didn't care as much about this revelation as Kyle and Steve do.
That in itself wouldn't be a shocker actually.
I mailed a couple of my security-related friends...and guess what...they all raised their shoulder about it.
I thought it was a bummer, because I felt this really is something to take notice of. And it could be a sign on the wall, for other things.

So I think the unknown name, that UltraSurf is out there with the public, worked against them.......unfortunately.

SteveTX
August 10th, 2009, 01:23 PM
Nah, we just didn't have enough time for Kyle to properly present it (I'm longwinded, sorry kyle!), nor could we disclose we were going to present it in order to avoid a potential gag-order. I'm thinking of putting out a paper or webpage on it, but the news stories are starting to pick up on it.

Bensec
August 17th, 2009, 05:26 AM
{QUOTE-> Joey, your patently false libel against me will not cause me to reveal more information. Prior to your existence here, there were many other threads where claims were made. While they don't often move as fast as I or you desire, as projects do have delays, mine all turn out to be true. I still stand by what I've said 100%: Ultrasurf is malware. Erase it. Do not run it. Don't even run it inside a virtual machine or sandbox. Any alternative is better than running Ultrasurf, its severity of risk cannot be overstated. ... And stay tuned for deanonymizer :D <-QUOTE}

Steve, I have just read through all pages of this thread. (-- not all actually. Just skip and skim through all the pages)
--sounds-personal-- just reveal your Wireshark logs, and tell us how ultra-surf sends massive remote dns requests, just like Conficker, scanning for available proxy servers whose names match certain patterns (so it is possible for ultra-surf to connect to some non-existent site). --sounds-personal-- just provide some solid fact or hard evidence but just keep freaking people away.
SHOW US your logs, GIVE US your explanations. Steve.

I agree polymorphic packers seem to be a good reason to classify ultraf as malware, but not good enough for an expert --sounds-personal--. He needs to show some behavior analysis as concrete proof. Concerning uf's popularity and fame, the packer thing just can't explain anything, because both freegate and ultrasurf have long been flagged as viruses by Chinese domestic AV --for-the-sake-of-my-own-safety-i-dont-talk-about-chinese-product-any-more--

-sounds-personal-

traxx75
August 18th, 2009, 03:25 AM
{QUOTE-> why don't you just reveal your Wireshark logs <-QUOTE}

There are two .pcap files in the audit archive that Steve posted a few pages back. Is this not what you are looking for? Or do you mean that Steve should maybe screenshot the relevant bits of those captures to make it easier for the less technical amongst us to see the proof?

I agree that it would be nice to see everything presented in a PDF that everyone can read and see the interesting bits but Steve _has_ actually provided proof in the audit archive.

Longboard
August 18th, 2009, 05:11 AM
Steve : well done: been waiting for the denouement. :thumb:

SteveTX
August 18th, 2009, 11:52 AM
BenSec, wireshark logs are included in the audit. :thumb:

Bensec
August 19th, 2009, 04:31 AM
{QUOTE-> BenSec, wireshark logs are included in the audit. :thumb: <-QUOTE}

Thanks for the info, and sorry for the rants (I'll edit them; some really don't look nice).

I set 15 posts/page so this thread is fairly long and I skipped some pages as I usually do, thus obviously omitted some important info. But I have to say packing files into a 45M archive is not quite wise, especially when this site is blocked by a nation-wide firewall.

I checked your evidence. Your major point is that uf connects to a list of commercial web sites. But actually this doesn't bother me. Just try adding "https" to all sites that are on the list (except the xxx.dynmic.xxx domain controller). Half of them are blocked and half of them work well. None of them say they don't support ssl.

So, as a 2-year-experienced proxy-hunter, my guess is that uf is trying them out to verify its proxy. This is better than launching a DDOS on certain ssl-enabled websites, or just setting up an SSL-enabled website for test purposes yourself that could be blocked at any time by GFW. (If GFW blocks USbank, ok, no Americans in China can access it. Could it be possible? It could be something international. So I actually did the same with paypal, ebay and other foreign bank patrol using Proxy Hunter, proxy superman, and ProxyThorn before I knew hi-speed proxies like VPN and socks-enabled freegte and ultrasf.) Ultra is just doing the same thing itself. The more people are using this software, the more SSL websites should be included on this list to free the stress on certain sites.


Uf has been out there for about 4-5 years (since I'm not its old user, I am not sure about the real situation, but at least 4-5). I got it from a friend about 1 year ago. Let me guess, maybe a million Chinese have used it before? God knows. Comparing its history to your superior-xb theories, you know it is really hard for me to believe you, unless you can provide something really concrete. Work harder, Steve, you look promising. ;)

Bensec
August 19th, 2009, 04:37 AM
{QUOTE-> Half of them are blocked <-QUOTE}

When I say blocked, I mean "Connection Interrupted" or "Connection is Reset". Anyway, GFW is obviously contributing.

MakePB
August 19th, 2009, 07:32 AM
{QUOTE->
So, as a 2-year-experienced proxy-hunter, my guess is that uf is trying them out to verify its proxy. This is better than launching a DDOS on certain ssl-enabled websites, or just setting up an SSL-enabled website for test purposes yourself that could be blocked at any time by GFW. (If GFW blocks USbank, ok, no Americans in China can access it. Could it be possible? It could be something international. So I actually did the same with paypal, ebay and other foreign bank patrol using Proxy Hunter, proxy superman, and ProxyThorn before I knew hi-speed proxies like VPN and socks-enabled freegte and ultrasf.) Ultra is just doing the same thing itself. The more people are using this software, the more SSL websites should be included on this list to free the stress on certain sites.
<-QUOTE}

Good point. I have completely overlooked testing of servers against SSL sites and non-SSL sites for support of servers. (However, I've pointed this out in a similar way before: http://www.wilderssecurity.com/showpost.php?p=1512997&postcount=102 )
The main reason that I do not like automated tools like UltraSurf is that they do everything automatically, leaving you without any choice like rotating servers, testing servers and connecting against SSL and non-SSL sites etc...
There are always better tools in my opinion like ProxyHunter(testers and surfing tool), AAtools (testers), Charon (testers), Proxyrama(testers and surfing tool), multiproxy(testers and surfing tool), a4proxy(testers and surfing tool).

But I must say again that you have a very good point in explaining the bombastic title "Ultrasurf Is Malware" and the evidence.

SteveTX
August 19th, 2009, 06:08 PM
That isn't a plausible explanation. You don't create a highly sophisticated triangle-boy technology for fast http, then turn off https certificate checking for every domain except your own, and use encrypted compression on a tiny binary to obscure what the program is doing on the users' machine (which later turn out to be viruses). There are tons of standard sites you can use for reachability testing. Financial, military, and government login pages are not them, but I'll tell you why: if the user had such a login, it could trick the browser into providing the credentials, at which point UltraSurf can potentially capture the credentials or session cookie because https has been designed to be invisibly compromised. There is absolutely no legitimate reason for that, and it was purposely designed that way, it is not an accident.

I know a lot of people are in denial, and don't want to believe they've been tricked/compromised by what they thought was a good technology, but the facts are undeniable, and the proof is rock solid.

Bensec
August 19th, 2009, 11:11 PM
Steve, if the behavior of connecting to ssl-enabled sites is just all you have got as "evidence", I have to say you are not persuasive at all. You don't even need wireshark, anyone who can use TCPView already knows that. That's no secret.

I myself did a similar test a year ago, weeks after I knew uf. I used EQ, Process Explorer and WireShark just like you do. I don't think there is malware behavior (you are talking about a Trojan, not a vulnerability, just keep this in mind, so you need something concrete and solid). The only thing I can't figure out is how it can find its proxy servers. Further analysis suggests that there are connections between the proxy servers and these groups of dynamic domain controllers. I was still not quite sure until I read news about Conficker. Surely there is a master algorithm. At first I thought it was used to generate a sequence of proxy addresses, but later it turned out to be groups of available domain controllers.
And this may explain why they use polymorphic packers. Because if the master algorithm is reverse engineered, GFW will get a full set of patterns that can be used to block all uf proxies as easily as anything.

{QUOTE-> use encrypted compression on a tiny binary to obscure what the program is doing on the users' machine <-QUOTE}
I think you mean the packer thing, I have already explained my idea on that.

{QUOTE-> then turn off https certificate checking for every domain except your own <-QUOTE}
This is not true. If you mean the proxy checking process, I have to tell you a lot of https proxy verifying tools don't bother with that. If you mean surfing with uf, you can see the ssl-cert in your browser, just like all proxies do. Please be as clear as possible.

{QUOTE-> There are tons of standard sites you can use for reachability testing. Financial, military, and government login pages are not them, but I'll tell you why <-QUOTE}
Then you tell me what other sites the government would bother to close. What about your xb front-page? You can't simply update the list of sites after they got blocked. You are responsible for the blockage.


Steve, don't be blinded by your xb-supremacy and arrogance. If you have direct and solid facts, I would even spread your words on the mainland forums I usually visit. But ...they are just not good enough. Anyway work harder Steve. You look promising. ;)

Bensec
August 19th, 2009, 11:22 PM
{QUOTE-> I know a lot of people are in denial, and don't want to believe they've been tricked/compromised by what they thought was a good technology, but the facts are undeniable, and the proof is rock solid. <-QUOTE}

hey Steve. I forget to mention that, good professors never say "Oh, my facts are undeniable, my proofs are solid rocks". That sounds like dumb bluffing stereotype (or bluff stereotype? please allow my bad English.)

Fly
August 20th, 2009, 12:11 AM
I thought this was supposed to be published in the mainstream media.
I'm not an American, but I haven't read any stories about 'Ultrasurf is Malware'.

Longboard
August 20th, 2009, 12:32 AM
Well, well; Softpedia was hosting U-S as recently as 3/7 ago: now gone.

MakePB
August 20th, 2009, 03:51 AM
{QUOTE-> Well, well; Softpedia was hosting U-S as recently as 3/7 ago: now gone. <-QUOTE}

Because someone claimed 2 days ago that it is malware and should be removed:

http://board.softpedia.com/index.php?showtopic=10771

However, as Bensec pointed out, it is not strong evidence. Speculation rather than strong evidence.

elreteipos
October 5th, 2009, 03:11 PM
I fell for the Ultrasurf scan. I deleted the executable (avast! Home didn't notice anything suspicious about it) and scanned my PC with Malwarebytes Anti-Malware, but nothing bad was found. I can't install VBA32 Antivirus because avast! is already installed on my PC.

How do I get rid of the traces of Ultrasurf? And how do I fix that dangerous SSL vulnerability?

mango
October 20th, 2009, 04:49 PM
Just stumbled upon this ultrasurf thread.
Would have thought it had garnered more attention after what's been written in the thread.

Deleting the .exe should be enough?

MakePB
October 24th, 2009, 03:09 PM
{QUOTE-> Just stumbled upon this ultrasurf thread.
Would have thought it had garnered more attention after what's been written in the thread.

Deleting the .exe should be enough? <-QUOTE}

I would suggest to better read this thread before doing anything:

http://www.wilderssecurity.com/showthread.php?t=252102

SteveTX
October 24th, 2009, 06:18 PM
{QUOTE-> I would suggest to better read this thread before doing anything:

http://www.wilderssecurity.com/showthread.php?t=252102 <-QUOTE}

MakePB, I suggest you go speak with the Tor developers. They have more horror stories about Ultrasurf than I do. ~Snip - Blue~

And yes, deleting the EXE should be enough, but hard to say, since their encrypted viral payload and behaviors keep changing.

I no more than U
October 24th, 2009, 09:06 PM
I'm willing to concede that there may be non-malicious behaviors exhibited by this program that may be interpreted as malicious. And I'm willing to postpone my final judgment about this program until we hear a rebuttal.

But where is the rebuttal? There was some half-assed interview, but that's not even close to enough. Steve's tearing them a new one, and we get nothing from them.

I sent them a message through their site in case they're on another planet and haven't noticed this thread. But I won't hold my breath. If they don't respond, why would anyone consider using Ultrasurf in the future? They just let someone use them for target practice and do nothing about it.

Steve, do you have links to comments by the Tor developers about Ultrasurf? Or were they private discussions?

BlueZannetti
October 24th, 2009, 09:09 PM
A couple of politically oriented comments removed. Before going down that road again, please take a moment to review the site Terms of Service (http://www.wilderssecurity.com/tos.php) and please adhere to them.

Regards,

Blue

SteveTX
October 24th, 2009, 09:33 PM
{QUOTE-> Steve, do you have links to comments by the Tor developers about Ultrasurf? Or were they private discussions? <-QUOTE}

My understanding is that these comments were made by a Roger Dingledine (Tor) to Kyle Williams (XeroBank) in regards to an Ultrasurf "employee".

Mr Wolf
November 5th, 2009, 07:41 PM
Hi!

I found this discussion searching information about Ultrasurf
I discovered it recently and even to me it seems too good to be true!

I'll have a look at the material SteveTX posted

So, what about the other services present here: http://www.internetfreedom.org/
Can we trust them?

Or better, can we trust this Global Internet Freedom Consortium? Who are these guys?

elreteipos
November 6th, 2009, 02:08 PM
I'd stick with the advice every grandmother would give you: if it looks too good to be true, it's a scam.