Ultrasurf Is Malware

Discussion in 'privacy technology' started by SteveTX, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    As many of you are aware, there was a thread about dissecting Ultrasurf. We found significant malware behavior, and worst of all we found that Ultrasurf promotes man-in-the-middle attacks by allowing any SSL cert, even mismatched and self-signed certs, and preventing the user from seeing a popup about it.

    Ultrasurf is designed to be a free HTTP proxy tool, and it is somewhat, but this is a cover for it to be a virus / malware that is nearly stealth and undetectable to normal virus scanners because of its heuristic avoidance and encrypted payloads.

    At this time we recommend everyone to delete Ultrasurf and download a free copy of VBA32 antivirus which will correctly identify it, as all other antivirus software does not.
     
    Last edited: Mar 26, 2009
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    What would be the purpose of creating a product like this? Identity theft or something like that?
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi Steve, then why post about it yet - I'm not saying you're right or wrong, I'm just interested to know more.
    Okay, that's bad.
    I'd expect encryption but why do you state Ultra surf malware?

    Okay looking at Ultra surf briefly I would class it as riskware/generic.
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I would like to say much more, but what I think is responsible at this time is to say what I've said and urge everyone to get rid of the software. As soon as I can say more, I will, but it may be months or years.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Steve, I noticed you deleted all your posts. You're not usually so careful choosing words concerning things that are garbage, which Ultrasurf obviously is. Were you contacted by the Ultrasurf people?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No, and if I was that wouldn't stop me anyway.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Why the reluctance to talk about it? You said it might be months or even years before you could. That doesn't sound like you. And I mean that in a good way. It's just like something has you spooked about speaking out. What is it?

    The other big freebie is another I can't stand. Anchorfree is adware deluxe. It may not technically be "malware" but I hate it.

    I introduced someone to Xerobank last week and they said they were going to sign-up. I showed them the speed and they were surprised a VPN could be so fast. The portability also impressed him. Keep up the good work!
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe Ultrasurf is a project of business agencies Steve's related to. A cousin so to speak.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Absolutely not.
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    If it has anything to do with this (from their terms of service) - it's BS. Anybody can review a product, film, record, book, anything and it not be an infringement of copyright.

    "UltraSurfTM and UltraReach.comTM are proprietary marks of UltraReach.com. UltraReach's trademarks may not be used in connection with any product or service that is not provided by UltraReach, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits UltraReach."

    My guess is it's a government and/or hacker site that is legitimately doing what they say and Steve has learned that and can't write about it. If that's the case, I honor that. China is a horrible abuser of human rights and any way around the Great Firewall of China, I am all for. If it's not that, I am baffled as to the secrecy if it is indeed "malware". Who knows?
     
  11. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,979
    Location:
    Eastern PA, USA
    Well, maybe Steve conferred with Wilders admin/mods and this is where they ended up as the responsible place to be. His position makes sense to me, either way.
     
  12. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Nobody is suggesting that Steve's done anything wrong. But what malware could possibly NOT be discussed at Wilders and the admins would agree it shouldn't be discussed? I mean, aren't they the bad guys? I don't see how, if it's malware, that there's any way that not talking about it could be "responsible". The other way around, yes. But not talking about malware is a position everyone has agreed is "responsible"? I don't think so. If Wilders were ever caught covering up or being in cahoots with malware makers (even bowing to threats), it would be their undoing as a legitimate and credible security site. That's not it.
     
  13. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Leo's tool for tracking deviants? How is he by the way?
     
  14. thathagat

    thathagat Guest

    well..........a bit was discussed here too..............https://www.wilderssecurity.com/showthread.php?t=230690&highlight=ultrasurf

     
    Last edited by a moderator: Mar 26, 2009
  15. CompMag

    CompMag Registered Member

    Joined:
    Mar 25, 2009
    Posts:
    2
    Only barely just caught this one. Is there a More Info link somewhere?

    I've looked on your blog and forum Steve, but, I couldn't find anything at either about this. Where's the rest of the information, other than this forum?
     
  16. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Forget the guessing games. Just trust me on this, I'll explain it all later. The best thing to do now is uninstall any UltraReach software.
     
  17. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    I don't want to beat a dead horse here, but Steve, why would you even fuel people's suspicions by throwing in an offhand "I cannot comment further at this time" and then going cold on the subject? Why not just give the basic alert and recommendations in a benign way?

    Let's face it, there is a significant "tin hat" crowd that lurks here, and this thread is bound to become a conspiracy theory thread just based on the opening comments.

    I'm not trying to be critical, nor pry an explanation further out, just curious as to why even fuel the fire to start with, knowing the crowd here?
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Because there are real and severe negative consequences from running the software in question, it is not a trivial and passive "vulnerability".
     
  19. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Steve, I do not like when someone throws accusations without proof, especially when the product in question is the competition. You should refrain from attacking a product until you can present the proof too. Please don't get me wrong, it's ok that you try to warn people, but at some point if no proof is presented, you will lose credibility.
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    There is no shortage of proof. Lots and lots of it, video, Wireshark logs, and more, and we'll release it when it is appropriate. They are not competition, they are a freeware non-commercial HTTP proxy program that is actually malware. Even Tor is better than using Ultrasurf. I'm not concerned about credibility here, there is more at stake than that. Just stop using the software if you are using it, any alternative is better. Just sit tight, and have a little faith, I've never steered you wrong yet, and when the truth comes out your jaw will drop.
     
    Last edited: Mar 26, 2009
  21. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Just for giggles, in the last few minutes, I decided to go digging...here is what I found:

    The ultrasurf exe is said (by multiple vendors) to contain Backdoor.Win32.Agent.uwi

    Info on Backdoor.Win32.Agent.uwi

    The above is enough for me... I have played with Morphine, and I know what it is capable of. Morphine has the ability to hide any process, any reg key, any file/folder and can be attached to legit files. Basically once Morphine is on your system, in conjunction with other progs that it hides, it can do anything it wants. Add in a few apps that hide their port connections from apps like tcpview, and you now have a good, hidden backdoor to a machine. Distributed on the level of Ultrasurf, that's a hell of a lot of machines at someone's disposal, to do as they please, be it steal info from the local machine, use the local machine for its own purposes, or create a hell of a botnet (all of which Morphine helps facilitate nicely with the right tools and application).

    But, if you want more info read along...

    A google search on the above address returns the following company:
    Rockfeller Group Business
    560 S Winchester Blvd Ste 500
    San Jose, CA 95128


    Same address, different phone number, but notice the suite numbers are the same...so a bit more digging returns this:

    So... this "organization" exists only in name, on the internet... Which alone really isn't a big deal, but you would think a company/organization committed to anti-censorship would have a tangible address, and would have nothing to hide, at least not inside the US. This isn't China, where the govt will show up and shut you down for providing this service.

    So is it some govt conspiracy to capture all our traffic? Well, I'm doubting that, based on their website:

    I would think a govt front would A) use an address that isn't a known "front" address (my cousin works for the DEA and they don't exactly use virtual office space for stings) and B) I would think the spelling and grammar would be correct. I don't exactly know what a "technique channel" is but if I find out, I'll let you know. I'm assuming they meant technical, but maybe my English isn't as good as I think.

    Notice that last line I bolded. That seems like a CYA for court cases if I ever read one. Notice they only say they won't touch YOUR documents. They don't dispel the idea of anything else, such as using your PC via a backdoor, or monitoring what you are doing.

    So what's the bottom line?
    That I don't know. This I do know:
    This company is not legit, at least they aren't who they say they are at the VERY least.
    The file(s) directly from Ultrasurf's download have been classified as a legitimate virus, and existing virus tools have been found inside the files, including Morphine, which I already spoke to having first hand experience with.
    Add those 2 components together, and something is very fishy. The fact that a company would dismiss major AV vendors by saying "they're just mad we can get past monitoring tools" is beyond weak. I use AngryIP Scanner, which Symantec and McAfee classify as a risk, and their response is legit, and asks for help in the way of directly contacting the vendors to reclassify the app. I would expect similar if this app was legit. Furthermore, if you look at say the Symantec risk pages related to AngryIP, you will find they DO NOT show it to contain a virus, they classify it as a hacker tool, that potentially could be misused. I would expect similar classification wording regarding UltraSurf, saying it COULD be used as an open proxy, and therefore it is classified as a risk, however that is not the case, they are showing TRUE virus/trojan files within UltraSurf.

    Back to what is it really? Again I don't know, but my guess, and only my GUESS, is this is a pretty elaborate scheme put together by a handful of hackers over the last few years. (I wouldn't be at all surprised to find out Holy Father is a part of this since he went underground and stopped development of HackerDefender in the same time frame, but again that is ONLY SPECULATION at best.)

    That is only my guess, but let me lend some thought as to why, or why not.

    First, if this was a govt operation, I think it would be cleaner. I don't think it would have ever come up as a risk, I don't think they would use a virtual address, and I don't think the site would be as sloppy as it is. That's only why I think it's not, but there are plenty of reasons it still could be.

    Second, I don't think this is the RIAA, or similar, for most of the same reasons. I could see the RIAA using a virtual address as a front, but I don't see the sloppiness in the site coming from them. That said, the disclaimer that they won't touch YOUR files makes me suspicious that it could be the RIAA or similar, only because they could say in prosecutions of copyright violation, "hey we never said it would report what you were doing, only that it wouldn't touch your files, and it didn't." But I just don't see this as an RIAA thing, but I could be very wrong. I see them further taking the route of working with p2p developers and ISPs to go after people. If you have kept up on that, the RIAA has made some tight pacts with ISPs as of late over monitoring p2p.

    Those are the only real 3 suspects I see here, and to ME all roads point to a group of hackers, especially considering they encourage the use of banking sites on their service since it's "so secure." Also add to that, even though this is purely conjecture, that if you google Ultrasurf you will see HUNDREDS of blogs and forum posts of people who have suddenly found the answer to anonymous surfing. IMO those are all spam posts by the developer, because they all read almost dead on. Some of the blogs are written word for word the same, written in the first person, and by "different" people.

    So, I have poured my fuel on the fire... If Steve's recommendation wasn't enough, maybe the suspect facts above will be. Or maybe it will just cause more guessing and speculation. But now you know, and knowing is half the battle...

    TIN HATS UNITE!
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    CaixFang, thank you for providing us with the above information.

    I have a question about 'morphine'.

    The ability to hide anything? Attached to legit files? (presumably also by drive-by downloads).

    That seems serious. How well are the AV companies able to handle this? And other antimalware software? The way you describe it suggests they can do little to nothing.
     
  23. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Morphine is nothing more than a polymorphic packer. It can be used to hide malicious code, so that AV can't recognize the signature. Also, Morphine is open source, so if anyone is interested he/she can see exactly what it does.

    A quote from Morphine docs:
    "Morphine is very unique application for PE files encryption. Unlike other PE encryptors and compressors Morphine includes own PE loader which enables it to put whole source image to the .text section of new PE file. This one is very powerful because you can compress source file with your favourite compressor like UPX and then encrypt its output with Morphine. Another powerful thing here is polymorphic engine which always creates absolutely different decryptor for the new PE file. This mean if your favourite trojan horse is detected by an antivirus you can encrypt it with Morphine. You will not get the virus alert again."
     
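A defender-side illustration of the packer behaviour described in the post above, added here and not part of the original thread or of Morphine: since an encryptor with a polymorphic decryptor changes the bytes a signature would match, a common heuristic is to score each PE section by byte entropy instead. The 7.0 threshold, the function names and both sample buffers are assumptions constructed for this example.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section listed in a PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", image, pe_off + 6)    # NumberOfSections
    (opt,) = struct.unpack_from("<H", image, pe_off + 20)     # SizeOfOptionalHeader
    table = pe_off + 24 + opt
    for i in range(count):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        # SizeOfRawData and PointerToRawData sit 16 bytes into each 40-byte entry
        size, ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[ptr:ptr + size]

def flag_packed(image: bytes, threshold: float = 7.0):
    """Return [(section, entropy)] for sections whose entropy exceeds the threshold."""
    scored = ((name, shannon_entropy(raw)) for name, raw in pe_sections(image))
    return [(name, round(h, 2)) for name, h in scored if h > threshold]

def build_sample(body: bytes) -> bytes:
    """Constructed PE-shaped buffer: one .text section, only the fields parsed above."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    ptr = len(dos) + len(coff) + 40
    sect = (b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), ptr)
            + b"\0" * 12 + struct.pack("<I", 0x60000020))
    return dos + coff + sect + body

# Constructed inputs: a repeating instruction-like pattern, and a SHA-256 counter
# stream standing in for an encrypted payload (no real packer output is used).
PLAIN = bytes.fromhex("558bec83ec1033c0c9c3") * 400
ENCRYPTED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    print("plain :", flag_packed(build_sample(PLAIN)))
    print("packed:", flag_packed(build_sample(ENCRYPTED)))
```

High entropy indicates packing or encryption, not malice: legitimately compressed executables score the same, so a hit is a reason to unpack and inspect the file rather than a verdict.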
  24. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    What Nebulus said. (hey we agreed twice in one day!)

    Morphine is not the risk, per se, it is what Morphine is capable of covering, and executing, along with other apps. If you do some searching (sorry, no pointing it out to the scriptkids) you can find lots of interesting info on Morphine. In fact, I believe there is a recent article about Morphine and its use in malware.

    There are plenty of components such as Morphine out there that, when bundled with an application, good or bad, can become VERY difficult to keep tabs on.

    Morphine, not bad - the uses and applications of Morphine, usually bad.

    Morphine is to malware/viruses kind of like a ski mask is to a robbery. On its own, it's benign, but when you have gloves to cover fingerprints, a ski mask to hide your face, camo clothes to blend in, sunglasses to cover your eyes, and a gun in your hand, it becomes dangerous. Morphine, and a ski mask, just help you cover up.

    Also, don't freak out because this is the first time you've heard of it, and it can alter things to be undetectable to an AV. It's been around, and there are lots and lots of other tools similar, that all can be used for similar purposes. My inclusion of mention of Morphine was NOT to cast a bad name to it, only to call out the abilities, and the level to which these people are going.

    And in fairness, Nebulus gave a much better and precise rundown of Morphine, I was actually thinking of Morphine in conjunction with another app, that made a trojan nearly undetectable.
     
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Well, I hope you "catch'em ridin dirty" in months and not years.

    The suspense is too much. [loud]sigh[/loud]

    Thanks for at least warning people who may have tried it.

    Have various jaw drop protection in place.
     