Wilders Security Forums  

  #151  
Old August 19th, 2009, 04:37 AM
Bensec Bensec is offline
Regular Poster
 
Join Date: Aug 2008
Location: China Changsha
Posts: 176
Default Re: Ultrasurf Is Malware

Quote:
Half of them are blocked

When I say blocked, I mean "Connection Interrupted" or "Connection is Reset". Anyway, GFW is obviously contributing.
__________________
Cheers.
Ben
  #152  
Old August 19th, 2009, 07:32 AM
MakePB MakePB is offline
Regular Poster
 
Join Date: Jan 2007
Location: Find-IP-Address.org
Posts: 73
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by Bensec
So, as a 2-year-experienced proxy-hunter, my guess is that uf is trying them out to verify its proxy. This is better than launching a DDOS on a certain ssl-enabled website, or just setting up an SSL-enabled website for test purposes yourself that could be blocked at any time by GFW. (If GFW blocks USbank, OK, no Americans in China can access it. Could it be possible? It could be something international. So I actually do the same with paypal, ebay and other foreign bank patrol using Proxy Hunter, proxy superman, and ProxyThorn before I knew hi-speed proxies like VPN and socks-enabled freegate and ultrasf.) Ultra is just doing the same thing itself. The more people are using this software, the more SSL websites should be included on this list to free the stress on certain sites.

Good point. I have completely overlooked testing of servers against SSL sites and non-SSL sites for support of servers. (However, I've pointed in a similar way before: http://www.wilderssecurity.com/showp...&postcount=102 )
The main reason that I do not like automated tools like UltraSurf is that they do everything automatically, leaving you without any choice like rotating servers, testing servers and connecting against SSL and non-SSL sites etc...
There are always better tools in my opinion, like ProxyHunter (testers and surfing tool), AAtools (testers), Charon (testers), Proxyrama (testers and surfing tool), multiproxy (testers and surfing tool), a4proxy (testers and surfing tool).

But I must say again that you have a very good point with explaining the bombastic title "Ultrasurf Is Malware" and evidence.
__________________
IP Address lookup to locate IP Addresses on IPAddressLocation.org
Anonymous Proxy for free on ProxyBlind.org
Find IP address location with Find-IP-Address.org
Web Proxy for anonymous surfing on Proxyserverprivacy.com

Last edited by MakePB : August 19th, 2009 at 05:40 PM.
  #153  
Old August 19th, 2009, 06:08 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,419
Default Re: Ultrasurf Is Malware

That isn't a plausible explanation. You don't create a highly sophisticated triangle-boy technology for fast http, then turn off https certificate checking for every domain except your own, and use encrypted compression on a tiny binary to obscure what the program is doing on the users' machine (which later turn out to be viruses). There are tons of standard sites you can use for reachability testing. Financial, military, and government login pages are not them, but I'll tell you why: if the user had such a login, it could trick the browser into providing the credentials, at which point UltraSurf can potentially capture the credentials or session cookie because https has been designed to be invisibly compromised. There is absolutely no legitimate reason for that, and it was purposely designed that way, it is not an accident.

I know a lot of people are in denial, and don't want to believe they've been tricked/compromised by what they thought was a good technology, but the facts are undeniable, and the proof is rock solid.
  #154  
Old August 19th, 2009, 11:11 PM
Bensec Bensec is offline
Regular Poster
 
Join Date: Aug 2008
Location: China Changsha
Posts: 176
Default Re: Ultrasurf Is Malware

Steve, if the behavior of connecting to ssl-enabled sites is just all you have got as "evidence", I have to say you are not persuasive at all. You don't even need wireshark, anyone who can use TCPView already knows that. That's no secret.

I myself have done a similar test a year ago, weeks after I knew uf. I used EQ, Process Explorer and WireShark just like you do. I don't think there is malware behavior (you are talking about a Trojan, not a vulnerability, just keep this in mind, so you need something concrete and solid). The only thing I can't figure out is how it can find its proxy servers. Further analysis suggests that there are connections between the proxy servers and these groups of dynamic domain controllers. I was still not quite sure until I read news about Conficker. Surely there is a master algorithm. At first I thought it was used to generate a sequence of proxy addresses, but later it turned out to be groups of available domain controllers.
And this may explain why they use polymeric packers. Because if the master algorithm is reverse engineered, GFW will get a full set of patterns that can be used to block all uf proxies as easily as anything.

Quote:
use encrypted compression on a tiny binary to obscure what the program is doing on the users' machine
I think you mean the packer thing, I have already explained my idea on that.

Quote:
then turn off https certificate checking for every domain except your own
This is not true, if you mean the proxy checking process. I have to tell you a lot of https proxy verifying tools don't bother with that. If you mean surfing with uf, you can see the ssl-cert in your browser, just like all proxies do. Please be as clear as possible.

Quote:
There are tons of standard sites you can use for reachability testing. Financial, military, and government login pages are not them, but I'll tell you why
Then you tell me what other sites the government would bother to close. What about your xb front-page? You can't simply update the list of sites after they got blocked. You are responsible for the blockage.


Steve, don't be blinded by your xb-supremacy and arrogance. If you have direct and solid facts, I would even spread your words on the mainland forums I usually visit. But ...they are just not good enough. Anyway, work harder Steve. You look promising.
__________________
Cheers.
Ben
  #155  
Old August 19th, 2009, 11:22 PM
Bensec Bensec is offline
Regular Poster
 
Join Date: Aug 2008
Location: China Changsha
Posts: 176
Default Re: Ultrasurf Is Malware

Quote:
I know a lot of people are in denial, and don't want to believe they've been tricked/compromised by what they thought was a good technology, but the facts are undeniable, and the proof is rock solid.

Hey Steve. I forgot to mention that good professors never say "Oh, my facts are undeniable, my proofs are solid rocks". That sounds like dumb bluffing stereotype (or bluff stereotype? please allow my bad English.)
__________________
Cheers.
Ben

Last edited by Bensec : August 20th, 2009 at 06:42 AM. Reason: just consulted my pocket dictionary
  #156  
Old August 20th, 2009, 12:11 AM
Fly Fly is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 1,457
Default Re: Ultrasurf Is Malware

I thought this was supposed to be published in the mainstream media.
I'm not an American, but I haven't read any stories about 'Ultrasurf is Malware'.
  #157  
Old August 20th, 2009, 12:32 AM
Longboard Longboard is offline
Very Frequent Poster
 
Join Date: Oct 2004
Location: Sydney, Australia
Posts: 2,686
Default Re: Ultrasurf Is Malware

Well, well; Softpedia was hosting U-S as recently as 3/7 ago: now gone.
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
  #158  
Old August 20th, 2009, 03:51 AM
MakePB MakePB is offline
Regular Poster
 
Join Date: Jan 2007
Location: Find-IP-Address.org
Posts: 73
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by Longboard
Well, well; Softpedia was hosting U-S as recently as 3/7 ago: now gone.

Because someone claimed that it is malware 2 days ago and should be removed:

http://board.softpedia.com/index.php?showtopic=10771

However, as Bensec pointed out, it is not strong evidence. Speculation rather than strong evidence.
__________________
IP Address lookup to locate IP Addresses on IPAddressLocation.org
Anonymous Proxy for free on ProxyBlind.org
Find IP address location with Find-IP-Address.org
Web Proxy for anonymous surfing on Proxyserverprivacy.com

Last edited by MakePB : August 20th, 2009 at 03:57 AM.
  #159  
Old October 5th, 2009, 03:11 PM
elreteipos elreteipos is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 4
Default Re: Ultrasurf Is Malware

I fell for the Ultrasurf scam. I deleted the executable (avast! Home didn't notice anything suspicious about it) and scanned my PC with Malwarebytes Anti-Malware, but nothing bad was found. I can't install VBA32 Antivirus because avast! is already installed on my PC.

How do I get rid of the traces of Ultrasurf? And how do I fix that dangerous SSL vulnerability?
  #160  
Old October 20th, 2009, 04:49 PM
mango mango is offline
Regular Poster
 
Join Date: Sep 2004
Posts: 73
Default Re: Ultrasurf Is Malware

Just stumbled upon this ultrasurf thread.
Would have thought it had garnered more attention after what has been written in the thread.

Deleting the .exe should be enough?
  #161  
Old October 24th, 2009, 03:09 PM
MakePB MakePB is offline
Regular Poster
 
Join Date: Jan 2007
Location: Find-IP-Address.org
Posts: 73
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by mango
Just stumbled upon this ultrasurf thread.
Would have thought it had garnered more attention after what has been written in the thread.

Deleting the .exe should be enough?

I would suggest to better read this thread before doing anything:

http://www.wilderssecurity.com/showthread.php?t=252102
__________________
IP Address lookup to locate IP Addresses on IPAddressLocation.org
Anonymous Proxy for free on ProxyBlind.org
Find IP address location with Find-IP-Address.org
Web Proxy for anonymous surfing on Proxyserverprivacy.com
  #162  
Old October 24th, 2009, 06:18 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,419
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by MakePB
I would suggest to better read this thread before doing anything:

http://www.wilderssecurity.com/showthread.php?t=252102

MakePB, I suggest you go speak with the Tor developers. They have more horror stories about Ultrasurf than I do. ~Snip - Blue~

And yes, deleting the EXE should be enough, but hard to say, since their encrypted viral payload and behaviors keep changing.

Last edited by BlueZannetti : October 24th, 2009 at 09:08 PM. Reason: Snip politically oriented comment - Blue
  #163  
Old October 24th, 2009, 09:06 PM
I no more than U I no more than U is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 219
Default Re: Ultrasurf Is Malware

I'm willing to concede that there may be non-malicious behaviors exhibited by this program that may be interpreted as malicious. And I'm willing to postpone my final judgment about this program until we hear a rebuttal.

But where is the rebuttal? There was some half-assed interview, but that's not even close to enough. Steve's tearing them a new one, and we get nothing from them.

I sent them a message through their site in case they're on another planet and haven't noticed this thread. But I won't hold my breath. If they don't respond, why would anyone consider using Ultrasurf in the future? They just let someone use them for target practice and do nothing about it.

Steve, do you have links to comments by the Tor developers about Ultrasurf? Or were they private discussions?
__________________
77 years young.
  #164  
Old October 24th, 2009, 09:09 PM
BlueZannetti BlueZannetti is offline
Administrator
 
Join Date: Oct 2003
Posts: 6,343
Default Re: Ultrasurf Is Malware

A couple of politically oriented comments removed. Before going down that road again, please take a moment to review the site Terms of Service and please adhere to them.

Regards,

Blue
  #165  
Old October 24th, 2009, 09:33 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,419
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by I no more than U
Steve, do you have links to comments by the Tor developers about Ultrasurf? Or were they private discussions?

My understanding is that these comments were made by a Roger Dingledine (Tor) to Kyle Williams (XeroBank) in regards to an Ultrasurf "employee".
  #166  
Old November 5th, 2009, 07:41 PM
Mr Wolf Mr Wolf is offline
Infrequent Poster
 
Join Date: Jul 2009
Posts: 3
Default Re: Ultrasurf Is Malware

Hi!

I found this discussion searching information about Ultrasurf
I discovered it recently and even to me it seems too good to be true!

I'll have a look to the material SteveTX posted

So, what about the other services present here: http://www.internetfreedom.org/
Can we trust them?

Or better, can we trust this Global Internet Freedom Consortium? Who are these guys?
__________________
I'm Winston Wolf, I solve problems
  #167  
Old November 6th, 2009, 02:08 PM
elreteipos elreteipos is offline
Infrequent Poster
 
Join Date: Mar 2005
Posts: 4
Default Re: Ultrasurf Is Malware

I'd stick with the advice every grandmother would give you: if it looks too good to be true, it's a scam.
  #168  
Old December 8th, 2009, 05:44 AM
lionboy44 lionboy44 is offline
Infrequent Poster
 
Join Date: Dec 2009
Posts: 1
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by SteveTX

And yes, deleting the EXE should be enough, but hard to say, since their encrypted viral payload and behaviors keep changing.



Dear Steve,

Please! Please! Please! I need help. I have fallen prey to the UltraSurf scam. It has taken over my PC to the extent that I now have only 4% disc space available on my hard drive. I have tried to search for the u98.exe file to no avail. I must admit I am not very computer savvy. I have used many AVs including VBa32 and all of them have failed to find it on my PC. I use Internet Explorer and my operating system is Vista. Can you tell me how to get rid of this UltraSurf? None of your other recommendations is working.

Many Thanks
  #169  
Old December 8th, 2009, 01:50 PM
I no more than U I no more than U is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 219
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by lionboy44
Dear Steve,

Please! Please! Please! I need help. I have fallen prey to the UltraSurf scam. It has taken over my PC to the extent that I now have only 4% disc space available on my hard drive. I have tried to search for the u98.exe file to no avail. I must admit I am not very computer savvy. I have used many AVs including VBa32 and all of them have failed to find it on my PC. I use Internet Explorer and my operating system is Vista. Can you tell me how to get rid of this UltraSurf? None of your other recommendations is working.

Many Thanks

How do you know that Ultrasurf is responsible for the problems you're experiencing? My guess is that something other than Ultrasurf is the problem. What do you mean by "taken over your PC"?

Regarding the 4% disk space, I don't believe Ultrasurf uses your hard drive to store data, although I might be wrong. How much disk space did you have before Ultrasurf? FYI, having low disk space isn't a usual symptom of malware.
  #170  
Old December 15th, 2009, 05:19 AM
weilian weilian is offline
Infrequent Poster
 
Join Date: Dec 2009
Location: Beijing
Posts: 1
Default Re: Ultrasurf Is Malware

So what is the alternative? Is there a free alternative solution to replace what 'us' offered without the alleged malware?
  #171  
Old December 15th, 2009, 05:40 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,419
Default Re: Ultrasurf Is Malware

Yes. We are hard at work on it.
  #172  
Old December 15th, 2009, 09:56 PM
SKA SKA is offline
Regular Poster
 
Join Date: Aug 2002
Posts: 119
Default Re: Ultrasurf Is Malware

Is there a reliable detect/removal tool for US and its traces/remnants on WinXP, Vista, Windows 7 ?

Anyone has any cleaning/removal instructions ?

SKA
  #173  
Old January 16th, 2010, 12:28 AM
hierophant hierophant is offline
Regular Poster
 
Join Date: Dec 2009
Posts: 104
Default Re: Ultrasurf Is Malware

I wonder whether there's any connection to current events?
  #174  
Old January 16th, 2010, 07:07 AM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 343
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by hierophant
I wonder whether there's any connection to current events?
What do you mean by "current events" ?
  #175  
Old January 16th, 2010, 02:17 PM
hierophant hierophant is offline
Regular Poster
 
Join Date: Dec 2009
Posts: 104
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by Nebulus
What do you mean by "current events" ? :)
Well, there have been threads on Wilders since early 2009 -- e.g., "ultrasurf proxy" (started 20090218) and "Dissecting Ultrasurf" (deleted 20090321).

Information Warfare Monitor published "Tracking GhostNet: Investigating a Cyber Espionage Network" on 20090329 re "alleged Chinese cyber spying against Tibetan institutions" (and various governments' foreign-affairs ministries and embassies) <www.f-secure.com/weblog/archives/ghostnet.pdf>.

Shishir Nagaraja and Ross Anderson (Cambridge) contemporaneously published a dissenting report that blamed the Chinese government more directly -- "The snooping dragon: social-malware surveillance of the Tibetan movement" <www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf>.

On 20091009, Northrop Grumman published "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" <http://online.wsj.com/public/resourc...py20091022.pdf>.

On 20100114, Ryan Paul posted "Researchers identify command servers behind Google attack" on Ars Technica -- stating that "VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies." I don't see it yet on VeriSign iDefense <labs.idefense.com>.

That's what I mean.
 
