Wilders Security Forums  

  #176  
Old January 16th, 2010, 06:48 PM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 806
Default Re: Ultrasurf Is Malware

I have some doubts that the attack is related to ultrasurf. Apparently it has something to do with an IE vulnerability: http://www.ghacks.net/2010/01/16/mic...ty/#more-22370
And on a different note, I don't really understand this fear of being cyber-attacked by China. It looks more like a "scare story" than real fact... But we are getting offtopic, so I will stop.
  #177  
Old January 16th, 2010, 10:52 PM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Ultrasurf Is Malware

Yes, I gather that attackers apparently compromised Google and other recent targets through a zero-day IE exploit. However, I gather that they provided poisoned URLs to key users in personalized phishing emails. That was apparently also the case in previous attacks last year. I'm guessing that they identified key users from targets' websites.

That reminds me of Ultrasurf behavior that Steve described (connecting in the background to various corporate and government sites). I'm not saying that they're connected. Correlations can be dangerous. And even if they are connected, I'm not saying whether Ultrasurf was in on the attack, or was just another victim. FWIW, some previous victims apparently kept quiet.

Anyway, this isn't about any political beliefs I might have re China. I'm just curious.
  #178  
Old January 17th, 2010, 05:47 AM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Ultrasurf Is Malware

Hey Steve, where is your company's little application that can supposedly crack Tor wide open? You said you were going to "release it soon" and this was 6 months ago.

Tick tock, we're waiting.
  #179  
Old January 17th, 2010, 02:19 PM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 806
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by chronomatic
Hey Steve, where is your company's little application that can supposedly crack Tor wide open? You said you were going to "release it soon" and this was 6 months ago.
LOL, Tor can't be "cracked" open. Its working principle is well known, and also its design vulnerabilities. It's just Steve trying to scare Tor users, hoping they will start using XB...
  #180  
Old January 17th, 2010, 04:33 PM
S.B. S.B. is offline
Regular Poster
 
Join Date: Jan 2003
Posts: 63
Default Re: Ultrasurf Is Malware

Quote:
Yes, I gather that attackers... However, I gather... That was apparently... I'm guessing...

That reminds me of Ultrasurf behavior that Steve described... Correlations can be dangerous...

Let me get this straight:

"gather" + "gather" + "apparently" + "guessing" = "reminds me" = "dangerous correlations"

Honestly, the thing that seems dangerous here is speculation; and that speculation founded only on other speculation founded in turn on more speculation... ad nauseam, is being used as a scare tactic to promote a product.

For my part, I wonder. If a product has true intrinsic value, and is priced close to that value, why would phony scare tactics be needed to promote the product?

__
  #181  
Old January 17th, 2010, 07:13 PM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: Ultrasurf Is Malware

I find it rather disconcerting that shills for various companies are allowed to use these forums to hawk their products. I have no problem with people wanting to make an honest buck, but this is not the place to do it. The advice given by Steve and people like him is never objective and we end up with threads such as this where a company shill accuses another of being malicious whilst using convenient excuses like "can't reveal how I know" or "you just have to take my word," etc.

And I find it humorous Steve would use a Tor developer as a source when he incessantly bashes Tor (with no basis, mind you).
  #182  
Old January 17th, 2010, 07:14 PM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Ultrasurf Is Malware

OK, OK. If there's no new evidence, there's nothing to discuss.

However, evidence for security software being tools of and/or compromised by attackers is always worth discussing, IMHO.

And BTW, S.B., if you read the articles and reports that I linked to, you'll see that my summary -- which you parodied as ''' "gather" + "gather" + "apparently" + "guessing" ''' -- is hardly at all speculative. What's speculative is any connection with Ultrasurf.

Also, I'm not promoting XeroBank. I posted to this thread because it's about Ultrasurf, not because Steve started it. If evidence for XeroBank being evil were posted, I'd be exploring that too, for sure.

Finally, chronomatic, I suspect that you're referring to <http://deanonymizer.com/>. FWIW, I believe that <http://decloak.net/> is more thorough.
  #183  
Old January 17th, 2010, 07:22 PM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 806
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by hierophant
Finally, chronomatic, I suspect that you're referring to <http://deanonymizer.com/>. FWIW, I believe that <http://decloak.net/> is more thorough.
What about them? I tested Tor against them, and it was all OK. I don't know about other anonymity providers, so I can't speak for them. What I found amusing is that the test from deanonymizer.com doesn't even start with NoScript active in Firefox
  #184  
Old January 17th, 2010, 09:21 PM
S.B. S.B. is offline
Regular Poster
 
Join Date: Jan 2003
Posts: 63
Default Re: Ultrasurf Is Malware

-> hierophant

That was no parody. "gather", "gather", "apparently", "guessing", and "reminds me", were your words. The repeated and amplified speculation you employed to arrive at your endpoint was downright scary. And with all of that, you arrive at an endpoint of "correlations" you deem to be "dangerous". This is nothing more than a pile of sand on a foundation of sand. Speculation. Nothing more. Nothing less.

[Edited] To clarify. You have a postulate, and only a postulate. Perhaps there is evidence for your postulate. Perhaps there is proof of your postulate. However, without proof, a postulate remains a postulate, i.e., an assumption without foundation, i.e., speculation. [end edit]

Last edited by S.B. : January 17th, 2010 at 09:47 PM.
  #185  
Old January 17th, 2010, 09:49 PM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by Nebulus
What about them? I tested Tor against them, and it was all OK. I don't know about other anonymity providers, so I can't speak for them. What I found amusing is that the test from deanonymizer.com doesn't even start with NoScript active in Firefox

Congratulations! My XeroBank setup passes both too. If any y'all find one that's tougher, please share it. Re the deanonymizer.com test, did you click on "here" in "The scan will begin in 30 seconds. If it does not, click here to proceed"?
  #186  
Old January 17th, 2010, 10:36 PM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Ultrasurf Is Malware

@S.B.

What about my summary do you dispute? Has it not been reported that the attackers compromised Google and other recent targets through a zero-day IE exploit? Has it not been reported that they provided poisoned URLs to key users in personalized phishing emails? Was it not reported that previous attacks also employed personalized phishing emails?

None of that is speculation on my part. And although the sources that I cited may include speculation, I don't believe that any of what I've just recapitulated is speculative. And if it is, I'm open to correction.

I admit that I'm speculating that attackers identified key users from targets' websites. Or perhaps I read that somewhere. I don't recall. In any case, wouldn't that be a good strategy?

I also freely admit that any connection to Ultrasurf was pure speculation on my part. I had, and have, no intention of slandering Ultrasurf, and I apologize for anything I've said that's come across that way. I was just asking whether anyone had heard anything. In particular, I was in part poking Steve to see whether recent events might permit him to provide additional evidence for his warnings.

Also, if any y'all can recommend a better anonymity provider than XeroBank, or point to defects in XeroBank other than spotty customer support, please do. I am actively looking, and you can count on me to share what I find.

Last edited by hierophant : January 17th, 2010 at 10:47 PM.
  #187  
Old January 17th, 2010, 11:03 PM
S.B. S.B. is offline
Regular Poster
 
Join Date: Jan 2003
Posts: 63
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by hierophant
@S.B.

What about my summary do you dispute? Has it not been reported that the attackers compromised Google and other recent targets through a zero-day IE exploit? Has it not been reported that they provided poisoned URLs to key users in personalized phishing emails? Was it not reported that previous attacks also employed personalized phishing emails?

None of that is speculation on my part. And although the sources that I cited may include speculation, I don't believe that any of what I've just recapitulated is speculative. And if it is, I'm open to correction.

I admit that I'm speculating that attackers identified key users from targets' websites. Or perhaps I read that somewhere. I don't recall. In any case, wouldn't that be a good strategy?

I also freely admit that any connection to Ultrasurf was pure speculation on my part. I had, and have, no intention of slandering Ultrasurf, and I apologize for anything I've said that's come across that way. I was just asking whether anyone had heard anything. In particular, I was in part poking Steve to see whether recent events might permit him to provide additional evidence for his warnings.

Also, if any y'all can recommend a better anonymity provider than XeroBank, or point to defects in XeroBank other than spotty customer support, please do. I am actively looking, and you can count on me to share what I find.

Far as I'm concerned, we're good, and you're good+ (which btw I guess makes me "good-"; since ["good" - "good+" = "good-"] by my calculations). If it were up to me, I'd change the "To err is human..." saying to read, "To err is human, to admit error divine."

Best regards.

__

Last edited by S.B. : January 17th, 2010 at 11:12 PM.
  #188  
Old January 17th, 2010, 11:51 PM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Ultrasurf Is Malware

@S.B.

Hey, we're all good. Thanks
  #189  
Old February 11th, 2010, 09:10 AM
Sam Hell Sam Hell is offline
Infrequent Poster
 
Join Date: Aug 2007
Location: my desk
Posts: 41
I Say! Re: Ultrasurf Is Malware

Hi. techsupportalertdotcom recently released an update of favorite security apps. Guess who has top bill on
(probably)-best-free-security-list-world in the Privacy/Anonymous Browsing Tools category?

Is Ultrasurf a communist botnet already poised to take down the West?
Or are the US gov and other institutional IPs noticed supporters of Chinese insurrection? And if so, are all users
caught up in a big indiscriminate net, all data retained for future misuse as a future bad legislation may allow?
Is "To Serve Man" really just a cookbook?

The answers to these and similar questions are as far above my pay-grade as some of the more technical explanations
in this thread are above my comprehension. I post this because while I do not always agree with Gizmo's fav
freeware picks, personal preferences often being subjective, I'll wager thousands more people go to Gizmo
for freeware than come here to spend bleary-eyed hours reading pages-long threads debating the finest
nuances of internet security sw. Waning activity on this thread indicates that the general expert consensus
on Ultrasurf remains to be "back away", unless I've missed something. If I have not, has Gizmo perhaps?
I know he has friends at Wilders, experts who might give him a heads up on a controversial sw if not a
possibly critical threat that is listed as highly recommended free sw on his site?

Just a random thought, such as I may someday learn are probably best kept to myself. But not today.

Regards, S.H.
__________________
HP pavillion...AMD Athlon 64X2 Dual 4200+ 2.2GHz...1.93G RAM...Win XP 32 bit SP2 w/Media Center 2005...NVidia 6150LE
Resident: Avast! Free 7.0...Online Armor Free 4.0 (FW only)...Process Lasso 3.84.7
On Demand: MBAM Free 1.44...SAS Free 4.15.1000...RVS 2010
  #190  
Old April 1st, 2010, 02:41 PM
Lazuraz Lazuraz is offline
Infrequent Poster
 
Join Date: Apr 2010
Posts: 2
Default Re: Ultrasurf Is Malware

I apologize in advance for a mini thread revive if this bothers anyone here.

I just registered here and I'm familiar with ultracrap and its abilities to infiltrate anything it comes across. But what I'm wondering is (for those of us with personal at home firewalls) couldn't people have just signed in there, checked the ports/IPs accessing the network and figured out "Well that is NOT good!" Since what I'm understanding from what you are all explaining, you use ultrasurf, other computers who have used it collaborate with your computer and attack website X right?

So what I'm saying/asking is... Why not just check the personal firewall for unknown IPs? That's if you have one and know what you're doing.
  #191  
Old April 1st, 2010, 03:23 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ultrasurf Is Malware

Ultrasurf acts by spidering into your browser. If you have told your personal firewall to allow traffic from your browser application without bothering you about it, you will never see the attacks.
__________________
The Deep Packet Inspection in Act I will be used for domestic surveillance in Act II. | Ye shall know the truth, and the truth shall make you mad. ~Aldous Huxley
Never duplicated, frequently impersonated (on Usenet) | PGP Fingerprint: 4A83 2DB4 E8E5 46D9 59A1 3A3D D88F D7B7 BB67 8C30
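
An added example, not part of any post in this thread: one way to act on the firewall question in posts #190 and #191, by reviewing the connection log for browser-process traffic that no user navigation explains. The log format, the history format, the `iexplore.exe` process name, the 30-second window and all sample lines are constructed assumptions, and it assumes the firewall records allowed connections.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: firewall connection log in a made-up format
# (timestamp, action, process, destination IP, port, resolved host).
FIREWALL_LOG = """\
2010-04-01T15:00:02 ALLOW iexplore.exe 192.0.2.10 443 www.example.com
2010-04-01T15:00:03 ALLOW iexplore.exe 192.0.2.11 80 static.example.com
2010-04-01T15:20:41 ALLOW iexplore.exe 198.51.100.7 443 login.bank.example
2010-04-01T15:20:55 ALLOW iexplore.exe 198.51.100.9 443 portal.agency.example
2010-04-01T15:21:10 ALLOW iexplore.exe 198.51.100.7 443 login.bank.example
2010-04-01T15:30:00 ALLOW updater.exe 203.0.113.5 443 updates.example.net
"""

# Constructed sample: pages the user actually opened (timestamp, host).
BROWSER_HISTORY = """\
2010-04-01T15:00:01 www.example.com
"""


def parse_log(text):
    """Yield (time, process, host) for every allowed connection in the log."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "ALLOW":
            continue  # skip blank, malformed or blocked entries
        yield datetime.fromisoformat(fields[0]), fields[2].lower(), fields[5].lower()


def parse_history(text):
    """Yield (time, host) for every page the user navigated to."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            yield datetime.fromisoformat(fields[0]), fields[1].lower()


def unexplained_connections(log_text, history_text,
                            browser="iexplore.exe",
                            window=timedelta(seconds=30)):
    """Count browser connections that no user navigation accounts for."""
    visits = list(parse_history(history_text))
    visited_hosts = {host for _, host in visits}
    flagged = Counter()
    for when, process, host in parse_log(log_text):
        if process != browser:
            continue  # only traffic that rides the browser's allow rule
        if host in visited_hosts:
            continue  # the user opened this site themselves
        # Sub-resources (images, scripts) load shortly after a navigation.
        if any(timedelta(0) <= when - t <= window for t, _ in visits):
            continue
        flagged[host] += 1
    return flagged


if __name__ == "__main__":
    hits = unexplained_connections(FIREWALL_LOG, BROWSER_HISTORY)
    for host, count in hits.most_common():
        print(f"{count:3d}  {host}")
```

Flagged hosts are leads for manual review only; legitimate background traffic from the browser (update checks, prefetching) will also appear.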
  #192  
Old April 1st, 2010, 03:53 PM
SafetyFirst SafetyFirst is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 460
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by SteveTX
Ultrasurf acts by spidering into your browser. If you have told your personal firewall to allow traffic from your browser application without bothering you about it, you will never see the attacks.
Hypothetically speaking, if I ran Ultrasurf in the shadow mode by Shadow Defender, untrusted by DefenseWall, sandboxed by Sandboxie and with a realtime anti-keylogger on my system, would it still be able to do any damage?
  #193  
Old April 1st, 2010, 08:26 PM
Lazuraz Lazuraz is offline
Infrequent Poster
 
Join Date: Apr 2010
Posts: 2
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by SteveTX
Ultrasurf acts by spidering into your browser. If you have told your personal firewall to allow traffic from your browser application without bothering you about it, you will never see the attacks.


Ah okay good, well I haven't used it at home at all so safe there too. I was just curious considering the amount of times it's been used at our school this year. Every student (or almost every Senior at my High School) had it on their account and I'm guessing that's probably why the PC computers in every room ran so slow.

Alright, that explains quite a lot to me then. Safe at home, but I don't think my school knows about its actions.

Great work Steve and whoever else helped you. Fantastic investigation.
  #194  
Old April 1st, 2010, 09:37 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by SafetyFirst
Hypothetically speaking, if I ran Ultrasurf in the shadow mode by Shadow Defender, untrusted by DefenseWall, sandboxed by Sandboxie and with a realtime anti-keylogger on my system, would it still be able to do any damage?

Absolutely. It turns off SSL certificate checking in your browser and because it makes you depend on its network, it could potentially redirect you to a fake paypal site, bank site, etc. or just simply man-in-the-middle your connection and steal the credentials, then phone home the credentials by way of a covert channel, such as the encrypted google RSS feeds it gets its attack targets from.
__________________
The Deep Packet Inspection in Act I will be used for domestic surveillance in Act II. | Ye shall know the truth, and the truth shall make you mad. ~Aldous Huxley
Never duplicated, frequently impersonated (on Usenet) | PGP Fingerprint: 4A83 2DB4 E8E5 46D9 59A1 3A3D D88F D7B7 BB67 8C30
  #195  
Old April 1st, 2010, 10:42 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,855
Question Re: Ultrasurf Is Malware

@SteveTX

Quote:
It turns off SSL certificate checking

Wow didn't know that

Quote:
Ultrasurf acts by spidering into your browser.

How would/does this affect normal browsing if it was installed, but not running/active ?
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #196  
Old May 24th, 2010, 01:15 PM
RoamMaster RoamMaster is offline
Infrequent Poster
 
Join Date: Oct 2006
Posts: 35
Default Re: Ultrasurf Is Malware

I don't understand how anyone can seriously make the statement that bank and military logins are just normal randomized traffic.

It would be like if someone grabbed my wallet out of my pocket while I'm passing by. Hey, maybe they aren't trying to rob me. Maybe he's just looking for a nice gift idea for his dad

Yeah I'm sure that's it guys
  #197  
Old June 10th, 2010, 02:42 AM
stlolth stlolth is offline
Infrequent Poster
 
Join Date: Jun 2010
Posts: 2
Default Re: Ultrasurf Is Malware

Very poor and sparse rebuttal of ultrasurf being malware in my opinion, but a rebuttal nonetheless. At least it cites a developer name and his employment.
http://www.how-to-hide-ip.info/2009/...-is-malicious/
  #198  
Old June 12th, 2010, 10:12 PM
livre livre is offline
Infrequent Poster
 
Join Date: Jun 2010
Posts: 11
Default Re: Ultrasurf Is Malware

And the package with evidence?


I found a site that goes to a zip file on this topic, clicking it over internet explorer can not open.



Wanted to see what is wrong ... Ultrasurf


While not using it, I'm curious.
  #199  
Old June 12th, 2010, 10:17 PM
LockBox LockBox is offline
Very Frequent Poster
 
Join Date: Nov 2004
Posts: 2,081
Default Re: Ultrasurf Is Malware

Quote:
Originally Posted by stlolth
Very poor and sparse rebuttal of ultrasurf being malware in my opinion, but a rebuttal none the less. At least it cites a developer name and his employment.
http://www.how-to-hide-ip.info/2009/...-is-malicious/

It's either one of the most well-hidden scams ever with the accusations getting very little serious attention, or truly brilliant programming in circumventing the Great Firewall of China with all the misdirections. Which it is, who knows?
  #200  
Old June 14th, 2010, 02:42 PM
lolerosx lolerosx is offline
Infrequent Poster
 
Join Date: Jun 2010
Posts: 1
Default Re: Ultrasurf Is Malware

So ultrasurf is said to steal your IP and use it for bad stuff.....
Well Ultrasurf is a proxy, so what if I use a VPN and use ultraSurf?
Will ultrasurf steal the VPN's IP instead of mine?

Like proxy chaining or something but with a VPN?

Last edited by lolerosx : June 14th, 2010 at 03:05 PM.
 


All times are GMT -4. The time now is 07:31 AM.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums