Wilders Security Forums  

#1 | June 27th, 2011, 06:09 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Containing untrustable anonymity software

Free anonymity software like Ultrasurf cannot be trusted; it can be part of a botnet that launches attacks from your computer. Would the following setup successfully contain such malware so it cannot do any harm but still provide anonymity at a high bandwidth?

Three virtual machines VM1, VM2 and VM3 connected in series like this:

internet---[VM1 running firewall]---[VM2 running ultrasurf]---[VM3 running firefox]

VM1: whitelisting firewall

VM2: a Linux box with X where Ultrasurf or another anonymity proxy is run under a restricted Wine user account; the box is set up to transparently route all traffic coming from VM3 into Ultrasurf, and VM2 boots off a liveCD for non-persistency.

VM3: a Linux box with X and Firefox

In more detail, to protect the vmware host:

[adsl router]---[usb cable]---[VM1 (firewall)]---[vmnet6 cable]---[VM2 (ultrasurf)]---[vmnet7 cable]---[VM3 (firefox)]

Would this succeed in containing whatever malicious operations are done by ultrasurf or other anonymity client?

Can such malware still do harm in this setup?

Last edited by Ulysses_ : June 29th, 2011 at 07:46 AM.
#2 | June 28th, 2011, 01:24 AM | J_L (Massive Poster; Join Date: Nov 2009; Posts: 4,820)
Re: Containing untrustable anonymity software

Why cannot free anonymity software be trusted, but a free OS and browser can?

Your host machine should be safe from malware, but malicious connections can still happen unless you've got excellent firewalls.
#3 | June 28th, 2011, 04:13 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by J_L
Why cannot free anonymity software be trusted, but a free OS and browser can?

Free OS and browser are open-source.

Quote:
Your host machine should be safe from malware, but malicious connections can still happen unless you've got excellent firewalls.

What are some iptables rules to make an excellent firewall in gateway VM1? Ideally maintaining a white list of sites that is initially empty and you manually edit it as you go along?
#4 | June 28th, 2011, 12:12 PM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

https://www.sesawe.net/

That's a trusted Internet consortium.

But has anyone got proof about Ultrasurf collecting your info and hijacking your PC?
__________________
I've discovered that people on IRC don't get offended or riled up by racism, nor politically incorrect jokes, nor feminism, nazism, nor goatse, or even tubgirl, not even jokes about 9/11 get a rise out of anybody but as soon as I tell somebody that macs are better than PCs, things get ugly.
#5 | June 28th, 2011, 01:22 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Yes, SteveTX has:

http://www.wilderssecurity.com/showthread.php?t=237184

None of them should be trusted. But chaining them should limit the ability of each one to sell worthwhile surveillance data, because no one in the chain knows both your IP and the sites visited.
#6 | June 28th, 2011, 06:01 PM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

Ultrasurf was created to bypass internet censorship. When we talk about censorship we talk about severe to moderate. You're not going to bypass a firewall with 3000 people dedicated to looking after it, with signed certificates, from the conventional methods. It was made to run from behind an aggressive firewall. It's going to do some things to try to disguise itself and to bypass filtering. Does it create a backdoor and send info about your personal stuff to its creator? Does it inject itself into legal processes or encrypt its payload to disguise itself and collect user info?
Its design wasn't meant for users trying to hide their IPs from non-censorship countries. The other one, I can't remember its name, from Gardennetworks stops connections to the servers from people living in countries that do not have active policies on internet censorship. It was alleged to be doing the same things as Ultrasurf does.

https://www.sesawe.net/Censorship-and-the-net.html

That's a good explanation in a non political way.
#7 | June 28th, 2011, 06:10 PM | CloneRanger (Massive Poster; Join Date: Jan 2006; Location: Home usually; Posts: 3,846)
Re: Containing untrustable anonymity software

I've used US a while back to test it, but due to SteveTX's thread that Ulysses_ has linked to I ONLY used it whilst in ShadowDefender mode. Also I ONLY surfed to regular www's & NOT anything that included logging in etc. I wouldn't trust it for that.

At the time, it seemed to me it was unclear if everything was HTTPS or not, due to its "unusual" padlock arrangement. I might test it again sometime more thoroughly & see!

Apart from that, it worked fine & the NO install is a bonus.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#8 | June 28th, 2011, 06:22 PM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

For someone whose Internet access is restricted and who wants to do something about it, it may not matter whether the tools were developed by someone who wanted to chat with a girlfriend, write a political manifesto, or send spam.

They don't care what the application does as long as they have the freedom to choose for themselves what's appropriate content and what's not.
#9 | June 29th, 2011, 03:07 AM | J_L (Massive Poster; Join Date: Nov 2009; Posts: 4,820)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
What are some iptables rules to make an excellent firewall in gateway VM1? Ideally maintaining a white list of sites that is initially empty and you manually edit it as you go along?
Sorry, I'm not a firewall expert, especially on Linux. I may be wrong about malicious connections.
#10 | June 29th, 2011, 07:11 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Spooony, either I do not understand you, or you are wrong in thinking that users in restricted countries would be happy with malicious software that:

1. sells their IPs and sites visited

2. sells their bank etc. login credentials

3. port-scans western institutions, causing records of abuse to be stored in their firewalls

4. turns your PC into a cyberwarfare soldier that is part of a botnet that launches DDoS attacks on western institutions.

This is what Ultrasurf is accused of doing, or is likely to do in the future. In yet another thread SteveTX gives the evidence for the above, such as Wireshark logs etc. in a zip file. Except number 4, which is speculation, as a result of the shady Chinese that appear to be running it and its other observed behaviour.
#11 | June 29th, 2011, 07:14 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Quote:
I've used US a while back to test it, but due to SteveTX's thread that Ulysses_ has linked to I ONLY used it whilst in ShadowDefender mode

ShadowDefender mode must be for non-persistence, which is also achieved with a liveCD (VM2 above).
#12 | June 29th, 2011, 07:19 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

This thread is an attempt to outwit the Chinese developers and contain their malware. If only a few people do this, the Chinese won't mind and therefore won't install countermeasures.

Crucial: the browser is NOT running on the same VM where Ultrasurf is running. So the browser's executables or configuration cannot be modified externally. Does this also prevent the malware from decrypting your browser's HTTPS connections (man-in-the-middle attack)? What about certificate checking being disabled, is it possible in this scheme?

Last edited by Ulysses_ : June 29th, 2011 at 07:53 AM.
#13 | June 29th, 2011, 01:44 PM | x942 (Very Frequent Poster; Join Date: Feb 2011; Location: Your Network; Posts: 1,101)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
This thread is an attempt to outwit the Chinese developers and contain their malware. If only a few people do this, the Chinese won't mind and therefore won't install countermeasures.

Crucial: the browser is NOT running on the same VM where Ultrasurf is running. So the browser's executables or configuration cannot be modified externally. Does this also prevent the malware from decrypting your browser's HTTPS connections (man-in-the-middle attack)? What about certificate checking being disabled, is it possible in this scheme?

If the software itself is performing a MITM attack similar to SSL strip, then what machine you're on doesn't matter. Why not find a trusted and secure solution instead of using a known infected solution? TOR and i2p work great for anonymity, and you could always set up your own VPN / SSH tunnel for when you aren't at home.
__________________
E-Mail: og8oh@notsharingmy.info
#14 | June 29th, 2011, 01:59 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

I thought SSL with its authentication was specifically invented to guarantee you are connecting to where you think you are connecting. Has SSL been defeated?
#15 | June 29th, 2011, 02:48 PM | x942 (Very Frequent Poster; Join Date: Feb 2011; Location: Your Network; Posts: 1,101)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
I thought SSL with its authentication was specifically invented to guarantee you are connecting to where you think you are connecting. Has SSL been defeated?

Yes and no. Such a MITM would show as an "invalid" cert, but all malware has to do is plant their cert and it is now considered valid.
#16 | June 29th, 2011, 03:43 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

I've seen some info about this SSL strip attack and more, and they all show an http:// URL instead of an https:// URL. So one defence is simply to block all ports on the browser machine except SSL's port.

But you are suggesting that if the attacker plants their certificate then it will be considered valid (by the browser?). How would they plant it in your browser if the malware has no access to the browser executable or configuration?

Last edited by Ulysses_ : June 29th, 2011 at 04:50 PM.
#17 | June 29th, 2011, 04:45 PM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
Spooony, either I do not understand you, or you are wrong in thinking that users in restricted countries would be happy with malicious software that:

1. sells their IPs and sites visited

2. sells their bank etc. login credentials

3. port-scans western institutions, causing records of abuse to be stored in their firewalls

4. turns your PC into a cyberwarfare soldier that is part of a botnet that launches DDoS attacks on western institutions.

This is what Ultrasurf is accused of doing, or is likely to do in the future. In yet another thread SteveTX gives the evidence for the above, such as Wireshark logs etc. in a zip file. Except number 4, which is speculation, as a result of the shady Chinese that appear to be running it and its other observed behaviour.
I'm not saying anything about Steve's findings. What I'm saying is that people don't care how they get online as long as they can. So people must stop using the utilities that were designed for them, except Tor, that is, because it got credible backing, as well as yf.
Btw it is proven that the application has some strange and rather malicious behaviour, but not that it actually did all those things.

I never used it and never will, because a tool to bypass internet censorship is openly visible to download on a Chinese website.
If that doesn't tell you a story I don't know what will.

Last edited by Spooony : June 29th, 2011 at 04:54 PM.
#18 | June 29th, 2011, 04:56 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Spooony
people don't care how they get online as long as they can

Don't they care that the regime that is censoring what they visit can find them and help them explore the limits of human pain?

For the record, I am not singling out ultrasurf, it is only an example. No free anonymity service should be trusted, period. This thread is about containing all of them.
#19 | June 30th, 2011, 01:42 AM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
Don't they care that the regime that is censoring what they visit can find them and help them explore the limits of human pain?

For the record, I am not singling out ultrasurf, it is only an example. No free anonymity service should be trusted, period. This thread is about containing all of them.
lol I'm not defending the application or anything. The "no free anonymity service should be trusted", you can't say that, it would be unfair. Look at your-freedom, also a Sesawe partner, and it got the Sesawe version of its client out. But you won't find any stuff like that with their service, because they got free and paid services. People falling in the Sesawe countries get a bit better free service than those outside it would, in matter of no time limits and a bit bigger bandwidth.
What I'm trying to tell the people is to stay away from the applications developed inside those countries, because it's going to do some funny things. I don't blame the people in those countries for using anything that can get them online. I mean some browse the internet via email! The webpages they request get emailed to them. I mean if you had a choice to browse the internet like that or to use something that's doing all sorts of things, you're not going to care. So I advise the people to stay away from those apps that are produced in those countries. You will see all the trustworthy ones have a Sesawe version of their software and the normal version for people outside those countries. Their Tor packages are different.
#20 | June 30th, 2011, 03:22 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Private information is sold in an international market, not just kept in the country running the malware. So censoring regimes can get intel on their people from malware used by other countries.

If one free anonymity service is innocent, we are not going to ask God which one that is but we will treat them all the same.

What is your problem with firewalls anyway? Or chains of virtual machines isolating software? You mind that they can't access the user's private data in the host? Or that a whitelisting firewall can't do DoS attacks?

Last edited by Ulysses_ : June 30th, 2011 at 03:40 AM.
#21 | June 30th, 2011, 05:06 AM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
Private information is sold in an international market, not just kept in the country running the malware. So censoring regimes can get intel on their people from malware used by other countries.

If one free anonymity service is innocent, we are not going to ask God which one that is but we will treat them all the same.

What is your problem with firewalls anyway? Or chains of virtual machines isolating software? You mind that they can't access the user's private data in the host? Or that a whitelisting firewall can't do DoS attacks?
There is nothing that can stop a DoS attack. People seem to forget what a DoS attack is. A mass pounding from a lot of PCs against a single server. The idea is not to break in, it's to slow it down till it drops. The firewall can do whatever with it. It still needs to use resources. Getting hundreds of thousands of jumbo frames per second, I want to see a firewall that can keep up. The other thing it does is it leads to the ISP normally blacklisting the server as well, which is a real effort to remove that blacklisting.
#22 | June 30th, 2011, 07:32 AM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Spooony
There is nothing that can stop a DoS attack.

A firewall in a VM close to the attacker VM will stop a DoS attack, containing it in the attacker hardware.

Even if an attempted DoS attack overloads the host CPU, that's ok, we just lower the priority of VM2's process (renice) and everything else works fine.

You want to connect to a site using the all-blocking VM1-VM2-VM3 malware container, you add an exception rule for that site, access the site, work with it for a while, then remove that rule. Automatically with a script and a restricted link between the browser VM and the firewall VM.
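Post #3 asked for iptables rules for a whitelisting gateway in VM1, and the post above describes the add-exception, use-site, remove-exception cycle. The script below is an added example written for this thread, not code from any poster; it assumes VM1 is a Linux gateway with eth0 towards the ADSL router and eth1 towards VM2, a whitelist file at /etc/vm1-whitelist.txt, and that only TCP/443 is allowed out (the "block all ports except SSL's port" idea from post #16).

```shell
#!/bin/sh
# Constructed example for gateway VM1, not the poster's own configuration.
# Assumes VM2 is reached via $INSIDE_IF (vmnet6 side), the ADSL router via
# $OUTSIDE_IF, and a whitelist file with one destination IPv4 per line. Only
# TCP/443 is let out (post #16). With IPTABLES unset the commands are printed
# rather than run, so the rule set can be reviewed without iptables.
INSIDE_IF=${INSIDE_IF:-eth1}
OUTSIDE_IF=${OUTSIDE_IF:-eth0}
WHITELIST=${WHITELIST:-/etc/vm1-whitelist.txt}
IPTABLES=${IPTABLES:-echo iptables}

# valid_ipv4 ADDR: four decimal octets 0-255. Hostnames are rejected on
# purpose: a poisoned DNS answer from the contained VM must not widen the list.
valid_ipv4() {
    set -f; oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs; set +f
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# base_rules: default-deny FORWARD; replies to allowed sessions flow back, all
# other traffic from VM2 is logged (rate-limited) and dropped by the policy.
base_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -N VM1_ALLOW 2>/dev/null || $IPTABLES -F VM1_ALLOW
    $IPTABLES -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -j VM1_ALLOW
    $IPTABLES -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INSIDE_IF" -m limit --limit 10/min \
        -j LOG --log-prefix "VM1-BLOCK: "
}

# allow_site / deny_site ADDR: the per-site exception rule from post #22.
allow_site() {
    $IPTABLES -A VM1_ALLOW -d "$1" -p tcp --dport 443 -m state --state NEW -j ACCEPT
}
deny_site() {
    $IPTABLES -D VM1_ALLOW -d "$1" -p tcp --dport 443 -m state --state NEW -j ACCEPT
}

# load_whitelist: '#' comments and blank lines are ignored; malformed
# entries are reported and skipped rather than guessed at.
load_whitelist() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$line" ] || continue
        if valid_ipv4 "$line"; then allow_site "$line"
        else echo "skipping invalid whitelist entry: $line" >&2; fi
    done < "$WHITELIST"
}

# site_session ADDR CMD...: add the exception, run CMD (the "work with it
# for a while" step), then remove the rule again even if CMD fails.
site_session() {
    ip=$1; shift
    valid_ipv4 "$ip" || { echo "refusing non-IPv4 entry: $ip" >&2; return 2; }
    allow_site "$ip"
    "$@"; rc=$?
    deny_site "$ip"
    return $rc
}

# Usage: vm1-fw.sh init | load | session ADDR CMD...   (no args: define only)
case "${1:-}" in
    init)    base_rules ;;
    load)    base_rules; load_whitelist ;;
    session) shift; site_session "$@" ;;
esac
```

Blocked attempts from VM2 land in VM1's kernel log with the VM1-BLOCK: prefix, which is where a port scan or flood from the contained software would first be noticed.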
#23 | June 30th, 2011, 02:58 PM | Spooony (Frequent Poster; Join Date: Apr 2011; Posts: 514)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
A firewall in a VM close to the attacker VM will stop a DoS attack, containing it in the attacker hardware.

Even if an attempted DoS attack overloads the host CPU, that's ok, we just lower the priority of VM2's process (renice) and everything else works fine.

You want to connect to a site using the all-blocking VM1-VM2-VM3 malware container, you add an exception rule for that site, access the site, work with it for a while, then remove that rule. Automatically with a script and a restricted link between the browser VM and the firewall VM.
The purpose of a DoS attack is to cut your bandwidth to pieces. A VM protects your servers but it doesn't stop your bandwidth being reduced to virtually nothing. What happens then is the ISP will blacklist the IP and the server will be offline.
#24 | June 30th, 2011, 03:20 PM | Ulysses_ (Regular Poster; Join Date: Jun 2010; Posts: 68)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Spooony
The purpose of a DoS attack is to cut your bandwidth to pieces. A VM protects your servers but it doesn't stop your bandwidth being reduced to virtually nothing. What happens then is the ISP will blacklist the IP and the server will be offline.

Sorry, but you haven't understood what is going on in this thread. I am running malware that does DoS attacks on others and I am trying to prevent this; I am not the target of the attack.
#25 | July 1st, 2011, 06:50 PM | DasFox (Very Frequent Poster; Join Date: May 2006; Posts: 1,825)
Re: Containing untrustable anonymity software

Quote:
Originally Posted by Ulysses_
Sorry, but you haven't understood what is going on in this thread. I am running malware that does DoS attacks on others and I am trying to prevent this; I am not the target of the attack.

First off, if your goal is to simply be able to run a program safely in Windows using Linux through a VM you don't have to go to such extremes with several VMs all chained together.

A good hardware firewall, one VM setup running Linux and a good firewall in Linux will be all you need...

Also, you say you have a box running DoS attacks you are trying to prevent; what are we talking about, a workstation or a server?

As they say in the Unix world, you've been rooted, and since you don't seem to be able to get this out, however it's being done, you should reformat the box and start afresh.

You don't try to fix the box with an infection, backdoor, some type of exploit running in it and then try to patch it with security layers, you're going about it all wrong.

Get a clean system then start all over again...
__________________
Security Comes By Education, Not Tons Of Software!
 
