Ultrasurf Is Malware

Discussion in 'privacy technology' started by SteveTX, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    I remember someone told me about Ultrasurf. It is software made by an anti-Chinese-government organization (or so-called religion?) named Falun. The software used to have ads about itself. He said the server was in the USA. We were just talking about surfing forbidden sites.

    I never touched it.
     
  2. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    It'll be interesting to see if this is it:
    http://www.independent.co.uk/news/world/asia/china-linked-to-cyber-spy-network-1657045.html

    I'm not going to say yes or no - that the 2 are related, but I wouldn't be surprised. Interestingly enough, I did a LOT of research on this (UltraSurf) Friday, and with the exception of the owner of ultrareach.com, all the names of involved people, and other domains related to ultrasurf, all seem to be registered to people of Asian descent. THAT PROVES NOTHING, just interesting. Also interesting that the owner of ultrareach.com is registered as Alan Hill, but his cell phone number reverse look-ups to an Alan with an Asian last name (don't have it handy.)

    Also of note, or just general info, ultrareach.com is hosted in TX (either Houston or Dallas), the company behind ultrareach.com/ultrasurf is "Located in San Jose" but 99% of the related people and businesses I found with ties to this group are based out of Atlanta. Again, that proves nothing, I just found it interesting that they are so spread out....
     
  3. lisavow

    lisavow Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    8
    Steve, thanks for the info!
    Wow! I'm a keen user of the software.
    I know many AVs detect it as malware. But I didn't care about it.
    Ultrasurf can bypass many tough filters and firewalls, and so can legitimate software like SoftEther, and many AVs used to falsely detect it as malware. So, I thought it must be a FP, too.
    Anyway, I just deleted the software. I use it to surf websites as my real IP is static and I want to hide it. I've never surfed any forbidden sites with it, because I'm not sure about the legality of accessing such a site (especially a regionally blocked site, which is what many users use it for).
    So, Steve, will you please tell me if I still need to be worried about it and what bad thing I have to expect? Since you mentioned something like “when the truth comes out your jaw will drop”, I can't sleep well.:'(
     
  4. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I wouldn't worry too much. Steve is not the only one analyzing this software (other AV/antimalware corps did) and while they did find malicious behaviour, I would say that by carefully removing Ultrasurf, you don't have anything to worry about.
     
  5. lisavow

    lisavow Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    8
    Nebulus, thanks for the response.:)

    BTW, I agree with what you said earlier. Steve works for XeroBank, doesn't he? Don't they also provide paid VPN services?

    Actually, Ultrasurf is the reason why I've never turned to paid VPN services.
    Unlike the other alternatives, it is the only program that gives stable VPN connection and doesn't slow my net speed down at all.
    Thus, since Ultrasurf provides the best performance I would expect for VPN software, I don't really need other paid options. So, I really hate to say this, but Ultrasurf looks like a threat to his products and I'm not sure if I should trust him on this.

    I know that it's too good to be true that software like Ultrasurf is freeware. I've also read people here talking about a "honey pot". I use Ultrasurf to just surf anonymously. I don't do P2P, don't access forbidden sites and I don't do anything to hide. So, I don't think that I have to worry about it very much.

    I also agree that the company behind it seems fishy, but so do most VPN providers.

    I know that many AVs have detected Ultrasurf as malware. But, some AVs classify any program that performs something extraordinary as malware and have falsely given an alert to legitimate programs like AutoPatcher, Angry IP Scanner, HJT and some TCP patch to lift XP's connection limit, which is frequently mentioned in this forum (Sorry, I forgot the name).
    Ultrasurf gets past firewalls, which might be considered malicious by some AVs and, in fact, was the reason why SoftEther was classified as malware. However, this behavior is one of the legitimate purposes for VPN.

    Anyway, Steve's comments on Ultrasurf have scared me a lot and I will halt using it until I finish assessing this, but, actually, he hasn't told us anything concrete about it. I'm new here and I don't know him very well. As far as I read his other posts, he seems trustworthy. However, I also found he has bashed his competitors many times here and I don't see why he is so suggestive this time.

    I'd really like Steve to give us something concrete about it. Ultrasurf is too great and useful to give up and ditch because of FUD.
     
    Last edited: Mar 31, 2009
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Look at it this way, if I'm misleading you that would be very bad for my reputation and that of the company I work with. I have no incentive to harm myself in the long term for any short term gains, whatever they would be. I've clearly said use anything other than ultrasurf, I don't care if it is a XeroBank product or not, so that should be allaying your concerns that it is commercially motivated. Just don't use ultrasurf, not for any reason, not even inside a virtual machine or sandbox.
     
  7. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    No offense, but are you drunk? The info I have provided ALONE should be enough to worry you.

    As for Steve trying to run off competition, A) in the free market competition makes ALL products stronger, because you have to keep refining them to keep up and B) Steve could NEVER eradicate all the other options out there. There will ALWAYS be open proxies and other ways out. If he was trying to take someone down, I'd think he'd go after the TOR/JAP arena, since they are the largest of the options. He really has nothing to gain here, because if people are using US because it's FREE, then they will just switch to another FREE option, NOT turn to a paid service like XB.

    It is VERIFIED that there are multiple virus types inside US. As I explained earlier, apps like AngryIP do NOT show as viruses, they show as possible hack tools. Those suspect apps NEVER have been reported to CONTAIN a virus, only to be trojan-esque when misused. And there are MULTIPLE verified reports of what viruses are inside US.

    And let me make this clear, I DON'T use XB, never have, and I have ZERO stake in Steve's business - in fact, I could care less about them, I have a solution.

    Take just the article I posted yesterday and read it. Even if that is NOT US, think of the possibilities if it IS, or something similar was. The POINT of an app like US is to protect your identity and information, not to harvest/use/steal/infect it.

    FACT: There is something dirty going on with US. We (public) don't know what yet, but get rid of it.

    I am going to go out on a limb here and say that within a month, you will be seeing a story on the news regarding US, or on your favorite news site/blog.

    Get rid of it, and use something else for the time being. If it comes to pass that US is safe (which it won't) then you can go back to it, no problem. But if it comes out that they are stealing info and monitoring your usage, then that is a problem.

    This is straight cost/benefit.
    Cost to not use US=0 / Benefit=Safe from their dirty doings
    Cost to use US=possible info/id theft / Benefit=0
    Cost to not use US for now, but if proven clean, going back to it later=0 / Benefit=No possible info/id theft now and none in the future

    NO BRAINER
     
  8. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    There are times when it is best to take the advice offered and step away. This is one of those times.

    If you choose to ignore the prudent advice already offered in this thread by SteveTX and others, understand that you've consciously made an active decision to own any and all downside consequences which may be suffered.

    Blue
     
  9. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Can you please (at least) tell us what is the nature of the threat (system access, DoS, identity theft, traffic monitoring by the proxies, etc.)?
     
  10. lisavow

    lisavow Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    8
    Sorry, I didn't realize that my comments sounded that offensive.:doubt:

    As you can see, English is not my 1st language and I don't understand every nuance. I didn't expect and I'm very surprised and upset to receive such harsh responses to my last post. :'(

    Like I said, I just wanted to get Steve to tell something concrete about it because what Steve is implying here has scared me a lot.

    I made them a little provocative to draw such a comment from him as, although it seemed like he had ignored my first post and so he must have some difficulty in speaking about it, I really wanted to know what the threat really was.

    Of course, I knew he can't tell a lie here for the reason he mentioned in his last post. I always respect and appreciate advice from experts, especially from ones who have disclosed the company they belong to, and that's why I deleted Ultrasurf immediately after reading Steve's post.

    Anyway, I'm assuming that the threat Steve is implying here is far more harmful and dangerous than what CaixFang suggested, which is still within the level of risk we have to assume once we decide to use a VPN or proxy and is something Steve is able to discuss without any hesitation. Remember that Steve said something like our jaw would drop when the truth comes out. (I can't sleep well after I read it :'( ).

    He must be suggesting something bigger... right, Steve? I would really appreciate it if you would give me something concrete on this, even just a hint. Is it something that I don't have to worry about and can forget about after removing the program from my PC? Please give me an answer to this question at least so I can sleep!:)

    P.S... Blue, I understand that my last comments were much more offensive than I thought. But, still, I think you should've also warned CaixFang. I've never seen someone who is this harsh in any forums. Does this forum allow a member to call the other "no brainer"? I'm very upset to get such a harsh remark.:'(
     
    Last edited: Mar 31, 2009
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    lisavow,

    What you need to understand is that accusing someone of FUD spans the whole range from simply sowing innocuous seeds of doubt to outright lying. In the context of the current discussion, you are much closer to the latter end of the spectrum.

    As for "no brainer", that's casual English regarding the decision process, not the person making the decision - as in the decision to not use Ultrasurf is a "no brainer", i.e. does not require much analysis to make based on current information.

    Actually, you have very little reason to be upset.

    Regards,

    Blue
     
  12. Judge Dee

    Judge Dee Guest

    I would like to register my appreciation for an administrator weighing in on issues like this one. I have nowhere near the technical expertise of the majority of Wilders' posters and mods (just the love of computers).
    Someone in my position would have no idea what to think or do after SteveTX's posts.
    I really have to say thanks.
    Also to CaixFang's excellent posts.

    Best Regards
     
  13. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    As mentioned above, my no brainer was NOT directed at you, and I sincerely apologize if you took offense to that, or any part of my post. No brainer was only directed to the cost/benefit scenario I laid out, as in, it doesn't take my analysis of that C/B to decide it's best to stay away from US at this point.

    Based on my personal research, I am going to venture out to say it is going to be a fairly large enterprise of "cyber-criminals" mining and stealing sensitive data, both on the consumer and business level, and using that data for fraudulent profits.

    On the lower end, or in conjunction with, I would expect some type of "botnet" to emerge from this. In fact possibly the fraudulent re-use of the stolen information may have been used via these other machines to cover their tracks using a RC backdoor in US.

    Again, just my speculations, but that's where this is all leading me, the more I dig into it. I can't see this just being a PITA virus; if so details would be out by now, and if it was a much more vast issue [read: US Govt] I doubt Steve would have made mention or would ever be able to, either from not knowing, or being required to keep quiet.

    My GUESS is Steve doesn't want to draw any more attention to this than he already has, because someone is still investigating this threat and they don't want to jeopardize the investigation, nor release panic to the general public if the people at US have not yet acted on what they have. I'm sure he will come out with more info when he can, or he never would have brought it up. I'm sure we will hear it here the night before it hits the local news! :argh:
     
  14. lisavow

    lisavow Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    8
    Blue,
    Thanks for the English lesson.:)
    Well, I have many Americans around and they also agree with me.
    As you know, "no brainer" has another meaning.
    People usually focus on the 1st and the last sentence of a long article the most, and if you look at the 1st and last sentence of the post only, it would look something like "Are you drunk? ... No brainer". Also, look at the way he presented the word “NO BRAINER”. So, ...
    Either way, I wrote the post in light of what CaixFang suggested (and I drew a different conclusion). I meant to mention that I didn't worry about it in the post. I mean, I said things like most VPN providers I knew were fishy, I don't have anything to hide in my Internet activities and some AVs might falsely classify it as malware.
    BTW, I added the last sentence ("... because of FUD") to express my frustration that Steve wouldn't give us anything concrete about it even though he had scared us this much. I didn't mean that Steve's advice is FUD. I just wanted to indicate that it would look like it unless he gave us something specific with his accusation against his competitor or it would hurt his reputation.

    CaixFang,
    Never mind.:) I was so upset at that time. It was my mistake. Sorry.
     
    Last edited: Apr 1, 2009
  15. lisavow

    lisavow Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    8
    FYI, I just found an interesting article ( h**p://jonsnetwork.com/2009/02/virustotal-ultrasurf-results/).
    Again, I'm not saying that I don't trust Steve or that Ultrasurf is not malicious. He might have found something different.
    I also googled Falun. As a matter of fact, I was afraid that Steve is suggesting that Ultrasurf is a product made by an “evil cult.”
    I don't think that Falun is an "evil cult". Many Americans, including Christians and human rights groups, are supporting them. The CCP has banned them in China for the same reason why they banned Christianity.
    I see their motive for distributing software like Ultrasurf for free, as it looks difficult to access info about them from China. They also seem to have enough money and resources to distribute it for free.
    I seriously doubt if an organization like them would distribute malware. I mean, if they do, they will lose a lot of support from Christians, human rights groups and Americans.
    Anyway, it's just my opinion. I'm not supporting them and I'm not recommending Ultrasurf or anything. I'm no expert on this and I know so little about them. I got the above knowledge from a 10-minute Google search. I could be wrong.
    They might be a real “evil cult”. Falun might be no Dalai Lama. The situation facing them might be far different from that facing Tibet. In fact, I saw the word “brainwash” during the search and Pat Robertson seems to be against them and calls them a cult. Besides, I might be so brainwashed by the western media.:rolleyes:
    Also, I might just want to believe what I want to believe, as Ultrasurf is such excellent software that any free (and paid) alternatives, including Tor, JAP, I2P and Hotspot Shield, can't get anywhere near it performance-wise.

    Again, I'm neither supporting nor against them. Certainly I’m not recommending Ultrasurf. It's just my opinion based on my little research.
     
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    lisavow,

    A couple of points....
    • Let's stay focused on the technical and off other topics (Falun, etc.)
    • Steve actually did provide really all the info a user needs at the top of this thread:
      Obviously, one can either believe or dismiss these comments. However, if you choose the latter, hopefully you would be able to develop your own detailed technical analysis of the situation and not simply rely on a google search.
    • Finally, as someone who's a rather disinterested party on this topic, what do I see if I simply download and fire up Ultrasurf right now.... You know, anyone can do this, there is nothing special involved. Well, I see a bunch of connections made on launch (no surprise there). However, look closer. The sites connected to are, to be blunt, somewhat disconcerting. Numerous government sites (primarily US based) and some are clearly of a technically sensitive nature. Commercial sites, mainly telecoms. Banking sites in a number of different countries, lots of banks. Other financial institutions. More banks. Connections to China and eastern EU. Is any of this an issue? You tell me. My own read - walk away.
    Blue
     
  17. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Thanks for the extra analysis. I was going to do the same, but I hadn't had a chance to yet, and I still may, and see if I can dig anything further up.

    In light of the article I posted about the malware from China, what better way for China to find out what their people are doing than to provide a "proxy" service that actually monitors everything they do? Perfect trojan (in the historical sense) if I've ever heard of one.

    This is the new age we live in...the CIA, FBI, NSA, etc all have groups designated to fight cyber crime because it is so much harder to track, and its much more under the radar...
     
  18. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    First, let me state that I haven't tried Ultrasurf. I've never tried any type of proxy server, so am fairly unfamiliar with how they work. I know people who use them and I've yet to run into any that use US Govt sites.

    Having two and a half decades of Govt service, I can state with some authority that it wouldn't go unnoticed, or be allowed without Govt knowledge. That alone ought to be enough to make anybody suspicious.

    Steve can answer this with more knowledge than me, but given that Govt knows a proxy is running through their site, can't they monitor it, such as following the user to various sites or, maybe, using it for other things we aren't even aware of?
     
    Last edited: Apr 1, 2009
  19. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    If there is a conflict of interest for SteveTX, I post here only for the application of "my independent vision of security signature".
    Seriously, I have no motivation for doing a network forensic analysis of Ultrasurf (2 hours minimum) and then confirming or not what was said.
    As far as I know there are virus researchers in this area, and it is firstly the job of antimalware vendors.
    As an anti-censorship proxy tool, U is designed to bypass web and firewall filtering, and thus uses tunneling methods, perhaps via DNS, but as said above I have not verified.
    Moreover this tool has existed since 2006; does it mean that all antivirus vendors and analysts are totally incompetent?
    The terminology "malware" is excessive, and the behavior impact on the local host is much more important than the claimed MITM client/server attacks.
    Of course as a proxy tool, it is an unwanted or riskware program in any corporate environment (as a portable program, it can be stored in a non-access-restricted mailbox).
    But I have taken a quick look at it in a static analysis way, and the affirmations about Morphine are totally wrong for the three previous versions (094/093/092).
    By looking at the entry point section, I have noticed that it might be packed by VMProtect, a powerful anti-piracy tool from Russia.
    So I first ran some detectors, and for a more accurate verdict, I packed a safe tool to verify that they were not false positives.
    Conclusion: Ultrasurf is certainly packed with VMProtect. But as I am not an expert in reversing and disassembling, I also might be wrong...
    It has been said that U devs play a cat-and-mouse game to make their program more effective and stealthy.
    And packing, or the backdoor classification of one antivirus, is not enough for claiming that this file is malware.
    There is a serious need for more substantial material.

    A few Googling results that might help:
    Already included in Sophos filtering database
    http://www.sophos.fr/security/analyses/controlled-applications/ultrasurf.html
    Are online scans fully trusted... not always... let's check Hopster, another similar tool, and Avira will detect it as a trojan...
    http://jonsnetwork.com/2009/02/virustotal-ultrasurf-results/
    Some vendors take advantage of their anti-Ultrasurf solutions
    http://blog.zemana.com/2009/01/zemana-anti-ultrasurf.html
    http://www.astaro.com/newsroom/press_releases/astaro_7_4_defeats_ultrasurf

    That's all for my concern.
    rgds
     

    Attached Files:

    • vmp.jpg (53.5 KB)
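The entry-point check kareldjag describes (which section owns the entry point, does it look like a known protector, and does a safe control file trigger the same verdict), as an added example that is neither his tooling nor anything from Ultrasurf. It assumes the well-known default section names packers leave behind (VMProtect's .vmp0/.vmp1, UPX0/UPX1, etc.) and builds two constructed minimal PE images in place of any real binary; it goes a step beyond his description by also measuring the entropy of the entry-point section.

```python
import math
import random
import struct

# Default section names well-known packers/protectors leave behind (assumption:
# names only; a real sample may rename or strip them, so this is a hint, not proof).
PACKER_SECTION_NAMES = {
    b".vmp0": "VMProtect", b".vmp1": "VMProtect", b".vmp2": "VMProtect",
    b"UPX0": "UPX", b"UPX1": "UPX", b".aspack": "ASPack", b".themida": "Themida",
}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted code sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the PE headers: return (AddressOfEntryPoint, list of section dicts)."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                         # IMAGE_SECTION_HEADER
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, hdr)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw": image[rptr:rptr + rsize]})
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """Which section owns the entry point, how random is it, any packer names?"""
    entry_rva, sections = parse_sections(image)
    ep = next((s for s in sections
               if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    hints = sorted({PACKER_SECTION_NAMES[s["name"]] for s in sections
                    if s["name"] in PACKER_SECTION_NAMES})
    ent = shannon_entropy(ep["raw"]) if ep else 0.0
    return {"entry_section": ep["name"].decode() if ep else None,
            "entry_entropy": round(ent, 2), "packer_hints": hints,
            # heuristic: packer name, near-random entry code, or entry outside .text
            "likely_packed": bool(hints) or ent >= HIGH_ENTROPY
                             or (ep is not None and ep["name"] != b".text")}


def build_image(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers + raw sections at 0x1000 RVA steps)."""
    opt_size = 0xE0
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF                      # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table, body = b"", b""
    for i, (name, raw) in enumerate(sections):
        rsize = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIII", name, len(raw), 0x1000 * (i + 1), rsize,
                             raw_ptr + len(body)) + b"\0" * 16
        body += raw.ljust(rsize, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


def sample_images():
    """Constructed pair: a 'protected' image (entry in .vmp0) and a plain control."""
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for VM-obfuscated code
    code = (b"\x55\x8b\xec\x90\xc3" * 410)[:2048]          # repetitive, low-entropy stub
    packed = build_image([(b".text", b"\0" * 512), (b".vmp0", blob)], entry_rva=0x2000)
    plain = build_image([(b".text", code), (b".data", b"\0" * 512)], entry_rva=0x1000)
    return packed, plain
```

Run `triage()` on both images from `sample_images()`: the control must come back clean, which is the false-positive check that turns a detector's verdict into something worth citing.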
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
  21. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    More posts, more questions.
     
  22. kasperking

    kasperking Registered Member

    Joined:
    Nov 21, 2008
    Posts:
    406
    Well, I am a student, so expensive VPNs are way beyond... Tor, JAP are way too slow and now freebies are proven to be malware... what can I use...? Thanx
     
  23. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    Sorry, probably nothing !

    You may be able to find an obscure anonymity/privacy service, but how would you know if it's 'clean' ?

    Nothing is truly for free.
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Are you familiar with TINSTAAFL? It is something covered in first year accounting, finance, and business at universities. It means "There is no such thing as a free lunch" so someone is always paying for it. If it is free it sucks, if it is cheap, it is cheap, if it is costly there is a chance it is valuable. Seek your equilibrium. You may want a crap service like Relakks because it is $7/m. If you want something faster, you can use ShadowVPN for $10/month or perhaps Stunnel. For the strongest you could do kryptohippie ($300+?/yr) or xerobank ($35/m).
     
  25. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Ah man, now I gotta uninstall all the free software that provides a free service ;)

    Ultrasurf is a fast alternative to jap for people to get past the Internet Censorship they may have in their country, nothing more nothing less, No it wasn't designed to hide your activities, as a paid service does, but merely get you past the censorship, It sucks anyways because even Ultrasurf censors some of the sites you visit!
    Stupid thing doesn't even work with rapidshare either. EDIT: I call Ultrasurf FailWare when it comes to privacy!

    I would choose ShadowVPN or Xerobank over Ultrasurf any day, that is if I didn't know what a proxy or a proxy judge was........ProxyFire..Plox.....
     
    Last edited: Apr 3, 2009