Ultrasurf Is Malware

Discussion in 'privacy technology' started by SteveTX, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    So "Chinese intel agency" uses an anti-censorship software to spy on others? I think we were pretty sure it is actually a program made by Falun which is totally against Chinese government. Can someone elaborate this?
     
  2. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Steve: It is no secret I have been very critical of you and your lack of candor at times. However, I must commend you and Kyle on the work you did with this exposé of UltraSurf. I have looked at it all and I am very impressed. You deserve all the kudos you receive. Good job.
     
  3. ePost

    ePost Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    105
    We need that video on YouTube and similar sites so that we can spread the word via boards, blogs and other sites...
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Hell has truly frozen over. Classy post though.
     
  5. mekai

    mekai Registered Member

    Joined:
    Aug 1, 2009
    Posts:
    1
    It doesn't appear to install. It just seems to be a program that sits there until you activate it so is just deleting that enough? What can we do if we've used it?

    Oops, I didn't realize I'd been linked to the middle of the article. I still am wary of just deleting the .exe though. And I have an AV so adding the one you linked to will conflict, no? I'm sorry for the questions. I'm a bit of a novice. I've had some strange things happen with my computer though. (Incidentally, they started the night I downloaded Ultrasurf.) I posted some logs for help at a different security site but I've yet to receive a response. I happened across this thread quite accidentally.
     
    Last edited: Aug 1, 2009
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    If someone Trustworthy enough o_O could clean up US, it would be a very good APP, for the reasons I mentioned earlier.

    There are still www's & forums etc promoting US, maybe they haven't heard yet, or don't care !

    I've included a screenie of Global Internet Freedom Consortium's hxxp://www.internetfreedom.org/about that was mentioned further back in the thread. It shows all the players " seemingly " also involved in this whole charade.


    SteveTX

    I realised my VLC player wasn't the latest version, so I upgraded and Bingo the videos worked.

    wembleyy

    The logs and videos show Ultrasurf using someone's PC to make lots of connections to numerous IPs they didn't choose to go to. This is all done surreptitiously WITHOUT the user's knowledge.

    It also shows Ultrasurf inserting various files and Registry settings etc, that are questionable.

    In short very Devious.
     

    Attached Files: GIFC.gif
  7. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I have the feeling that lots of people didn't look too closely at the audit logs. There aren't many files or registry entries created by Ultrasurf, and they aren't dangerous (feel free to prove me wrong, but with evidence).

    Indeed, some of the network activity of Ultrasurf is questionable, as Steve showed in the videos. But looking at the pcap files, I wasn't able to find clear evidence of an attack pattern (DOS or other kind).

    PS: I'm not suggesting that using Ultrasurf is safe, but I would like to see a more technical debate, rather than "OMG!!! It's a conspiracy against US!!"
     
  8. badjoey

    badjoey Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    50
    Well, for starters, maybe the rest of the security community isn't convinced that US is what Steve says it is. Those logs are not clear-cut proof that the info is being logged or used maliciously, and the software acting deviously is more than likely in part due to the fact it is supposed to be bypassing China's great wall, so to speak.
    Honestly, are you people that foolish to believe that Steve would find something that the FBI, CIA or Secret Service with unlimited resources didn't notice? If it was as malicious as Steve says it is, trust me, these agencies would be investigating and would have made an announcement to warn everybody. Talk about devoted blind followers. You guys are like cult followers.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    For those of you who don't know what the audit means:

    1. UltraSurf scans military, financial, educational, and critical infrastructure sites, using your real home IP address, immediately flagging you personally to any firewall and alerting any surveillance. This is extreme anti-anonymity, the exact opposite of what the software is purported to do.

    2. UltraSurf turns off SSL Certificate Checking, which is an outrageously gross violation of security protocol and means your browser will accept any certificate, including forged ones, to make it possible to perform Man In The Middle attacks. If only someone had a proxy network where they could inject traffic they could slurp up all your credentials and watch your sessions... oh wait, that is exactly what Ultra Surf does.

    There are tons of questionable things about UltraSurf, such as that all past versions of them set off trojan virus alarms; but none of the above are questionable, possibly legitimate things. They are absolutely damning, with no room for contention or plausibility.
     
  10. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    I don't know about anyone else but I find it hard to believe that UltraSurf trying to connect to locations such as eservices.dor.nc.gov and access.usbank.com has anything to do with bypassing China's Internet filtering. It is these unnecessary attempts to connect to a wide range of IPs that should send alarm bells ringing.

    Also, who's to say that intelligence/security agencies haven't been aware of this but have chosen to quietly monitor its development and evolution? That said, when was the last time you heard one of those agencies go public about a particular piece of malware? I can't remember a single time, myself.
     
  11. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    You obviously haven't worked within the government. Unlimited resources? I'm actually smiling. Our country alone is over 11 trillion in debt, we've recently literally been writing IOUs to other countries, our programs are rapidly running out of money, and more resources go towards irrelevant scientific research than towards national security, that is fact. The state of national security financial resources and manpower would make you cringe if you bothered to research before you opened your mouth. I'm reminded of an old favorite TV show when I visit the privacy sections here: "The truth is out there"....and nobody bothers to give a damn and/or look for it.

    Edit: Traxx75, these agencies WOULDN'T go public with it. Why? Simple, it would blow up the national security scene worldwide like a nuke and right in front of a worldwide audience of people already somewhat untrusting of their own governments.
     
    Last edited: Aug 2, 2009
  12. badjoey

    badjoey Registered Member

    Joined:
    Dec 9, 2008
    Posts:
    50
    dw426, I don't work for the government but I know a lot about investigations and the discretionary funds that certain agencies have access to, and US has been around long enough that somebody somewhere would be ringing a bell. And again, Steve has not provided any solid proof that what US does is being used for malicious intent. Also, what evidence Steve provided he could have provided 4 months ago when he first sounded the alert. The program was doing the same thing then that it is doing today, and if he had been monitoring it for the last 4 months he should have more evidence than he does.
    I think you're talking crap about saying what kind of money is available for national security. Just because you pick up a newspaper or watch CNN does not make you an expert or give you inside knowledge about what the US government does with its tax dollars, and if you believe everything you read in the news and watch on TV then that would explain your blind faith in Steve.
    Seriously, there are a lot of experts in this world when it comes to computers, including ones that work for the antivirus companies, and until a couple of the big ones like either Kaspersky or Norton or ESET come forward saying they have done their own extensive testing and have found absolute proof that US is malware or a back door and that they recommend to stop using it, then I wouldn't put much stock in this.

    Because I have used it off and on for the last year and never had a problem with it or my computer running funny. And no men in suits have showed up to seize my computers either.
     
    Last edited by a moderator: Aug 2, 2009
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Reasons why -

    All the data is in the videos and logs for people to inspect. Now they either choose to believe, or not, that it's all real and collected by those tests on US. Personally, I do believe.

    US have designed the App to appear as benign as possible to evade scrutiny, and up till now have succeeded brilliantly !

    Now we come to, why are US, and probably the other ones from GIFC listed in my recent screenie above, doing what they do.

    Providing a free/fast, and ( supposedly ) SSL proxy service, is very attractive to all sorts of legitimate users, err and others, for all sorts of reasons. If as advertised by US, they are ( supposedly ) helping people in China & elsewhere circumvent those countries' restrictions, then they ( appear ) to be good guys. But if they're not good guys, then the people behind US etc can spy on who's doing what, especially their own citizens. They might not pounce on them immediately, but instead could be building up a huge database of all their info/data/www's/contacts/passwords etc etc. This includes SSL www's like banking, hushmail etc etc. This could be used against them at some point if they chose to. I think it's more likely they will use all the info more deviously, rather than revealing their true modus operandi by prosecuting people right now.

    Which leads on to -

    They may also be planning at some stage in the future, to launch attacks, and/or infiltrate those users/accounts and/or www's they will have ALL the details of.

    Seems unreal, unlikely, fantasy etc etc. Well frankly I wouldn't put it past them, as it's well known the Chinese for one, have been probing and successfully infiltrating .gov etc www's for a number of years, even though they publicly deny it.

    The USA gov depts. & others etc have undoubtedly seen these probes etc coming from people's PCs for some time. But unless a direct attempt to gain interior access is attempted, they don't have the resources/will to investigate etc. However they will be logged. And as the probes come from people's PCs, the .gov etc have had no idea, up until now, they originated from Ultrasurf.

    Only now will they/we have to rethink what the implications of ALL this mean. The S**T hasn't really even started to hit the fan yet !
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'll make it short and simple, I have been a government employee and I have more than enough sources that will back up my statements should they ever need to regarding the very sad state of the U.S. financial situation and lack of manpower. So, there's that, I needn't prove a thing, you simply need to log off of this forum and go looking for the information you want. If you would like to remain unknowing about what's going on around you, your founding fathers gave that right to you and you can enjoy it.

    As far as the Ultrasurf issue, he brought the information, it's up to you and the rest of us to determine whether we believe it or not and also what it means if it is true. I personally don't care myself, I simply joined in the conversation to get rid of these insane ideas people seem to have about ANY government having unlimited amounts of ANYTHING and the laughable suggestion that they have all-knowing, all-seeing "gods" in human and/or machine form. It's not only utterly pathetic, it's damned dangerous.
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    What you see right now from UltraSurf behavior is landscape surveillance. This is the first step in cyber-warfare. You need to know your surroundings and establish surveillance over critical infrastructure.

    UltraSurf is equipped with a sort of remote auto-update feature. It gets its targets from a sophisticated distribution system offloaded to Google. It uses an encrypted RSS feed in Google Reader. It appears that the Google Reader encrypted feed is for Google Docs URLs. The Google Docs documents are encrypted blocks that UltraSurf likely decodes and contain the new targets. Another operating procedure of cyber-warfare is the executive. Potentially, with the flip of a switch, it could go from "scan" to "attack".

    btw, dw426 is right about gov resources. They are very limited and inefficient to say the least. When we showed this to the FBI six months ago and asked when we could expect results, they told us they "Move at the speed of justice." Now let's differentiate... the FBI isn't the same caliber or field as DoD Cyber-warfare / DIA / NSA. FBI are just federal police, DoD is massive and disjointed, and the NSA et al are cloaky intelligence gathering orgs. And it is no secret that the US needs lots and lots of help and resources in cyber-warfare.
     
    Last edited: Aug 2, 2009
  16. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I observed the same basic behavior as noted in the files provided, and noted as much above. Part of the issue is that you're implicitly assuming that malware = "doing bad stuff now". While a lot of malware works that way, it's not a requirement. You're also implicitly assuming that malware = "doing bad stuff to me at some point". Again, not a requirement.

    Information has been provided to you, you determine what to do with that information
    You're assuming a rather specific malware usage scenario.

    All I can say is that I saw the same on-launch connection attempts to multiple banks, other financial institutions, government departments focused on financial and technical areas, and various educational sites that were reported above in addition to numerous connections to China and Eastern Europe. Given that this was on launch, without further action by me, I saw red flags waving. As I noted above - walk away.

    Perhaps it's just me.., but I feel uncomfortable with my machine making numerous connections to financial and government sites not initiated or controlled by me. I don't believe that's a piece of tinfoil talking, to me it is simply a prudent view of reality since ultimately I am responsible for the behavior of my machine.

    Blue
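    The behaviour Blue and Steve describe (a proxy tool that fans out to government, financial and educational hosts right after launch, with no user action) is something a defender can detect from a per-process connection log. The following is an added example and is not code from the thread or from the audit archive; the log lines are constructed, the process name is hypothetical, and only the two hostnames quoted earlier in the thread (eservices.dor.nc.gov, access.usbank.com) are taken from the discussion.

```python
"""Flag processes that fan out to many sensitive hosts immediately after launch."""
from collections import defaultdict
from datetime import datetime, timedelta

# Host categories the audit discussion mentions: government, military,
# educational and financial sites. Suffixes are matched with a leading dot
# so that "notusbank.com" does not match.
SENSITIVE_SUFFIXES = (".gov", ".mil", ".edu", ".usbank.com")
LAUNCH_WINDOW = timedelta(seconds=30)   # "on launch, without further action"
FANOUT_THRESHOLD = 4                    # distinct destinations that count as a scan

# Constructed sample log (not from the audit archive). Format per line:
# <ISO timestamp> <process> start|connect <host:port or ->
# "proxytool.exe" is a hypothetical name; 203.0.113.7 / 198.51.100.22 and
# www.example.edu are documentation placeholders.
SAMPLE_LOG = """\
2009-08-01T20:00:01 proxytool.exe start -
2009-08-01T20:00:02 proxytool.exe connect eservices.dor.nc.gov:443
2009-08-01T20:00:02 proxytool.exe connect access.usbank.com:443
2009-08-01T20:00:03 proxytool.exe connect 203.0.113.7:443
2009-08-01T20:00:03 proxytool.exe connect www.example.edu:443
2009-08-01T20:00:05 proxytool.exe connect 198.51.100.22:443
2009-08-01T20:00:06 firefox.exe start -
2009-08-01T20:00:09 firefox.exe connect www.wilderssecurity.com:80
"""


def parse_log(text):
    """Return (timestamp, process, action, host) tuples; the port is dropped."""
    events = []
    for line in text.splitlines():
        ts, proc, action, dest = line.split()
        host = dest.rsplit(":", 1)[0] if dest != "-" else None
        events.append((datetime.fromisoformat(ts), proc, action, host))
    return events


def is_sensitive(host):
    """True if the host falls in one of the watched categories."""
    return host.lower().endswith(SENSITIVE_SUFFIXES)


def audit_launch_fanout(events):
    """Per process: distinct destinations and sensitive hits inside LAUNCH_WINDOW."""
    starts, dests, sensitive = {}, defaultdict(set), defaultdict(set)
    for ts, proc, action, host in sorted(events):
        if action == "start":
            starts[proc] = ts
        elif action == "connect" and proc in starts and ts - starts[proc] <= LAUNCH_WINDOW:
            dests[proc].add(host)
            if is_sensitive(host):
                sensitive[proc].add(host)
    report = {}
    for proc in starts:
        hits = sorted(sensitive[proc])
        report[proc] = {
            "distinct_destinations": len(dests[proc]),
            "sensitive_hits": hits,
            # Either a wide fan-out or any unsolicited sensitive contact is a red flag.
            "flagged": len(dests[proc]) >= FANOUT_THRESHOLD or bool(hits),
        }
    return report


if __name__ == "__main__":
    for proc, row in audit_launch_fanout(parse_log(SAMPLE_LOG)).items():
        print(proc, row)
```

    With real data the same logic can be fed from a host firewall or process-monitor export, as long as each row carries a process name, a timestamp and a destination.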
     
  17. CaixFang

    CaixFang Registered Member

    Joined:
    Mar 24, 2009
    Posts:
    72
    Funny, well not funny, but when I did my initial investigations, I left a lot out of my post on page one, when it came to people. One thing I had noticed was ALL of the people associated with US had Asian names. Initially that didn't really spark much to me (hey, it would make sense for a group of Chinese people to be trying to help those oppressed in China - which is why I left it out of my findings here) but the more I dug, the more I wondered if this was a covert Chinese govt thing, or at the minimum a group of Chinese hackers running some fraud ring (personally I leaned on the Govt side due to the resources they have.)


    I think I still have all the results saved on whois's and all the tracing on names and such that I did if anyone wants/needs them in a blog or media story (I assume they have all been covered up now, but maybe not.)

    Most of the people involved seem to be in the Atlanta area, or at least that's where they report they live, etc.


    Very interesting whole ordeal. Long time in the making to hear the results, but I for one am not surprised at all after my research.

    Good jorb Stevie....Next time you're down in the Houston area, you should let me know so we can grab lunch.
     
  18. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    I am wondering why this didn't get more coverage. It's the one thing I think Steve and Kyle did very well. It's one reason why we really need an effective Office of Cybersecurity. It was announced with great fanfare in May of this year and the announcement so far has been the only highlight, apparently nobody wants the job of heading the agency.
    http://www.computerworld.com/s/article/9136306/The_cybersecurity_job_no_one_really_wants
     
  19. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Say, wasn't Jeff Moss tapped for that job also?
    Or am I confused with another job within the Obama-administration Jeff Moss was asked for?

    As for the coverage of UltraSurf I agree.....partially.
    Perhaps Steve and company needed some improvement on the PR-part.
    Apparently it was conceived as a discussion or quick announcement by some visitors of Blackhat, as I read it back on some security-blogs.
    What also could've played a role is the unknown name of UltraSurf itself, that doesn't say much to most people...even within our IT security-community.

    Maybe they didn't care as much about this revelation as Kyle and Steve do.
    That in itself wouldn't be a shocker actually.
    I mailed a couple of my security-related friends...and guess what...they all shrugged their shoulders about it.
    I thought it was a bummer, because I felt this really is something to take notice of. And it could be a sign on the wall, for other things.

    So I think the unknown name, that UltraSurf is out there with the public, worked against them.......unfortunately.
     
  20. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Nah, we just didn't have enough time for Kyle to properly present it (I'm longwinded, sorry kyle!), nor could we disclose we were going to present it in order to avoid a potential gag-order. I'm thinking of putting out a paper or webpage on it, but the news stories are starting to pickup on it.
     
  21. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Steve, I have just read through all pages of this thread. (-- not all actually. Just skip and skim through all the pages)
    --sounds-personal-- just reveal your Wireshark logs, and tell us how ultra-surf sends massive remote DNS requests, just like Conficker, scanning for available proxy servers whose name matches certain patterns (so it is possible for ultra-surf to connect to some non-existent site). --sounds-personal-- just provide some solid fact or hard evidence but just keep freaking people away.
    SHOW US your logs, GIVE US your explanations. Steve.

    I agree polymorphic packers seem to be a good reason to classify ultrasurf as malware, but not good enough for an expert --sounds-personal--. He needs to show some behavior analysis as concrete proof. Concerning uf's popularity and fame, the packer thing just can't explain anything, because both freegate and ultrasurf have long been flagged as virus by Chinese domestic AV --for-the-sake-of-my-own-safety-i-dont-talk-about-chinese-product-any-more--

    -sounds-personal-
     
    Last edited: Aug 19, 2009
  22. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    There are two .pcap files in the audit archive that Steve posted a few pages back. Is this not what you are looking for? Or do you mean that Steve should maybe screenshot the relevant bits of those captures to make it easier for the less technical amongst us to see the proof?

    I agree that it would be nice to see everything presented in a PDF that everyone can read and see the interesting bits but Steve _has_ actually provided proof in the audit archive.
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Steve : well done: been waiting for the denouement. :thumb:
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    BenSec, wireshark logs are included in the audit. :thumb:
     
  25. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Thanks for the info, and sorry for the rants (I'll edit them, some really don't look nice).

    I set 15 posts/page so this thread is fairly long and I skipped some pages as I usually do, thus obviously omitted some important info. But I have to say packing files into a 45M archive is not quite wise, especially when this site is blocked by a nation-wide firewall.

    I checked your evidence. Your major point is that uf connects to a list of commercial web sites. But actually this doesn't bother me. Just try adding "https" to all sites that are on the list (except the xxx.dynmic.xxx domain controller). Half of them are blocked and half of them work well. None of them say they don't support SSL.

    So, as a 2-year-experienced proxy-hunter, my guess is that uf is trying them out to verify its proxy. This is better than launching a DDOS on a certain SSL-enabled website, or setting up an SSL-enabled website for test purposes yourself that could be blocked at any time by GFW. (If GFW blocks USbank, ok, no Americans in China can access it. Could it be possible? It could be something international. So I actually did the same with paypal, ebay and other foreign bank patrol using Proxy Hunter, proxy superman, and ProxyThorn before I knew hi-speed proxies like VPN and socks-enabled freegate and ultrasurf.) Ultra is just doing the same thing itself. The more people are using this software, the more SSL websites should be included on this list to free the stress on certain sites.


    Uf has been out there for about 4-5 years (since I'm not its old user, I am not sure about the real situation, but at least 4-5), I got it from a friend about 1 year ago. Let me guess, maybe a million Chinese have used it before? God knows. Comparing its history to your superior-xb theories. You know it is really hard for me to believe you, unless you can provide something really Concrete. Work harder, Steve, you look promising.;)
     