Ultrasurf, quick'ish Test

Further to my previous one https://www.wilderssecurity.com/showthread.php?t=286100

All done whilst ShadowDefender was enabled

Allowed KL



Crappy SSL lock



WireShark log excerpt 1



Who the heck is 65.49.14.79 ?

Sophidea, Inc. = https://www.projecthoneypot.org/ip_65.49.2.27

Sophidea, Inc. = https://lists.dns-oarc.net/pipermail/dns-operations/2010-January/004835.html

WireShark log excerpt 2



3 Telnet attempts from my ISP to Ports 22 & 23 ?



*

I'm no Firewall etc expert, so i don't pretend to understand everything, but US definately does some "unusual" things !

 

Look's like you are being hit with a MITM attack (Change cipher spec). Also looks like US is setting up a telnet server probably for sending commands back from a C&C server. That looks very worrisome for two reasons:

1) It's looks like a trojan and a MITM attack against you.

2) telnet is inherently insecure; this means it's not just the trojan your should be worried about as it is relatively easy to break into a telnet server. (google will show plenty of results will post links upon request - on mobile right now).

 

@ x942

Hi, yes please post whatever info etc you can about it

I do have Telnet disabled on my comp

 

Source #1 - Wikipedia:

Source #2 - SSL Change Cipher Spec.

Source #3 - MITM Attack

Those are the sources I found to back what I said. (I could tell just by what you posted but proof is always good )

Hope it helps. I think I am going toss US into IDA Pro and see what I get.

 

I'm seeing 65.49.14.74 in the pic instead of 65.49.14.79

 

Well it is packed and or debug trapped. Anyways I posted the IDA Pro dump on my Drop box -http://dl.dropbox.com/u/3374394/u1008.idb.zip-. Hopefully someone with more experience can take a look at it. I am going to run it on a windows 7 box with no security but Wireshark and the like to see what it does. will post back. Also When running in OllyDbg it crashes - probably due to the anti-debug function. Originally (with default IDA Pro settings) it should function "execrypt_protected" so I modified IDA Pro's settings and got it to output that dump file. Before that there was NOTHING at all in the dump besides that and non-sense.

 

@ x942

Thanks for posting back Looking forward to whatever else you can find through testing etc

@ Konata Izumi

Well spotted Actually they both resolve to Sophidea, Inc. I must have just grabbed that IP from my FW whilst i was looking at the other Sophidea, Inc. ones.

 

Installed it on Win 7 Home - Same EXACT firewall report and Wireshark log; this is not a one time thing. I downloaded from the website and verified the MD5 hash.

I am going to monitor it by doing a MITM attack against my self to see all of the traffic it is sending. After that I will re-install windows and use an install monitoring tool to see what it does during install

So far this thing seems like a trojan and I do NOT trust it or recommend any one installing it on their machine.

 

@ x942

Brilliant Should be Very revealing

Thanks

 

I did some testing and ran into a problem (Windows crashed). After I set up again I will run it through the tests:
NOTE: I will FULLY uninstall it between EACH phase.

Phase I:
1) install with Buster Sandbox Analyzer

2) run it and monitor what it does with BSA and Wireshark ( running on another computer)


Phase II:

1) install and monitor using a Install Watching tool (not sure what one yet)

2) Check log and Regestry.

Phase III:

1) Have "testing Machine (TM)" connected to "sniffing Machine (SM)" and SM pass through to internet.

2) Run Wireshark on SM.

3) Also monitor at Untangle FW level

4) Run SSLStip and MITM attack TM (So I can see if UltraSurf is using SSL to send/recieve anything).


Also What I did find before my crash was similar to what was found over here: -http://(#)janusvm.com/Ultrasurf_audit.zip(#)- and https://www.wilderssecurity.com/showthread.php?t=237184&page=5&highlight=ultrasurf by SteveTX

I think Users should heed those warnings and NOT use UltraSurf. Above posts should be evidence enough but more will come shortly, The delay is because I am waiting out a DDOS attack and Banned all chinese based IP addresses for now. I will test when I unban them (so the results aren't saturated). This should only take a few days as I am in talks with my ISP.

EDIT: Removed direct download.

 

Please do it with the latest version from their site. Its 10.16. 0.95 has been released more than a year ago

This is Busters Log

 

I certainly didn't understand a thing

 

thank you for the update I am trying to piece together a win 7 box ( mine died) Will post back shortly (today or tomorrow). I will skip using Buster and go straight to the rest. If you are able to do any other testing that I mentioned please post back


Thanks again

 

See this
OUT,TCP - HTTPS,10.216.94.162,65.49.14.60:443,C:\downloads\u\u1016.exe
IN,TCP - HTTPS,65.49.14.60:443,10.216.94.162,C:\downloads\u\u1016.exe

10.216.94.162 my ip
65.49.14.60 proxy server of ultra surf

I was on the security list page which contained a lot of links when I used it thats why you see all the dns entries. It did not create any back doors or attached itself to any other ports.
Malwarebytes detects the old versions as malware but not later released versions like 10.16

 

Most antiVirus Report Ultrasurf as unwanted software

MalwareBytes Do that


kaspersky Reported Ultrasurf as internet Tool