I think your answer lies in the fact that UltraSurf itself is on the up and up but has possibly been compromised the by the government of the People's Republic of China. UltraSurf is one of 3 services that belong to the Global Internet Freedom Consortium. The other two being Dynaweb and Garden. Apparently one has been known to have been compromised and it's a constant hacking war to keep these three services providing a free-flow of information in and out of China. Just posted hours ago from a VERY long article in the Asia Times: ------------ The most widely-used facilities are Dynaweb, Garden and Ultra Surf. These services coordinate their offerings through the Global Internet Freedom Consortium (GIFC), a group that receives some US government funding and is apparently run by friends of Falungong, the outlawed and extremely tech-savvy Chinese religious group-cum-political movement. The three services gleefully run a never-ending Spy vs Spy war with the Chinese cybercops, continually flooding the zone with new Internet Protocol (IP) addresses - a computer's identification number on a network - that their users (and the Chinese security organizations that inevitably participate in the service) link to with a "tunnel discovery agent" in order to connect to proxy servers - a computer system or application program that acts as a go-between - before the Chinese government shuts them down. They count VOA and RFA as their clients and proudly state that the service has never been interrupted. But, in the case of gh0st RAT, maybe score this round to China. In its own analysis of the computer security travails of the Tibetan emigre community, "Snooping Dragon", the University of Cambridge reported  that the China hackers availed themselves of Dynaweb's facilities: However, after a while, we saw a number of accesses through Dynaweb - a set of anonymization proxy servers associated with the Falungong religious movement, which is also detested by the government of China. We are at a loss how to explain this. Perhaps the Chinese detected the start of our clean-up operation and decided to hint that they had compromised Dynaweb - whether to deter people from using it, or to deter the US government from funding it? We just have no idea. ---------------- I would suggest that after Steve and Kyle's discoveries, it appears that UltraSurf (as well as Dynaweb) has also been compromised. The above article, in its complete form can be found at The Asia Times here http://www.atimes.com/atimes/China/KD08Ad01.html Note there are two pages and you must go from page one - two, there is no "one page view". It is absolutely fascinating reading. The article makes it clear UltraSurf is one of the "good guys" (even partly funded by the U.S. government).