Ultrasurf Is Malware

Discussion in 'privacy technology' started by SteveTX, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    When I say blocked, I mean "Connection Interrupted" or "Connection is Reset". Anyway, GFW is obviously contributing.
     
  2. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Good point. I have completely overlooked testing of servers against SSL site and not SSL site for support of servers. (however I've pointed in similar way before https://www.wilderssecurity.com/showpost.php?p=1512997&postcount=102 )
    The main reason that I do not like automated tools like UltraSurf is that they do everything automatically, leaving you without any choice like rotating servers, testing servers and connecting against SSL and not SSL site etc...
    There are always better tools in my opinion like ProxyHunter (tester and surfing tool), AAtools (tester), Charon (tester), Proxyrama (tester and surfing tool), multiproxy (tester and surfing tool), a4proxy (tester and surfing tool).

    But I must say again that you have a very good point with explaining the bombastic title "Ultrasurf Is Malware" and evidence.
     
    Last edited: Aug 19, 2009
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    That isn't a plausible explanation. You don't create a highly sophisticated triangle-boy technology for fast http, then turn off https certificate checking for every domain except your own, and use encrypted compression on a tiny binary to obscure what the program is doing on the users' machine (which later turn out to be viruses). There are tons of standard sites you can use for reachability testing. Financial, military, and government login pages are not them, but I'll tell you why: if the user had such a login, it could trick the browser into providing the credentials, at which point UltraSurf can potentially capture the credentials or session cookie because https has been designed to be invisibly compromised. There is absolutely no legitimate reason for that, and it was purposely designed that way, it is not an accident.

    I know a lot of people are in denial, and don't want to believe they've been tricked/compromised by what they thought was a good technology, but the facts are undeniable, and the proof is rock solid.
     
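The post above turns on a concrete claim: an HTTPS client that validates certificates only for its own domains and skips validation everywhere else cannot detect a man-in-the-middle on any other site. The following added example (not code from the thread, from Ultrasurf, or from XeroBank) shows what that configuration looks like in Python's standard `ssl` module, the hardened configuration beside it, and a small audit function a defender can run against any `SSLContext` to spot the weak settings. The host names and the per-host policy (`context_for_host`) are constructed for illustration and model the behaviour the post describes; they are assumptions, not an analysis of the real program.

```python
import ssl

# Constructed sample host names; they stand in for "sites the user may have a login on".
SENSITIVE_HOSTS = ["login.bank.example", "mail.gov.example"]


def secure_client_context() -> ssl.SSLContext:
    """Context a well-behaved HTTPS client should use: chain validation and hostname match on."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname=True by default
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The weak configuration: any certificate is accepted, so an interposed proxy goes unnoticed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return human-readable findings for settings that defeat HTTPS server authentication."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain not verified (verify_mode=CERT_NONE)")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("certificate verification optional (verify_mode=CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("certificate not matched against hostname (check_hostname=False)")
    return findings


def context_for_host(host: str, verified_hosts: set[str]) -> ssl.SSLContext:
    """Hypothetical per-host policy: verify only an allow-list of 'own' domains, nothing else."""
    if host in verified_hosts:
        return secure_client_context()
    return unverified_client_context()


def audit_policy(hosts: list[str], verified_hosts: set[str]) -> dict[str, list[str]]:
    """Run the audit over every host the policy would be applied to."""
    return {host: audit_tls_context(context_for_host(host, verified_hosts)) for host in hosts}


if __name__ == "__main__":
    report = audit_policy(["vendor.example"] + SENSITIVE_HOSTS, {"vendor.example"})
    for host, findings in report.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host:22s} {status}")
```

Run against the constructed policy, the vendor's own domain comes back clean while every other host reports both findings, which is exactly the asymmetry the post objects to: a client that behaves this way has server authentication for itself and none for the user's bank or government logins. The same audit can be pointed at any `SSLContext` a Python program hands to `urllib`, `http.client` or `asyncio`.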
  4. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Steve, if the behavior of connecting to ssl-enabled sites is just all you have got as "evidence", I have to say you are not persuasive at all. You don't even need Wireshark; anyone who can use TCPView already knows that. That's no secret.

    I myself have done a similar test a year ago, weeks after I came to know uf. I used EQ, Process Explorer and Wireshark just like you do. I don't think there is malware behavior (you are talking about a Trojan, not a vulnerability, just keep this in mind, so you need something concrete and solid). The only thing I can't figure out is how it can find its proxy servers. Further analysis suggests that there are connections between the proxy servers and these groups of dynamic domain controllers. I was still not quite sure until I read news about Conficker. Surely there is a master algorithm. At first I thought it was used to generate a sequence of proxy addresses, but later it turned out to be groups of available domain controllers.
    And this may explain why they use polymorphic packers. Because if the master algorithm is reverse engineered, GFW will get a full set of patterns that can be used to block all uf proxies as easily as anything.

    I think you mean the packer thing, I have already explained my idea on that.

    This is not true. If you mean the proxy checking process, I have to tell you a lot of https proxy verifying tools don't bother with that. If you mean surfing with uf, you can see the ssl-cert in your browser, just like with all proxies. Please be as clear as possible.

    Then you tell me what other sites the government would bother to close. What about your xb front-page? You can't simply update the list of sites after they got blocked. You are responsible for the blockage.


    Steve, don't be blinded by your xb-supremacy and arrogance. If you have direct and solid facts, I would even spread your words on the mainland forums I usually visit. But ...they are just not good enough. Anyway, work harder Steve. You look promising. ;)
     
  5. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    Hey Steve. I forgot to mention that good professors never say "Oh, my facts are undeniable, my proofs are solid rocks". That sounds like a dumb bluffing stereotype (or bluff stereotype? please allow my bad English.)
     
    Last edited: Aug 20, 2009
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I thought this was supposed to be published in the mainstream media.
    I'm not an American, but I haven't read any stories about 'Ultrasurf is Malware'.
     
  7. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,227
    Location:
    Sydney, Australia
    Well, well; Softpedia was hosting U-S as recently as 3/7 ago: now gone.
     
  8. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Because someone claimed that it is malware 2 days ago and it should be removed:

    http://board.softpedia.com/index.php?showtopic=10771

    However, as Bensec pointed out, it is not strong evidence. Speculation rather than strong evidence.
     
    Last edited: Aug 20, 2009
  9. elreteipos

    elreteipos Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    4
    I fell for the Ultrasurf scam. I deleted the executable (avast! Home didn't notice anything suspicious about it) and scanned my PC with Malwarebytes Anti-Malware, but nothing bad was found. I can't install VBA32 Antivirus because avast! is already installed on my PC.

    How do I get rid of the traces of Ultrasurf? And how do I fix that dangerous SSL vulnerability?
     
  10. mango

    mango Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    82
    Just stumbled upon this ultrasurf thread.
    Would have thought it had garnered more attention after what has been written in the thread.

    Deleting the .exe should be enough?
     
  11. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    I would suggest to better read this thread before doing anything:

    https://www.wilderssecurity.com/showthread.php?t=252102
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    MakePB, I suggest you go speak with the Tor developers. They have more horror stories about Ultrasurf than I do. ~Snip - Blue~

    And yes, deleting the EXE should be enough, but hard to say, since their encrypted viral payload and behaviors keep changing.
     
    Last edited by a moderator: Oct 24, 2009
  13. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I'm willing to concede that there may be non-malicious behaviors exhibited by this program that may be interpreted as malicious. And I'm willing to postpone my final judgment about this program until we hear a rebuttal.

    But where is the rebuttal? There was some half-assed interview, but that's not even close to enough. Steve's tearing them a new one, and we get nothing from them.

    I sent them a message through their site in case they're on another planet and haven't noticed this thread. But I won't hold my breath. If they don't respond, why would anyone consider using Ultrasurf in the future? They just let someone use them for target practice and do nothing about it.

    Steve, do you have links to comments by the Tor developers about Ultrasurf? Or were they private discussions?
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    A couple of politically oriented comments removed. Before going down that road again, please take a moment to review the site Terms of Service and please adhere to them.

    Regards,

    Blue
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    My understanding is that these comments were made by a Roger Dingledine (Tor) to Kyle Williams (XeroBank) in regards to an Ultrasurf "employee".
     
  16. Mr Wolf

    Mr Wolf Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    3
    Hi!

    I found this discussion searching information about Ultrasurf
    I discovered it recently and even to me it seems too good to be true!

    I'll have a look at the material SteveTX posted.

    So, what about the other services present here: http://www.internetfreedom.org/
    Can we trust them?

    Or better, can we trust this Global Internet Freedom Consortium? Who are these guys?
     
  17. elreteipos

    elreteipos Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    4
    I'd stick with the advice every grandmother would give you: if it looks too good to be true, it's a scam.
     
  18. lionboy44

    lionboy44 Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1


    Dear Steve,

    Please! Please! Please! I need help. I have fallen prey to the UltraSurf scam. It has taken over my PC to the extent that I now have only 4% disc space available on my hard drive. I have tried to search for the u98.exe file to no avail. I must admit I am not very computer savvy. I have used many AVs including VBA32 and all of them have failed to find it on my PC. I use Internet Explorer and my operating system is Vista. Can you tell me how to get rid of this UltraSurf? None of your other recommendations is working.

    Many Thanks
     
  19. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    How do you know that Ultrasurf is responsible for the problems you're experiencing? My guess is that something other than Ultrasurf is the problem. What do you mean by "taken over your PC"?

    Regarding the 4% disk space, I don't believe Ultrasurf uses your hard drive to store data, although I might be wrong. How much disk space did you have before Ultrasurf? FYI, having low disk space isn't a usual symptom of malware.
     
  20. weilian

    weilian Registered Member

    Joined:
    Dec 15, 2009
    Posts:
    1
    Location:
    Beijing
    So what is the alternative? Is there a free alternative solution to replace what 'us' offered without the alleged malware?
     
  21. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Yes. We are hard at work on it.
     
  22. SKA

    SKA Registered Member

    Joined:
    Aug 2, 2002
    Posts:
    179
    Is there a reliable detect/removal tool for US and its traces/remnants on WinXP, Vista, Windows 7 ?

    Anyone has any cleaning/removal instructions ?

    SKA
     
  23. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I wonder whether there's any connection to current events?
     
  24. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,614
    Location:
    European Union
    What do you mean by "current events" ? :)
     
  25. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Well, there have been threads on Wilders since early 2009 -- e.g., "ultrasurf proxy" (started 20090218) and "Dissecting Ultrasurf" (deleted 20090321).

    Information Warfare Monitor published "Tracking GhostNet: Investigating a Cyber Espionage Network" on 20090329 re "alleged Chinese cyber spying against Tibetan institutions" (and various governments' foreign-affairs ministries and embassies) <www.f-secure.com/weblog/archives/ghostnet.pdf>.

    Shishir Nagaraja and Ross Anderson (Cambridge) contemporaneously published a dissenting report that blamed the Chinese government more directly -- "The snooping dragon: social-malware surveillance of the Tibetan movement" <www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf>.

    On 20091009, Northrop Grumman published "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" <online.wsj.com/public/resources/documents/chinaspy20091022.pdf>.

    On 20100114, Ryan Paul posted "Researchers identify command servers behind Google attack" on Ars Technica -- stating that "VeriSign's iDefense security lab has published a report with technical details about the recent cyberattack that hit Google and over 30 other companies." I don't see it yet on VeriSign iDefense <labs.idefense.com>.

    That's what I mean.
     