Ultrasurf, quick'ish Test

Discussion in 'other security issues & news' started by CloneRanger, Jun 29, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Further to my previous one https://www.wilderssecurity.com/showthread.php?t=286100

    All done whilst ShadowDefender was enabled ;)

    Allowed KL :eek:

    [attachment: z1.gif]

    Crappy SSL lock :p

    [attachment: lock.gif]

    WireShark log excerpt 1

    [attachment: ws1.gif]

    Who the heck is 65.49.14.79 ?

    Sophidea, Inc. = https://www.projecthoneypot.org/ip_65.49.2.27

    Sophidea, Inc. = https://lists.dns-oarc.net/pipermail/dns-operations/2010-January/004835.html

    WireShark log excerpt 2

    [attachment: cy.gif]

    3 Telnet attempts from my ISP to Ports 22 & 23 ?

    [attachment: za1.gif]

    *

    I'm no Firewall etc expert, so I don't pretend to understand everything, but US definitely does some "unusual" things !
     
  2. x942

    x942 Guest

    Looks like you are being hit with a MITM attack (Change Cipher Spec). Also looks like US is setting up a telnet server, probably for sending commands back from a C&C server. That looks very worrisome for two reasons:

    1) It looks like a trojan and a MITM attack against you.

    2) Telnet is inherently insecure; this means it's not just the trojan you should be worried about, as it is relatively easy to break into a telnet server. (Google will show plenty of results; will post links upon request - on mobile right now.)
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ x942

    Hi, yes please post whatever info etc you can about it :thumb:

    I do have Telnet disabled on my comp ;)
     
  4. x942

    x942 Guest

    Source #1 - Wikipedia:
    Source #2 - SSL Change Cipher Spec.

    Source #3 - MITM Attack

    Those are the sources I found to back what I said. (I could tell just by what you posted but proof is always good :thumb: )

    Hope it helps. I think I am going to toss US into IDA Pro and see what I get.:argh:
     
  5. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    I'm seeing 65.49.14.74 in the pic instead of 65.49.14.79

    o_O
     
  6. x942

    x942 Guest

    Well, it is packed and/or debug-trapped. Anyways, I posted the IDA Pro dump on my Dropbox -http://dl.dropbox.com/u/3374394/u1008.idb.zip-. Hopefully someone with more experience can take a look at it. I am going to run it on a Windows 7 box with no security but Wireshark and the like to see what it does. Will post back. Also, when running in OllyDbg it crashes - probably due to the anti-debug function. Originally (with default IDA Pro settings) it should function "execrypt_protected", so I modified IDA Pro's settings and got it to output that dump file. Before that there was NOTHING at all in the dump besides that and nonsense.
     
    Last edited by a moderator: Jun 30, 2011
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ x942

    Thanks for posting back :thumb: Looking forward to whatever else you can find through testing etc ;)

    @ Konata Izumi

    Well spotted ;) Actually they both resolve to Sophidea, Inc. I must have just grabbed that IP from my FW whilst I was looking at the other Sophidea, Inc. ones.
     
  8. x942

    x942 Guest

    Installed it on Win 7 Home - Same EXACT firewall report and Wireshark log; this is not a one time thing. I downloaded from the website and verified the MD5 hash.

    I am going to monitor it by doing a MITM attack against myself to see all of the traffic it is sending. After that I will re-install Windows and use an install monitoring tool to see what it does during install :thumb:

    So far this thing seems like a trojan and I do NOT trust it or recommend anyone installing it on their machine. :thumbd:
     
  9. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ x942

    Brilliant :thumb: Should be Very revealing ;)

    Thanks :)
     
  10. x942

    x942 Guest

    I did some testing and ran into a problem (Windows crashed). After I set up again I will run it through the tests:
    NOTE: I will FULLY uninstall it between EACH phase.

    Phase I:

    1) Install with Buster Sandbox Analyzer.

    2) Run it and monitor what it does with BSA and Wireshark (running on another computer).

    Phase II:

    1) Install and monitor using an install watching tool (not sure which one yet).

    2) Check log and Registry.

    Phase III:

    1) Have "testing Machine (TM)" connected to "sniffing Machine (SM)" and SM pass through to internet.

    2) Run Wireshark on SM.

    3) Also monitor at Untangle FW level.

    4) Run SSLStrip and MITM attack TM (so I can see if UltraSurf is using SSL to send/receive anything).


    Also, what I did find before my crash was similar to what was found over here: -http://(#)janusvm.com/Ultrasurf_audit.zip(#)- and https://www.wilderssecurity.com/showthread.php?t=237184&page=5&highlight=ultrasurf by SteveTX

    I think users should heed those warnings and NOT use UltraSurf. Above posts should be evidence enough, but more will come shortly. The delay is because I am waiting out a DDoS attack and have banned all Chinese-based IP addresses for now. I will test when I unban them (so the results aren't saturated). This should only take a few days as I am in talks with my ISP.

    EDIT: Removed direct download.
     
  11. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    Please do it with the latest version from their site. It's 10.16. 0.95 was released more than a year ago.

    This is Buster's log
     
  12. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I certainly didn't understand a thing :D
     
  13. x942

    x942 Guest

    Thank you for the update :thumb: I am trying to piece together a Win 7 box (mine died). Will post back shortly (today or tomorrow). I will skip using Buster and go straight to the rest. If you are able to do any other testing that I mentioned please post back :thumb:


    Thanks again
     
  14. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    See this:
    OUT,TCP - HTTPS,10.216.94.162,65.49.14.60:443,C:\downloads\u\u1016.exe
    IN,TCP - HTTPS,65.49.14.60:443,10.216.94.162,C:\downloads\u\u1016.exe

    10.216.94.162 = my IP
    65.49.14.60 = proxy server of UltraSurf

    I was on the security list page, which contained a lot of links, when I used it; that's why you see all the DNS entries. It did not create any back doors or attach itself to any other ports.
    Malwarebytes detects the old versions as malware but not later released versions like 10.16.
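The two firewall lines in the post above are the kind of record a defender wants to tally rather than eyeball: which process talked to which remote host, and whether anything arrived inbound on a port the machine should not be serving (the earlier post worried about attempts on 22 and 23). The script below is an added example written for this thread; it is not code from any poster or from the firewall or UltraSurf. It assumes the field order seen in those two lines (direction, protocol label, source, destination, process path); the third and fourth sample lines are constructed, using the 203.0.113.0/24 documentation range, purely to exercise the inbound-port check.

```python
"""Tally per-process firewall log lines of the format quoted in the thread.

Added example, not from the thread or any tool the posters used. The field
order (direction, protocol label, source, destination, process path) is an
assumption read off the two lines Spooony posted.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Inbound connections landing on these local ports deserve a second look on a
# desktop that should not be running remote-admin services at all.
ADMIN_PORTS = {22, 23}

# Constructed sample. Lines 1-2 are the ones quoted in the thread; lines 3-4
# are invented (203.0.113.0/24 is a documentation range) to exercise the
# inbound-port check. They are not from any real capture.
SAMPLE_LOG = """\
OUT,TCP - HTTPS,10.216.94.162,65.49.14.60:443,C:\\downloads\\u\\u1016.exe
IN,TCP - HTTPS,65.49.14.60:443,10.216.94.162,C:\\downloads\\u\\u1016.exe
IN,TCP,203.0.113.7:51234,10.216.94.162:23,C:\\downloads\\u\\u1016.exe
IN,TCP,203.0.113.7:51235,10.216.94.162:22,C:\\downloads\\u\\u1016.exe
"""


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); a bare host gets port None."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, None
    return host, int(port)


def parse_line(line: str) -> dict:
    """Parse one log line into local/remote endpoints plus the process path."""
    # maxsplit=4 keeps the process path intact even if it contained a comma.
    fields = line.strip().split(",", 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected field count in {line!r}")
    direction, proto, src, dst, process = fields
    if direction == "OUT":      # local side initiated the connection
        local, remote = src, dst
    elif direction == "IN":     # remote side initiated it
        local, remote = dst, src
    else:
        raise ValueError(f"unknown direction {direction!r}")
    local_host, local_port = split_endpoint(local)
    remote_host, remote_port = split_endpoint(remote)
    return {
        "direction": direction,
        "proto": proto,
        "local_host": local_host,
        "local_port": local_port,
        "remote_host": remote_host,
        "remote_port": remote_port,
        "process": process,
    }


def summarize(log_text: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, int, str]]]:
    """Return ({process: sorted remote hosts}, [(process, local_port, remote_host)]).

    The second element lists inbound connections that hit a port in ADMIN_PORTS.
    """
    hosts: Dict[str, set] = defaultdict(set)
    alerts: List[Tuple[str, int, str]] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        hosts[rec["process"]].add(rec["remote_host"])
        if rec["direction"] == "IN" and rec["local_port"] in ADMIN_PORTS:
            alerts.append((rec["process"], rec["local_port"], rec["remote_host"]))
    return {p: sorted(h) for p, h in hosts.items()}, alerts


if __name__ == "__main__":
    by_process, flagged = summarize(SAMPLE_LOG)
    for process, remotes in by_process.items():
        print(f"{process}: {', '.join(remotes)}")
    for process, port, remote in flagged:
        print(f"ALERT inbound to local port {port} from {remote}, handled by {process}")
```

Run against the two real lines alone, the summary is a single process talking to a single host on 443 and no alerts, which matches the poster's reading that nothing was listening on other ports; the constructed lines show what a hit on 22 or 23 would look like, so the same script can be pointed at a longer export from the firewall.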
     
  15. Ranget

    Ranget Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    846
    Location:
    Not Really Sure :/
    Most antivirus programs report Ultrasurf as unwanted software.

    Malwarebytes does that.

    Kaspersky reported Ultrasurf as an internet tool :doubt:
     