Ultrasurf Is Malware

Discussion in 'privacy technology' started by SteveTX, Mar 25, 2009.

Thread Status:
Not open for further replies.
  1. himynamaborat

    himynamaborat Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    26
    It's Blackhat time. I've been waiting to see what Steve is going to say about Ultrasurf.

    I found this thread about a month ago after I did a google search of "Ultrasurf" and "malware". The reason I did that search was because Ultrasurf seemed too good to be true. Everyone was singing its praises, yet I couldn't find any useful information on the product, either from the Ultrasurf site or anywhere on the net. And I questioned why or how they could/would provide such a snappy service to everyone for free. Initially, I thought it was just a man-in-the-middle attack, which doesn't bother me too much, since I don't give out personal info with proxies. If it were just a MITM attack, I would probably still use it because I don't think it would affect me.

    But Steve made it seem like there was more to it than that. So, I guess we should know in a few days.
     
  2. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    It seems that NOD32 analyzed this file in the past and found it first to be a Trojan and then not to be one:

    https://www.wilderssecurity.com/showthread.php?t=232326

    Without any evidence it is hard to draw any conclusion here. I'm not aware of how Ultrasurf works and do not have time to test it and go deep into it, but if the program uses open proxy servers, and if there is internal testing, and if they are filtered, then terms or sites like sex, ****, porn are just used to filter out proxies that are set not to work on such terms.

    Some other proxy programs and testers work this way to get rid of proxies that are not fully working.

    btw

    Their Chinese site is http://www.wujie.net/
    From their FAQ at http://www.ultrareach.com/usercenter_en.htm

    4. Is UltraSurf a Trojan or virus?
    A: Neither. UltraSurf provides users with state-of-the-art internet technology to break through firewall safely. It is a popular anti-censorship software, not a Trojan or virus. Some anti-virus software companies classify UltraSurf as a Trojan software simply because UltraSurf is able to break through firewalls. It is a mistake and a wrong classification. We are in the process of resolving this issue with these anti-virus companies through technique channels and legal channels. It is our mission to protect users' privacy when browsing the internet. Please rest assured that UltraSurf will not touch any of the documents on your PC.
     
  3. coderman

    coderman Registered Member

    Joined:
    Feb 12, 2009
    Posts:
    39
    this is not the behavior in question. and a white list by some company at one point in time does not indemnify for the future.

    they're changing the behavior of this software at will, and without user notification or consent. this is bad.

    (hopefully many more details to come to light soon...)

    best regards,
     
  4. pocan

    pocan Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    2
    Steve,
    What was this really all about?
    Swine Flu Virus?
    The only national newspaper article on UltraSurf I came across for the past four months is one in NY times and it was very positive.
    Now the blackhat conference is over, would you please tell us about the "jaw dropping" truth about UltraSurf?
     
  5. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    And what is the behavior in question?
    You titled this topic "Ultrasurf Is Malware" and then do not provide any evidence! o_O?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    We gave the talk so here is the answer:

    UltraSurf and Gtunnel and likely all products put out by the Global Internet Freedom Consortium / Internet Freedom.org, are in fact secret trojans. They give you a 1-hop proxy but use your system to launch attacks against financial institutions, government and energy websites, education, etc. Now here is the scary thing, if you are logged into one of these domains, like your bank, then they can get access to your authenticated session / cookie and potentially break right into your account, THROUGH YOUR OWN COMPUTER.

    Imagine if someone with a sensitive US position used Ultrasurf. Suddenly their military login has been compromised. Not likely? They've been around twice as long as Tor, and this exact thing happened on Tor last year (see Dan Egerstad).

    It gets better, any site you visit using the program, they turn off SSL cert checking so they can perform MITM and watch your entire session and logins. It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you.

    GIFC / Internet Freedom org are a huge scam. They are likely run by a private Chinese intelligence firm to monitor dissidents and US citizens while attacking critical infrastructure in the USA and Taiwan. They have fooled everyone for nearly a decade, and are seeking a $40m grant as an internet anti-censorship software.

    We have proof, wireshark logs, video, live audit, and a list of their attack patterns. Special thanks to Moxie Marlinspike for assistance.
     
  7. bonedriven

    bonedriven Registered Member

    Joined:
    Jan 14, 2007
    Posts:
    566
    This is huge. But I found it strange because "the private intelligence" which is related to an anti-Chinese-government religion (or organization) also attacks America and Taiwan. That's not logical. Only if it is not a software provided by Falun?
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    SteveTX et al

    Well this seems pretty conclusive, so i hope there will be some retracts from previous negative posters !

    Thanx for all the time doing the research and gathering the data etc. And also for keeping your head, and tongue, when given a hard time from some, i know what it's like !

    Las Vegas is better than i thought it would be, so much so i stayed 2 nights a few years ago. So hope you enjoy !


    DL'd the PROOF folder and tried to watch the AVI's with both VLC & WinMedPlayer, no joy ?

    RE -

    " It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you. "

    Even if you aren't actively using it at the time ?


    Looking forward to the global fallout on all this, which should be both interesting, and funny in a way.

    Regards,

    S
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Thank you for updating this Steve, you've not only silenced the impatient overly critical people here (I hope at least), but cast a huge spotlight on a shady and dangerous organization.
     
  10. pocan

    pocan Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    2
    Steve,
    Thanks for your reply.
    I'm sorry I was skeptical about this.
    Since I was a user of the software, this is really scary.
    Thanks.
     
  11. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Thank you for listening; I hope I've made believers out of some of you.

    Some things I can't talk about right away, but know that I am doing what I can. In this case covert study of it was being done, and we didn't want them to get too much wind of it, but didn't want people to keep using it. Now the cat is out of the bag.

    If you are having trouble viewing the video, try downloading a codec pack or two here (no warranties naturally).
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    I don't know about the particular behavior, but from what we have seen it is insidious: when you move, it moves. When you don't, it doesn't. That way its evil behaviors go undetected and you only get notices that would coincide with things you are already doing on your computer. fun fact: when you run Ultrasurf it spiders into your system; check your reg settings, when you close the program it removes the evil traffic-capturing entries it made, leaving no trace. evil evil. very well written.
     
  13. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    Thanks Steve! This just made my day ;)
     
  14. MakePB

    MakePB Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    85
    Location:
    Find-IP-Address.org
    Thank you for taking the time to collect evidence and share all your findings with us.
     
  15. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Interestingly, as i was beginning to write this Prevx was scanning and detected 1 out of the 6 different Ultrasurf program versions included in SteveTx's report folder i'd DL'd earlier. A few minutes later Prevx was off scanning again as i reopened the folder, and this time detected a further 3. How about that for fast, on the fly, in the cloud, in your face updates ! I'm sure the other 2 won't be far behind.

    Only 1 was classed as a High risk worm though ?

    So even further Proof that vendors are now beginning to take this seriously.

    Funny thing is, out of curiosity i actually tried US recently lol, and it worked just fine, no install, SSL, fast'ish. So i'll be keeping a close eye on things now, even though i've uninstalled it.



    Here's the SHA1's on the 6 above files to show the differences.

    2 x different U.exe =

    6DB58E3BD0B964A65A65BB5342ABE67BBE25961C

    BA088B3F66944BB8F47C9E23EA46ACF59A4CB029

    u92.exe = 7429A0B46B5C3D9763C4B1B88E76307A3046678B

    u93.exe = 72FFC21B065830232B4961EA8AD7176C2022D5B5

    u94.exe = B3E4DCFB4A2E6E0F15286B9D5664E1A3F2E89DFA

    UltraSurf62.exe = 260ABFB7C703C75228145323A1B3322BECA0BAFE

    As yet, Avira, a2, SAS, MBAM don't detect any of them. But i wonder how long before they do now, not too long i imagine !

    In the report are 2 videos of the live investigation, and amongst other Apps, InstallWatch was used to monitor installation, but i was surprised to see SpybotS&D being used to capture changes in the Reg too. Nothing wrong with that of course, but it's a few years since i've had it on my PC's.


    So once again, top marks to Steve & the crew, and Prevx.
     

    Attached Files: P-US.png (115.5 KB)
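
An added example, not part of the original thread or of the report it discusses: a Python check that hashes every file under a directory and compares it with the six SHA-1 values posted above. The function names and the "name-only" verdict (a file that carries one of the posted names but a different hash, i.e. a build not in the posted list) are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# SHA-1 values exactly as posted in the thread (two different builds were named U.exe).
POSTED_SHA1 = {
    "6DB58E3BD0B964A65A65BB5342ABE67BBE25961C": "U.exe",
    "BA088B3F66944BB8F47C9E23EA46ACF59A4CB029": "U.exe",
    "7429A0B46B5C3D9763C4B1B88E76307A3046678B": "u92.exe",
    "72FFC21B065830232B4961EA8AD7176C2022D5B5": "u93.exe",
    "B3E4DCFB4A2E6E0F15286B9D5664E1A3F2E89DFA": "u94.exe",
    "260ABFB7C703C75228145323A1B3322BECA0BAFE": "UltraSurf62.exe",
}


def sha1_of(path, chunk=1 << 20):
    """Stream the file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def classify(root, known=POSTED_SHA1):
    """Return {path: (verdict, sha1)} for files worth a look under root.

    'listed'    : the hash equals one of the known values, whatever the file name.
    'name-only' : the name matches a known sample but the hash differs, so it
                  is a different build and the hash list says nothing about it.
    Files matching neither are left out of the result.
    """
    names = {n.lower() for n in known.values()}
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha1_of(p)
        if digest in known:
            results[str(p)] = ("listed", digest)
        elif p.name.lower() in names:
            results[str(p)] = ("name-only", digest)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (verdict, digest) in classify(target).items():
        print(f"{verdict:9}  {digest}  {path}")
```

A "name-only" result is the case a fixed hash list cannot settle: the binary has changed since the list was made, so it needs its own analysis.
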
  16. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I can confirm that ESET Nod32 marks Ultrasurf files in the .zip as viruses.
     
  17. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Amazing work Steve! I was finally able to watch the videos, although I don't yet understand what they show. But anyway, if you use Gom player, you can download this codec and it works. http://www.gomlab.com/codec/success.html?intCodec=67
     
  18. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That is amazing. Ultrasurf users become pawns in a global chess game. Thanks for bringing this into the open.

    I'd also hope that users get a couple more lessons from this.
    1. Software can do exactly what the user expects, a 1 hop proxy in this instance, and still be much more than it appears.
    2. Some conspiracy theories are real! Botnet owners have long known the value of using others' computers. Now we see an instance of our PCs being used as weapons. Don't bet on this being the only instance in this global internet war zone or that governments may be doing things very similar.
    3. Without outbound traffic monitoring, something like this would have escaped detection. There is security value in monitoring and controlling outbound traffic, especially when you look at the big picture and not just your own equipment.
     
  19. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    This is nothing short of a bombshell investigation. I think the security community is being slow to recognize what XeroBank presented at Blackhat. This isn't just security community news though. This will be frontpage NY Times as soon as somebody gets a clue as to the ramifications of this report and the breaches of U.S. security.

    Well done, Steve and Kyle. The evidence is damning and thanks for the zip file, which contains the evidence very clearly.

    Simply unbelievable.
     
  20. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    One other thing, the current reports of certain anti-spyware vendors not reporting this as Spyware should not be a surprise. This is much more than a simple file which can be flagged as "spyware." As sophisticated as they come. This is dynamite wrapped in candy paper. A grave security breach and the ramifications? Unknown and downright frightening to even think about.

    ON EDIT: It will take a day or two (heading into a weekend) for this to hit the security media, not to mention the mainstream media, but NetWorld has picked up the research report.
    http://www.networkworld.com/news/2009/073109-blackhat-ultrasurf.html
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    Steve, If the above highlighted portion is true (and the evidence sure looks that way), your and Kyle's research has uncovered something nothing short of a Tom Clancy novel on steroids.
     
  22. ePost

    ePost Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    105
    This is a police matter. Or the FBI/CIA even. Have they been given the material? What about the press?

    And it's also a matter for us. We should start writing about this on other boards, blogs, websites and our homepages. In Wikipedia and other strategic places.

    And: MAKE WOT SHINING HOT RED for the Global Internet Freedom Consortium / Internet Freedom.org

    Google them and vote them dead! :mad: Vote from Google's search page at the red circle. Don't give them a click for their counter. They don't deserve traffic.
     
    Last edited: Jul 31, 2009
  23. ePost

    ePost Registered Member

    Joined:
    Feb 23, 2009
    Posts:
    105
    There's also SiteAdvisor and others of the same kind...
     
  24. oldymin

    oldymin Registered Member

    Joined:
    Oct 31, 2008
    Posts:
    25
    Never trusted that Ultrasurf crap anyway. But by the look of the evidence it's indeed something far more evil than just the next door piece of spyware. So if this stuff is for real then i can't imagine that the agencies over the world didn't know anything about it. It sure does raise questions;

    It's on a huge scale and not one agency or even a commercial organisation ever investigated or raised an eyebrow ? Perhaps indeed the Chinese or collaboration of foreign agencies to gather intel this way ? Perhaps their agents who infiltrate certain organisations recommend out of the blue to use ultrasurf ? The sky is the limit or is it just a big criminal enterprise ? Maybe not Madoff style but a serious impact on many lives if this is that big.

    Nice work :)
     
  25. wembleyy

    wembleyy Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    can anyone tell me what these logs show?
     