Ultrasurf in question



Renk
04.04.09, 19:29
An interesting new thread:

Ultrasurf Is Malware - Wilders Security Forums (http://www.wilderssecurity.com/showthread.php?t=237184)


there are real and severe negative consequences from running the software in question, it is not a trivial and passive "vulnerability" (...) Just don't use ultrasurf, not for any reason, not even inside a virtual machine or sandbox.

Perhaps those who are network specialists here could investigate the subject and deeply analyse Ultrasurf's behaviour (malware? botnet?).

anon
04.04.09, 19:47
After reading the whole thread, the forum post only calls Ultrasurf malware because of the following:


"it promotes man in the middle attacks by allowing any ssl cert" - I'm really sure that's a flaw in its design rather than an intentional measure.
"heuristic avoidance" - Freegate does this too, it even provides many differently packed EXEs to avoid false antivirus warnings.
"encrypted payloads" - that's to make it harder for someone to unpack the executable and see the server park's IPs inside, which could then be blocked or exploited.


Another user identified it as an IRC backdoor, when the truth is I have never seen it connect to another host's port 9666.

Sure it can bypass firewalls, but that's what enables censored Chinese users, or people at the office, to use it.

The most "sensitive" thing I have seen Ultrasurf do is creating a file called PUTTY.RND in the %userprofile% directory, most likely a certificate used to connect to its servers.

Furthermore, SteveTX keeps on saying "uninstall it, use other stuff, I'll explain later" even though he's been asked why several times, and given enough time to reply. :rolleyes:
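The "allowing any ssl cert" point above is the client pattern where certificate validation is switched off, so a middlebox can present any certificate it likes. As an added example (not code from this thread or from Ultrasurf), here is that weak configuration in Python's ssl module beside the verified default, with a small audit function a reviewer could run over a client's SSLContext; the function names are my own:

```python
"""Audit a TLS client context for the 'accepts any certificate' weakness."""
import ssl


def weak_context() -> ssl.SSLContext:
    """The 'before' configuration: no hostname check and no chain validation,
    so a certificate forged by anyone on the path is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The 'after' configuration: validates the chain against the system trust
    store and checks that the certificate matches the requested hostname."""
    return ssl.create_default_context()


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context would reject
    an attacker-supplied certificate and legacy protocol versions."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid cert for any name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum_version={ctx.minimum_version.name}: legacy TLS allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```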

Renk
04.04.09, 20:14
Furthermore, SteveTX keeps on saying "uninstall it, use other stuff, I'll explain later" even though he's been asked why several times, and given enough time to reply. :rolleyes:


I fully agree with you. SteveTx indeed brings no proof of his assertions. The only fact is not that US is malware, but that SteveTx says it is. But he seems not to be an "average joe" about internet security (although one can think he could have some commercial interest in denigrating Ultrasurf, this hypothesis being mitigated by his sentence "every alternative is better").


I did not write my post to scare anyone, but to warn about a possible problem, and to invite those who have enough competence to investigate further.

anon
04.04.09, 20:19
I fully agree with you. SteveTx indeed brings no proof of his assertions. The only fact is not that US is malware, but that SteveTx says it is. But he seems not to be an "average joe" about internet security

Yes, you're right about that: a quick look at his "reputation" in the forum shows he's no newbie. Although that doesn't make up for his lack of solid proof and good reasons for us not to use Ultrasurf, apart from believing him.

Whether he may have commercial interests in bashing/advertising the app is touched several times on that thread - he denies it, of course, but I don't think that's his intention either.


I did not write my post to scare anyone, but to warn about a possible problem, and to invite those who have enough competence to investigate further.

I fully understand. Information has to be free, right? :smile:

Renk
23.08.09, 14:32
Some news I have just found. An examination of US was presented recently at Black Hat.


UltraSurf software is promoted as a means to proxy Internet traffic so that when it arrives at its destination forensic experts can't figure out where it came from.

But observation of UltraSurf at work reveals that it also automatically attempts to make HTTPS encrypted connections to unrelated servers, says Kyle Williams, security director of XeroBank, an Internet privacy vendor, who has researched the software.

Among the sites it has probed without user intervention is acquisitions.army.mil, he says, a U.S. Army URL that would be sure to attract the attention of the Great Firewall of China, the Internet filtering infrastructure the Chinese government uses to restrict the Internet access of its citizens.

The proxy system that versions of UltraSurf have used included six entry proxies, half in California and half in Taiwan, and six exit proxies, half in the U.S., two in China and one in Taiwan, Williams says. A Chinese dissident sending traffic to an entry node in the U.S. or Taiwan and receiving traffic from the U.S. and Taiwan would also flag attention, he says.

The software used to have a two-hop proxy but that has been downgraded to one hop, he says.

(...)



Black Hat: Free cloaking software may actually draw attention to traffic it's supposed to protect - Network World (http://www.networkworld.com/news/2009/073109-blackhat-ultrasurf.html)



Here is a link to an archive containing the video of the examination, with Wireshark logs, etc.:

http://janusvm.com/Ultrasurf_audit.zip.

What do you think about this data?

Could someone independently audit this audit?
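The audit quoted above rests on one observable: a proxy client that opens HTTPS connections to servers outside its own proxy pool without the user asking for them. As an added example (not part of the thread or of the Black Hat audit), this is the kind of check one could run over a capture export; the log layout, the addresses and the proxy names are constructed for the example:

```python
"""Flag TLS connections a proxy client makes to hosts outside its known pool."""
import re
from collections import Counter

# Constructed sample in a 'time src -> dst:port sni=name' layout; the
# addresses and proxy names are invented, not from any real capture.
SAMPLE_LOG = """\
0.001 10.0.0.5 -> 203.0.113.10:443 sni=entry1.example-proxy.test
0.120 10.0.0.5 -> 203.0.113.11:443 sni=entry2.example-proxy.test
0.300 10.0.0.5 -> 198.51.100.7:443 sni=acquisitions.army.mil
0.450 10.0.0.5 -> 198.51.100.7:443 sni=acquisitions.army.mil
0.900 10.0.0.5 -> 192.0.2.44:443 sni=unrelated.example.test
1.200 10.0.0.5 -> 203.0.113.10:80 sni=-
"""

# The client's advertised proxy pool (constructed); anything else is unexpected.
KNOWN_PROXIES = {"entry1.example-proxy.test", "entry2.example-proxy.test"}

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) sni=(?P<sni>\S+)$"
)


def parse(log: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def unexpected_tls_destinations(log: str, known: set) -> Counter:
    """Count TLS (port 443) connections whose SNI is not a known proxy host."""
    hits = Counter()
    for row in parse(log):
        if row["port"] == 443 and row["sni"] not in known:
            hits[row["sni"]] += 1
    return hits


if __name__ == "__main__":
    for host, n in unexpected_tls_destinations(SAMPLE_LOG, KNOWN_PROXIES).items():
        print(f"unexpected TLS destination {host}: {n} connection(s)")
```

The check cannot tell whether a user requested a site, so it is a triage step for a capture, not proof by itself.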

anon
23.08.09, 19:01
I'm not experienced enough to have a "real" look at the audit, but now we're talking about someone who knows about the matter. The behaviour Williams describes in the article is suspicious, at the very least, especially UltraReach not being too specific about a contact address or who's part of their team (although they may be doing this to protect their privacy).

I guess that in the end, you can never be sure about who's on the other side, especially with a public service. There's been talk about HSS being an "advanced" counter-terrorist method/honeypot on a local blog, too.

Grambo
24.08.09, 23:06
I hope there is no reason to worry, since I'm using it every day.

It is hard to find something as good and still free.