<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="bbPress/1.0.2" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Giveaway of the Day Forums &#187; Topic: Anyone using Ultrasurf? It&#039;s malware...</title>
		<link>http://www.giveawayoftheday.com/forums/topic/5851</link>
		<description>Giveaway of the Day Forums &#187; Topic: Anyone using Ultrasurf? It&#039;s malware...</description>
		<language>en-US</language>
		<pubDate>Sun, 12 Feb 2012 07:20:52 +0000</pubDate>
		<generator>http://bbpress.org/?v=1.0.2</generator>
		<atom:link href="http://www.giveawayoftheday.com/forums/rss/topic/5851" rel="self" type="application/rss+xml" />

		<item>
			<title>BentlyTCow on "Anyone using Ultrasurf? It&#039;s malware..."</title>
			<link>http://www.giveawayoftheday.com/forums/topic/5851#post-61309</link>
			<pubDate>Sun, 02 Aug 2009 12:30:10 +0000</pubDate>
			<dc:creator>BentlyTCow</dc:creator>
			<guid isPermaLink="false">61309@http://www.giveawayoftheday.com/forums/</guid>
			<description>&#60;p&#62;In considering it, I think that, for about 99% of people it will never actually affect them. Maybe even fewer. But it's always watching and recording what you do, just in case you do anything of interest. It must be a big and well-funded organization to need such a small percentage of success. It also seems to open and transmit a *lot* of different connections. In the video he's basically just sitting there watching the connections opening and he closes them. He's not browsing, not doing anything, but Sysinternals shows that dozens of connections are being made and closed the entire time Ultrasurf is open, including bank and college websites. How many different connections do you actually need to go to a single website? &#60;/p&#62;
&#60;p&#62;Forgot to mention above: I believe once it's deleted it's gone, as it does all its changes on the fly. But I'm not positive. Again, they don't seem interested in volume damage, but quality and anonymity. Unfortunately it's a lot more than I understand about security and networking, but something doesn't seem right.. it's more than just using other computers to fake an IP address. I'll be keeping an eye on that forum to see how things develop, but still.. something just doesn't seem right.
&#60;/p&#62;</description>
		</item>
		<item>
			<title>BentlyTCow on "Anyone using Ultrasurf? It&#039;s malware..."</title>
			<link>http://www.giveawayoftheday.com/forums/topic/5851#post-61304</link>
			<pubDate>Sun, 02 Aug 2009 10:38:27 +0000</pubDate>
			<dc:creator>BentlyTCow</dc:creator>
			<guid isPermaLink="false">61304@http://www.giveawayoftheday.com/forums/</guid>
			<description>&#60;p&#62;It's very interesting to see how it works. In the proof he mentions there's a video of the complete operation, from downloading it, running it and closing it. He's monitored network connections with Wireshark and sysinternals, and registry changes with Spybot. It makes changes when it opens, including monitoring and retransmitting connections, and then changes everything back when it closes, leaving no visible trace unless you're watching it happen.
&#60;/p&#62;</description>
		</item>
		<item>
			<title>mekai on "Anyone using Ultrasurf? It&#039;s malware..."</title>
			<link>http://www.giveawayoftheday.com/forums/topic/5851#post-61287</link>
			<pubDate>Sun, 02 Aug 2009 00:57:47 +0000</pubDate>
			<dc:creator>mekai</dc:creator>
			<guid isPermaLink="false">61287@http://www.giveawayoftheday.com/forums/</guid>
			<description>&#60;p&#62;It doesn't have an installer, it's just a thing that sits there until you activate it so if it's a worm or whatever, is deleting it enough once it's been used?
&#60;/p&#62;</description>
		</item>
		<item>
			<title>delenn13 on "Anyone using Ultrasurf? It&#039;s malware..."</title>
			<link>http://www.giveawayoftheday.com/forums/topic/5851#post-61282</link>
			<pubDate>Sat, 01 Aug 2009 23:23:52 +0000</pubDate>
			<dc:creator>delenn13</dc:creator>
			<guid isPermaLink="false">61282@http://www.giveawayoftheday.com/forums/</guid>
			<description>&#60;p&#62;BTC, thanks.&#60;/p&#62;
&#60;p&#62;Is nothing sacred? I have been using that for over 5 years because it was recommended by New York Times and, IIRC, CNet or something similar to it. I only used it with IE maybe once a month to see a TV show I missed etc. I never just surfed with it.&#60;/p&#62;
&#60;p&#62;Well, I am leaving to go camping for 9 days with NO internet access so I went ahead and took it off my PC. It was just an EXE with a shortcut on my Start Menu. I will be looking forward to seeing what has happened when I get back.&#60;/p&#62;
&#60;p&#62;I know I have recommended it here a few times. Sorry, but it came highly recommended.
&#60;/p&#62;</description>
		</item>
		<item>
			<title>BentlyTCow on "Anyone using Ultrasurf? It&#039;s malware..."</title>
			<link>http://www.giveawayoftheday.com/forums/topic/5851#post-61276</link>
			<pubDate>Sat, 01 Aug 2009 20:50:23 +0000</pubDate>
			<dc:creator>BentlyTCow</dc:creator>
			<guid isPermaLink="false">61276@http://www.giveawayoftheday.com/forums/</guid>
			<description>&#60;p&#62;For those that aren't familiar with Ultrasurf, the below is taken from their website:&#60;/p&#62;
&#60;p&#62;Privacy&#60;br /&#62;
Protect Internet privacy with anonymous surfing and browsing -- hide IP addresses and locations, clean browsing history, cookies &#38;#38; more ...&#60;br /&#62;
Security&#60;br /&#62;
Completely transparent data transfer and high level encryption of the content allow you to surf the web with high security.&#60;br /&#62;
Freedom&#60;br /&#62;
UltraSurf allows you to overcome the censorship and blockage on the Internet. You can browse any website freely, so as to obtain true information from the free world.&#60;/p&#62;
&#60;p&#62;This is mostly used in countries where internet censorship is still big, China, for instance. What they don't tell you is that they certainly do all that they say, but they also come along for the ride. The below information was released at Black Hat '09, a security convention held every year in Las Vegas, summed up by one of the people who spoke on the matter (link to his original post below):&#60;/p&#62;
&#60;p&#62;&#34;UltraSurf and Gtunnel and likely all products put out by the Global Internet Freedom Consortium / Internet Freedom.org, are in fact secret trojans. They give you a 1-hop proxy but use your system to launch attacks against financial institutions, government and energy websites, education, etc. Now here is the scary thing, if you are logged into one of these domains, like your bank, then they can get access to your authenticated session / cookie and potentially break right into your account, THROUGH YOUR OWN COMPUTER.&#60;/p&#62;
&#60;p&#62;Imagine if someone with a sensitive US position used ultrasurf. Suddenly their military login has been compromised. Not likely? They've been around twice as long as tor, and this exact thing happened on tor last year (see dan egerstadt).&#60;/p&#62;
&#60;p&#62;It gets better, any site you visit using the program, they turn off SSL cert checking so they can perform MITM and watch your entire session and logins. It is also capable of auto-updating, and spiders into your system when you install it, capturing not only IE but now Firefox and DNS and most other traffic. So everything you are doing, they have access to and may be logging and using against you.&#60;/p&#62;
&#60;p&#62;GIFC / Internet Freedom org are a huge scam. They are likely run by a private Chinese intelligence firm to monitor dissidents and US citizens while attacking critical infrastructure in the USA and Taiwan. They have fooled everyone for nearly a decade, and are seeking a $40m grant as an internet anti-censorship software.&#60;/p&#62;
&#60;p&#62;We have proof, wireshark logs, video, live audit, and a list of their attack patterns. Special thanks to Moxie Marlinspike for assistance.&#34;&#60;/p&#62;
&#60;p&#62;and in another post:&#60;/p&#62;
&#60;p&#62;&#34;I don't know about the particular behavior, but from what we have seen it is insidious: when you move, it moves. When you don't, it doesn't. That way its evil behaviors go undetected and you only get notices that would coincide with things you are already doing on your computer. fun fact: when you run Ultrasurf it spiders into your system; check your reg settings, when you close the program it removes the evil traffic-capturing entries it made, leaving no trace. evil evil. very well written.&#34;&#60;/p&#62;
&#60;p&#62;&#60;a href=&#34;http://www.wilderssecurity.com/showthread.php?s=e9453864d890aeeca63b54b0b5f48d8e&#38;#38;t=237184&#38;#38;page=5&#34; rel=&#34;nofollow&#34;&#62;http://www.wilderssecurity.com/showthread.php?s=e9453864d890aeeca63b54b0b5f48d8e&#38;#38;t=237184&#38;#38;page=5&#60;/a&#62; &#60;/p&#62;
&#60;p&#62;So what does this mean? If you've been using it or even if you have it installed, delete it. Most people who've used it, I imagine, are safe. But delete it, and quick! If you want to see the proof he mentions there's a download link in his post. This is as of August 30th, so it's not likely to be well documented anywhere yet, especially for as popular (and renowned) as Ultrasurf is. Scary stuff!
&#60;/p&#62;</description>
		</item>

	</channel>
</rss>

