PROXYBUSTERS Part 1 - UltraSurf
To enforce internet-access rules, administrators in most organizations define filtering and censorship policies that forbid access to non-business-related sites and the download or upload of classified data. Computer users today find different ways to bypass the firewall for freedom to access knowledge, whether good or bad. One of these is the use of proxy tools that bypass restrictions, such as UltraSurf.
UltraSurf is a light executable application designed to find a way around internet filtering and censorship. It lets users access any website freely using a regular Internet Explorer browser in the foreground while it uses the fastest of three proxy servers in the background.
UltraSurf does not need to be installed and does not change any system settings, which is why it is commonly used by ordinary users in doing extraordinary things. Almost all HTTP-based functions are retained, such as:
1. Website browsing
2. Web mail
3. Data uploading and downloading
4. Real time apps
Here is one of the sites to download UltraSurf:
Word of advice! Only use this in a controlled environment to avoid any complications or infections.
How does a user access unauthorized sites at the flick of a finger? It is as easy as counting 1, 2 and 3. Open the executable file and browse! Be sure that you are using the latest version, 9.2 or newer. Also check that the speed is 98% or faster to get maximum/optimal use.
How do we mitigate this application? Could we detect and solve the UltraSurf issue? We could get valuable information from our forums with the link below.
Here is some of the most valuable information contributed by our members in the forums. Thanks for their voluntary contributions.
RickJDS says: “It's an anonymous proxy that the SEP firewall cannot stop. Apparently it creates a local port 9996 on localhost and listens. I think it creates a tunnel out of port 443 so firewalls can't block it. Please tell me how to prevent this file from running with SEP MR4 MP2.”
Cycletech says: “ In my test lab I am running Ultrasurf, I am hitting IP address 126.96.36.199 through port 443. You can block all traffic to this IP address or an IP range. I know this won't keep the application from running, but it will stop all traffic from going through Ultrasurf.”
Dperfekgent says: “Ultrasurf... Yes this executable file is used by clients to bypass policies in getting to non business related sites. They could be detected as bloodhound sonar using TruScan Proactive threat scan... Some tend to rename the file so that they could use it again... but could still be seen by the AV. Any help in blocking it would be very useful.”
Paul Mapacpac says “I see, what if we request it to be treated as a virus and get its file signature so that it will not work. But this could lead to a long discussion with Symantec. I just received a report from my officemate that sometimes it can be detected by SEP as Bloodhound.Sonar.1 but I guess this depends on the websites they visit. If the environment has a proxy, as long as the proxy is set to be transparent there could be ways to block it. I am currently testing it with my colleagues.”
mon_raralio says: “If you open Ultrasurf, you have at least 3 options for which servers to use. An additional info: When using Firefox with Ultrasurf, you need to configure a proxy as 127.0.0.1 (localhost) with port 443. The admins here tried blocking it, but some applications used for work also stopped functioning.”
So far, we had not yet totally blocked the application but we could detect it through SEPM v11. We shall be waiting for Symantec to assist us in dealing with this application in the near future.
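The forum posts above report two behaviours that survive a file rename: a listener on localhost port 9996 and a tunnel out over port 443. The following added example (not from the original post or from Symantec) flags any process showing both in Windows `netstat -ano` output. The port number is the forum member's unverified observation, and the sample output and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Loopback listener port reported by a forum member on this page; not verified here.
SUSPECT_LOCAL_PORTS = {9996}
TUNNEL_PORT = 443

# Constructed sample of Windows `netstat -ano` output (documentation IP ranges).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:9996         0.0.0.0:0              LISTENING       4312
  TCP    127.0.0.1:9996         127.0.0.1:50122        ESTABLISHED     4312
  TCP    192.0.2.10:50130       203.0.113.7:443        ESTABLISHED     4312
  TCP    192.0.2.10:50131       203.0.113.7:443        ESTABLISHED     4312
  TCP    192.0.2.10:50140       198.51.100.20:443      ESTABLISHED     2076
  TCP    127.0.0.1:9996         0.0.0.0:0              LISTENING       5150
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def find_local_proxy_tunnels(netstat_text, local_ports=SUSPECT_LOCAL_PORTS):
    """Return {pid: sorted remote IPs} for processes that listen on a suspect
    loopback port AND hold established outbound connections on port 443."""
    listeners = set()
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header and UDP rows do not match the TCP row pattern
        laddr, lport, raddr, rport, state, pid = m.groups()
        lport, rport, pid = int(lport), int(rport), int(pid)
        if state == "LISTENING" and laddr == "127.0.0.1" and lport in local_ports:
            listeners.add(pid)
        elif (state == "ESTABLISHED" and rport == TUNNEL_PORT
              and not raddr.startswith("127.")):
            remotes[pid].add(raddr)
    # Only the combination is reported: port 443 traffic alone is normal browsing,
    # and a loopback listener alone carries nothing off the host.
    return {pid: sorted(remotes[pid]) for pid in listeners if remotes[pid]}


if __name__ == "__main__":
    for pid, ips in find_local_proxy_tunnels(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: loopback listener + port 443 tunnel to {', '.join(ips)}")
```

Because the match is on the PID's network behaviour, the flagged process can then be mapped to its executable path whatever the file has been renamed to.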