PROXYBUSTERS Part 1 - UltraSurf

Created: 25 May 2009 • Updated: 26 May 2009 | 38 comments
Author: Nel Ramos | +15 votes

To enforce rules on every organization's internet access, administrators define filtering and censorship policies that forbid access to non-business-related sites and the upload or download of classified data. Computer users today use different ways to bypass the firewall for the freedom to access knowledge, whether good or bad. One of these is a proxy application that bypasses restrictions: UltraSurf.

UltraSurf is a lightweight executable designed to find a way around internet filtering and censorship. It lets users access any website freely through a regular Internet Explorer browser in the foreground while, in the background, it uses the fastest of three proxy servers.

UltraSurf does not need to be installed and does not change any settings in the system, which is why it is commonly used by ordinary users to do extraordinary things. Almost all HTTP-based functions are retained, such as:

1. Website browsing
2. Web mail
3. Data uploading and downloading
4. Real time apps

Here is one of the sites to download UltraSurf:
Word of advice: only use this in a controlled environment to avoid complications or infections.

http://ultrasurf.en.softonic.com/download

How does a user access unauthorized sites with a flick of a finger? It is as easy as counting 1, 2, 3: open the executable file and browse. Be sure that you are using the latest version, 9.2 or newer. Also check that the speed indicator shows 98% or faster for optimal use.


How do we mitigate this application? Can we detect and resolve the UltraSurf issue? Valuable information is available in our forums at the link below.

https://www-secure.symantec.com/connect/forums/ultrasurf

Here is some of the most valuable information contributed by our members in the forums. Thanks for their voluntary contributions.

RickJDS says: “It's an anonymous proxy that the SEP firewall cannot stop. Apparently it creates a local port 9996 on localhost and listens. I think it creates a tunnel out of port 443 so firewalls can't block it. Please tell me how to prevent this file from running with SEP MR4 MP2.”
Cycletech says: “In my test lab I am running Ultrasurf, and I am hitting IP address 65.49.2.114 through port 443. You can block all traffic to this IP address or an IP range. I know this won't keep the application from running, but it will stop all traffic from going through Ultrasurf.”

Dperfekgent says: “Ultrasurf... Yes, this executable file is used by clients to bypass policies in getting to non-business-related sites. They can be detected as Bloodhound.Sonar using TruScan Proactive Threat Scan... Some tend to rename the file so that they can use it again... but it can still be seen by the AV. Any help in blocking it would be very useful. Thanks.”
Paul Mapacpac says: “I see, what if we request it to be treated as a virus and get its file signature so that it will not work? But this could lead to a long discussion with Symantec. I just received a report from my officemate that sometimes it can be detected by SEP as Bloodhound.Sonar.1, but I guess this depends on the websites they visit. If the environment has a proxy, as long as the proxy is set to be transparent, there could be ways to block it. I am currently testing it with my colleagues.”

mon_raralio says: “If you open Ultrasurf, you have at least 3 options for which servers to use. An additional info: when using Firefox with Ultrasurf, you need to configure a proxy as 127.0.0.1 (localhost) with port 443. The admins here tried blocking it, but some applications used for work also stopped functioning.”

So far, we have not totally blocked the application, but we can detect it through SEPM v11. We shall be waiting for Symantec to assist us in dealing with this application in the near future.

Comments (38)

Jobert:

@Dperfekgent: Nice prep...
I had checked the site...
by the way do you know the latest version of Ultrasurf out in the market?
thanks.

+10 votes

Paul Mapacpac:

Thanks for including my name on this article.. 2 Thumbs up! But I believe sir RickJDS already found a solution for this. Using MD5 via App Dev control..

+9 votes

Nel Ramos:

@Paul Mapacpac: no problem Paul... you are one of the most industrious resources we have in the forum... Just making sure you and the others are commended for your precious advice...
by the way we are trying the suggestion of trusted advisor "RickJDS"...
if this works I shall document the process and post it in the forums so that others may use it also..

Thanks.

Nel Ramos

+7 votes

Jobert:

Thanks Paul... I was just wondering how many ultrasurf versions are there.
thanks... I had seen v89..

+7 votes

bee3:

our company implemented a change that blocked port 443 but still Usurf is still usable :)

+7 votes

Nel Ramos:

@bee3: yes, it didn't do much... might as well use this link's resources:
https://www-secure.symantec.com/connect/forums/ultrasurf

RickJDS had suggested "Using the checksum utility and getting the MD5 and adding that into application and device control successfully blocks Ultrasurf from running even when you rename the executable." which is what we're gonna use... If this works seamlessly then we shall document this for PROXYBUSTERS Part 2: The documentation to block Ultrasurf...

There is another suggestion using a blocking app, but it has to be installed on every computer... very tedious, though using a deployment agent would minimize the workload..

thanks...

Nel Ramos

+7 votes

ubri04:

Ultra Surf is a kind of app that gives you a temporary proxy so you can finally browse the net, but using this kind of app has some consequences too. Sometimes it affects the operating system, especially the network. But still, it can really help us sometimes when we need to browse something important on the internet where we are strictly prohibited from using the internet.

+5 votes

Paul Mapacpac:

Ubri, I guess if the site is really important then you should request it to be unblocked via corporate firewall.

0 votes

mon_raralio:

ubri04 & Paul M.: Unblocking a website as a temporary solution would take some time, which usually we don't have. This would go through approvals from management or department heads. So I guess it is ok to use this application.

Ultrasurf was designed with the security of the user in mind, giving them privacy and allowing them to access websites not available in their country because of being blocked.

“Your most unhappy customers are your greatest source of learning.”

+5 votes

RickJDS:

What we really need is for Symantec to categorize this application using TruScan.  Also, Ultrasurf is not the only product out there that can run without installing, check out FreeGate as well: http://download.cnet.com/Freegate/3000-2085_4-10415391.html  This one works a little different in my limited testing, but I can see it uses port 8580 source and destination (different instances connecting to different source/destination ports respectively).

+7 votes

i2professional@yahoo.com:

Can you share more such tools so we can block them at our clients' place?

+2 votes

Nel Ramos:

@RickJDS: thanks for the info...
we have not yet detected any clients using FreeGate...
is this also detected by TruScan as Bloodhound.Sonar.1 or another?

Nel Ramos

+4 votes

RickJDS:

No, it is not detected by TruScan and neither is Ultrasurf being detected (version 94 in my environment).

+1 vote

mon_raralio:

Since this is valid software - not malware - I guess Symantec would be the one to decide if this is worth blocking or not. I'd like to cite AngryIPScanner.exe as an example of an application that Symantec detects as harmful and deletes wherever it is found on a PC.

“Your most unhappy customers are your greatest source of learning.”

+4 votes

i2professional@yahoo.com:

Since AngryIPScanner.exe is used to get IP addresses during an attack, Symantec detects it as harmful and deletes any found on a PC.

+2 votes

Paul Mapacpac:

You have a point, mon, but I would like to consider the company: if they use a proxy for their internet, then the employees should not use any tool to bypass the proxy.

0 votes

mon_raralio:

Points to consider:

1. Maybe this application is not yet widely used and, since it is not a real threat in itself, poses no risk.
2. You should also consider the political view of the country where Symantec is being used. Blocking an application that supports your freedom to do whatever you want with your PC is like saying that browsing a certain website is against the law. (This is how petitions start :P) I got this idea from the site.
3. We already have a solution. [wink,wink]

“Your most unhappy customers are your greatest source of learning.”

+4 votes

DaveMich:

The problem isn't that you need to block your users' proxy traffic, the problem is that you are letting them set their proxy settings themselves. If you prevent users from changing their proxy settings, these problems go away. You do that by removing permissions on the relevant portions of the registry. For a given user, the key area is

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings

Interactively, you right-click on that and change permissions for the desired user. A good admin should be able to figure out how to do this company-wide. Once you do this, users can't set a proxy server, and UltraSurf will fail to run because the first thing UltraSurf does is change this registry key.

+3 votes

Paul Mapacpac:

Hi Dave, in our test environment, changing proxies in the Internet Settings of Internet Explorer is blocked via GPO, but still, if they run Ultrasurf, it is changed. Maybe we need to set permissions on this key so that only a certain user can change it (e.g. admins).

I am not sure what ultrasurf uses when changing the proxies, it could be the SYSTEM account.

0 votes

DaveMich:

Well, in my test environment, if I take a machine, browse to

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings

and right-click and deny permissions to that section of the registry to admin (which is what I'm logged in as), then Ultrasurf fails to create the "ProxyServer" key and hangs. I haven't experimented beyond this, but it does work.

0 votes

Kristel:

How can you block Ultrasurf if each one has its own fingerprint?
Does that mean you need to get everyone's manually?
cheers...

+4 votes

RickJDS:

Each *version* has its own fingerprint. If you rename the file, it will still have the same fingerprint as the original.

0 votes
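An added example (not code from the article, the thread, or Symantec) showing the two fingerprint properties discussed here in Python: a renamed copy still matches because the file name plays no part in the hash, while a different build produces a different hash and needs its own blocklist entry, which is why a list of per-version MD5s can miss versions. The sample bytes and version labels are constructed stand-ins for real executables.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="md5", chunk=1 << 16):
    """Hash a file's contents in chunks; the file name is never hashed."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(directory, blocklist, algo="md5"):
    """Return {filename: label} for every file whose digest is in blocklist.

    blocklist maps hex digest -> label, one entry per known build, which is
    how an Application and Device Control hash rule is effectively keyed.
    """
    hits = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            label = blocklist.get(hash_file(path, algo))
            if label:
                hits[name] = label
    return hits


def demo():
    # Constructed stand-ins for two builds; real builds are PE binaries.
    build_a = b"CONSTRUCTED-SAMPLE-BUILD-A"
    build_b = b"CONSTRUCTED-SAMPLE-BUILD-B"
    # Blocklist knows only build A.
    blocklist = {hashlib.md5(build_a).hexdigest(): "known build A (sample)"}
    with tempfile.TemporaryDirectory() as d:
        samples = [("u.exe", build_a),       # original name
                   ("notes.exe", build_a),   # renamed copy, same bytes
                   ("u_new.exe", build_b)]   # newer build, not in list
        for name, data in samples:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return scan_directory(d, blocklist)


if __name__ == "__main__":
    print(demo())
```

The renamed copy is still caught; the unlisted build is not, so each new version must be hashed and added.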
Jobert:

that is right...
better to filter not the file names but by process...
thanks...

+4 votes

Nel Ramos:

Hi Team,

Please see how we blocked UltraSurf ... step by step...

Thanks to all that helped us, especially RickJDS... He knows what he is saying...
Hope we could promote him to Symantec Guru... hahaha..
Thanks Sir for the help...

https://www-secure.symantec.com/connect/articles/most-detailed-way-block-ultrasurf

Nel Ramos

+5 votes

i2professional@yahoo.com:

Hi Nel Ramos,

this is a really amazing article

+3 votes

Ghe21:

good article..
hope more to come..

+4 votes

zayreetadiosa:

great work...
good prep...
thanks..

+1 vote

mon_raralio:

Where is part 2?

“Your most unhappy customers are your greatest source of learning.”

+1 vote

Nel Ramos:

@mon_raralio: hi.. please kindly access part 2 in this link..
it is how the resolution of ultrasurf came to be..

https://www-secure.symantec.com/connect/articles/most-detailed-way-block-ultrasurf

Hope you all could read it since it worked for us..

Thanks...

Nel Ramos

+2 votes

she_esteban:

i had seen part 2 from the link..
thanks

+1 vote

kailaspadwale:

Plz provide link for part 2

Thanx...

0 votes

Paul Mapacpac:

Hi kayla, please check the last post of Nel Ramos on this thread.

Btw, here is the link again;

https://www-secure.symantec.com/connect/articles/m...

+2 votes

Amihan:

@Paul Mapacpac: you are right Paul..
nel's article is good..
it is step by step..
thanks...

0 votes

jimmygreen:

nice job on this article.
well explained


0 votes

a_farmahini@sooshia.net:


I added 20 MD5s from different versions of Ultrasurf, but some versions still work.

What can I do?

0 votes

nandoc_2k:

Hello, I think that the best option to block any version of Ultrasurf is to use the IPS technology. I'm working on how to block Ultrasurf using an IPS signature in SEP. I will report the results later.

0 votes

Sagar D. Kanase:

Hello,

Please try the document below, "How to block UltraSurf using Application and Device Control":

http://www.symantec.com/docs/TECH184200

Regards,

Sagar D. Kanase.
Technical Support Analyst.

+1 vote

Elisha:

I did some quick testing with Ultrasurf and found that it will use port 80 or port 443 to send traffic out. One solution is to create a firewall rule that blocks all applications except Firefox and Internet Explorer (or any other specific app you want to allow) from sending traffic out on port 80 or 443. However, since so many applications use port 80 or 443, this may not be doable.

In addition, I created an Application Control policy that will block Ultrasurf from running. I have attached the policy. You can simply import this into SEPM and then assign it to the group in which you want to block Ultrasurf.

Attachment: Application Control policy - Block Ultrasurf.zip (2.47 KB)

+1 vote