PROXYBUSTERS Part 1 - UltraSurf
To enforce an organization's internet access rules, administrators define filtering and censorship policies that forbid access to non-business-related sites and the download or upload of classified data. Computer users today use various ways to bypass the firewall, for the freedom to access knowledge, whether good or bad. One of these is a proxy application built to get around such restrictions: UltraSurf.
UltraSurf is a small executable application designed to find a way around internet filtering and censorship. It lets users access any website freely, using a regular Internet Explorer browser in the foreground while the fastest of three proxy servers is used in the background.
UltraSurf does not need to be installed and does not require the user to change any system settings, which is why ordinary users commonly use it to do extraordinary things. Almost all HTTP-based functions are retained, such as:
1. Website browsing
2. Web mail
3. Data uploading and downloading
4. Real time apps
Here is one of the sites to download UltraSurf:
http://ultrasurf.en.softonic.com/download
Word of advice! Only use this in a controlled environment to avoid any complications or infections.
How does a user access unauthorized sites with a flick of a finger? It is as easy as counting 1, 2, 3: open the executable file and browse. The author recommends the latest version, 9.2 or newer, and checking that the reported speed is 98% or faster for optimal use.
How do we mitigate this application? Can we detect and solve the UltraSurf issue? Valuable information is available in our forums at the link below.
https://www-secure.symantec.com/connect/forums/ultrasurf
Here is some of the most valuable information contributed by our members in the forums. Thanks for their voluntary contributions.
RickJDS says: “It's an anonymous proxy that the SEP firewall cannot stop. Apparently it creates a local port 9996 on localhost and listens. I think it creates a tunnel out of port 443 so firewalls can't block it. Please tell me how to prevent this file from running with SEP MR4 MP2.”
Cycletech says: “In my test lab I am running Ultrasurf, I am hitting IP address 65.49.2.114 through port 443. You can block all traffic to this IP address or an IP range. I know this won't keep the application from running, but it will stop all traffic from going through Ultrasurf.”
Dperfekgent says: “Ultrasurf... Yes, this executable file is used by clients to bypass policies to get to non-business-related sites. They can be detected as Bloodhound.Sonar using TruScan Proactive Threat Scan... Some tend to rename the file so that they can use it again... but it can still be seen by the AV. Any help in blocking it would be very useful.
Thanks.”
Paul Mapacpac says: “I see, what if we request it to be treated as a virus and get its file signature so that it will not work? But this could lead to a long discussion with Symantec. I just received a report from my officemate that sometimes it can be detected by SEP as Bloodhound.Sonar.1, but I guess this depends on the websites they visit. If the environment has a proxy, as long as the proxy is set to be transparent, there could be ways to block it. I am currently testing it with my colleagues.”
mon_raralio says: “If you open Ultrasurf, you have at least 3 options for which servers to use. Additional info: when using Firefox with Ultrasurf, you need to configure a proxy as 127.0.0.1 (localhost) with port 443. The admins here tried blocking it, but some applications used for work also stopped functioning.”
So far, we have not yet totally blocked the application, but we can detect it through SEPM v11. We will be waiting for Symantec to assist us in dealing with this application in the near future.
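The indicators quoted above (a listener on localhost port 9996, and sessions to 65.49.2.114 over 443) can be checked on a Windows host directly. The script below is an added example, not code from this article or from Symantec: it finds such connections, maps each to its owning process, and reports the image path with its MD5 so the hash can be fed into an Application and Device Control rule. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and PowerShell 4.0 or later for Get-FileHash; the relay address and ports are taken from the forum quotes, and the fallback port 80 is included because a later comment in this thread observed the tool using it.

```powershell
# Added example, not code from the article or from Symantec: check a Windows host for the
# UltraSurf indicators quoted in the article (loopback listener on 9996, sessions to the
# relay 65.49.2.114 over 443 or 80) and report the owning process with its image hash.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection) and PowerShell 4.0+ (Get-FileHash).
$LocalListenerPort = 9996                 # from RickJDS's observation
$KnownRelayIPs     = @('65.49.2.114')     # from Cycletech's lab test
$RelayPorts        = @(443, 80)           # 443 from the article; 80 noted later in the thread

function Get-SuspectConnections {
    # Loopback listeners on the port the tool opens for the browser.
    $listeners = Get-NetTCPConnection -LocalPort $LocalListenerPort -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -in @('127.0.0.1', '::1', '0.0.0.0') }

    # Any session to the known relay address on the ports seen in testing.
    $outbound = Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { ($_.RemoteAddress -in $KnownRelayIPs) -and ($_.RemotePort -in $RelayPorts) }

    @($listeners) + @($outbound)
}

function Get-OwningImage {
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    # Path is empty for the Idle/System and protected processes; skip rather than guess.
    if (-not $proc -or -not $proc.Path) { return $null }
    [pscustomobject]@{
        ProcessId = $ProcessId
        Name      = $proc.ProcessName
        Path      = $proc.Path
        MD5       = (Get-FileHash -Path $proc.Path -Algorithm MD5).Hash
    }
}

function Get-SuspectProcesses {
    Get-SuspectConnections |
        Select-Object -ExpandProperty OwningProcess -Unique |
        ForEach-Object { Get-OwningImage -ProcessId $_ } |
        Where-Object { $null -ne $_ }
}

# Run from an elevated session so other users' process paths are readable.
Get-SuspectProcesses | Format-Table -AutoSize
```

The relay IP is the weakest of these indicators: the quotes above already note that the server list changes with the sites visited and that blocking a single port did not stop the tool. The loopback listener and, above all, the image hash are the durable signals, which is why the script reports the hash rather than the file name.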
@Dperfekgent: Nice prep...
I had checked the site...
by the way do you know the latest version of Ultrasurf out in the market?
thanks.
Thanks for including my name on this article.. 2 Thumbs up! But I believe sir RickJDS already found a solution for this. Using MD5 via App Dev control..
@Paul Mapacpac: no problem Paul... you are one of the most industrious resource we have in the forum... Just making you and the others be commended for your precious advice...
by the way we are trying the suggestion of trusted advisor "RickJDS"...
if this works I shall document the process and post it in the forums so that others may use it also..
Thanks.
Nel Ramos
Thanks Paul... I was just wondering how many ultrasurf versions are there.
thanks... I had seen v89..
our company implemented a change that blocked port 443 but Usurf is still usable :)
@bee3: yes, it didn't do much... might as well use this link's resources:
https://www-secure.symantec.com/connect/forums/ultrasurf
RickJDS had suggested "Using the checksum utility and getting the MD5 and adding that into application and device control successfully blocks Ultrasurf from running even when you rename the executable." which is what we're gonna use... If this works seamlessly then we shall document this for PROXYBUSTERS Part 2: The documentation to block Ultrasurf...
There is another suggestion using a blocking app but it has to be installed on every computer... very tedious though, but using a deployment agent would minimize the workload..
thanks...
Nel Ramos
Ultra Surf is a kind of app that gives you a temporary proxy so you can finally browse the net, but using this kind of app has some consequences too. Sometimes it affects the operating system, especially the network. But still it can really help us sometimes when we need to browse something important on the internet where we are strictly prohibited from using the internet.
Ubri, I guess if the site is really important then you should request it to be unblocked via corporate firewall.
ubri04 & Paul M. : Unblocking a website for a temporary solution would take some time which usually we don't have. This would go through approvals from management or department heads. So I guess it is ok to use this application.
Ultrasurf was designed with the user's security in mind, giving them privacy and allowing them to access websites not available in their country because they are blocked.
“Your most unhappy customers are your greatest source of learning.”
What we really need is for Symantec to categorize this application using TruScan. Also, Ultrasurf is not the only product out there that can run without installing, check out FreeGate as well: http://download.cnet.com/Freegate/3000-2085_4-10415391.html This one works a little different in my limited testing, but I can see it uses port 8580 source and destination (different instances connecting to different source/destination ports respectively).
can you share more such tools so we can block them in our clients place?
@RickJDS: thanks for the info...
we have not yet detected any clients using FreeGate...
is this also detected by TruScan as Bloodhound.Sonar.1 or another?
Nel Ramos
No, it is not detected by TruScan and neither is Ultrasurf being detected (version 94 in my environment).
Since this is valid software - not malware - I guess Symantec would be the one to decide if this is worth blocking or not. I'd like to cite AngryIPScanner.exe as an example of an application that Symantec detects as harmful and deletes whenever found on a PC.
“Your most unhappy customers are your greatest source of learning.”
since AngryIPScanner.exe is used to get IP addresses during an attack, Symantec detects it as harmful and deletes any found on a PC.
You have a point mon, but I would like to consider the company: if they use a proxy for their internet, then the employees should not use any tool to bypass the proxy.
Points to consider:
1. Maybe this application is not yet widely used and, since it is not a real threat in itself, poses no risk.
2. You should also consider the political view of the country where Symantec is being used. Blocking an application that supports your freedom to do whatever you want with your PC is like saying that browsing a certain website is against the law. (This is how petitions start :P) I got this idea from the site.
3. We already have a solution. [wink,wink]
“Your most unhappy customers are your greatest source of learning.”
The problem isn't that you need to block your users' proxy traffic, the problem is that you are letting them set their proxy settings themselves. If you prevent users from changing their proxy settings, these problems go away. You do that by removing permissions on the relevant portions of the registry. For a given user, the key area is
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings
Interactively you right-click on that and change permissions for the desired user. A good admin should be able to figure out how to do this company-wide. Once you do this, users can't set a proxy server, and UltraSurf will fail to run because the first thing UltraSurf does is to change this registry key.
Hi Dave, in our test environment, changing proxies in the Internet Settings of Internet Explorer is blocked via GPO, but still if they run Ultrasurf, it is changed. Maybe we need to set permissions on this key so that only a certain user can change it (e.g. admins).
I am not sure what ultrasurf uses when changing the proxies, it could be the SYSTEM account.
Well, in my test environment, if I take a machine, browse to
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet Settings
and right-click and deny permissions to that section of the registry to admin (which is what I'm logged in as) then ultrasurf fails to create the "ProxyServer" key and hangs. I haven't experimented beyond this, but it does work.
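The interactive right-click procedure described above can be scripted so it is repeatable and reversible. The following is an added example, not Dave's procedure nor code from Symantec: it adds a Deny entry for one account on the Internet Settings key covering only the rights needed to write a value (SetValue and CreateSubKey), probes the key to confirm the write now fails, and provides a rollback. It assumes an elevated PowerShell session on the profile being locked; $Identity defaults to the current user and should be pointed at the group you actually want to restrict.

```powershell
# Added example, not Dave's procedure nor code from Symantec: deny write access on the
# Internet Settings key for one account so a proxy value cannot be written there, then
# verify the lock and provide a rollback. Run in an elevated session.
$KeyPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Identity = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$env:USERNAME"   # assumption: adapt to your target group

# Deny only the rights needed to write a proxy setting; reads stay allowed so the browser
# can still consume settings that an administrator pushes by policy.
$DeniedRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey

function New-ProxyLockRule {
    $ctorArgs = @(
        $Identity,
        $DeniedRights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ctorArgs
}

function Lock-ProxySettings {
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule((New-ProxyLockRule))
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Unlock-ProxySettings {
    $acl = Get-Acl -Path $KeyPath
    [void]$acl.RemoveAccessRule((New-ProxyLockRule))
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-ProxyLock {
    # Probe with a throwaway value name under the same key (same ACL applies), so an
    # existing ProxyServer value is never touched. Any write failure means the lock holds.
    try {
        Set-ItemProperty -Path $KeyPath -Name 'ProxyLockProbe' -Value '127.0.0.1:9996' -ErrorAction Stop
        Remove-ItemProperty -Path $KeyPath -Name 'ProxyLockProbe' -ErrorAction SilentlyContinue
        return $false   # the write went through: key is not locked
    } catch {
        return $true
    }
}

Lock-ProxySettings
"Proxy settings locked for ${Identity}: $(Test-ProxyLock)"
# To undo: Unlock-ProxySettings
```

Two caveats follow from the thread itself. The Deny entry binds only the accounts named in $Identity, so the concern raised above about the tool possibly writing under another account would need a matching rule for that account. And a permission set once by hand lasts only until someone with rights to change permissions on the key resets it, so for company-wide use distribute the setting through policy rather than applying it interactively.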
how can you block ultrasurf if each one has its own fingerprint?
meaning you need to get everyone's manually?
cheers...
Each *version* has its own fingerprint. If you rename the file, it will still have the same fingerprint as the original.
that is right...
better to filter not the file names but by process...
thanks...
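The fingerprint point in the exchange above (a renamed copy keeps the hash of the original) is what makes an MD5 rule in Application and Device Control effective. The script below is an added example, not code from the article or from Symantec: it scans a directory for files whose MD5 is on a list of known hashes, ignoring file names entirely, and demonstrates the rename invariance on a constructed sample file. It requires PowerShell 4.0 or later for Get-FileHash; the entries in $KnownHashes are placeholders to be replaced with the per-version MD5s you collect.

```powershell
# Added example, not code from the article or from Symantec: match files against a list of
# known MD5s so that a renamed copy is still identified. Requires PowerShell 4.0+ (Get-FileHash).
# The hashes in $KnownHashes are placeholders; replace them with the MD5s collected per version.
$KnownHashes = @(
    'PLACEHOLDER-MD5-OF-ULTRASURF-BUILD-1',
    'PLACEHOLDER-MD5-OF-ULTRASURF-BUILD-2'
)

function Find-KnownBinaries {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Hashes
    )
    # Get-FileHash returns upper-case hex, so normalise the list the same way.
    $lookup = @{}
    foreach ($h in $Hashes) { $lookup[$h.ToUpperInvariant()] = $true }

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        if ($lookup.ContainsKey($md5)) {
            # File name is reported for convenience only; the match is on content.
            [pscustomobject]@{ Name = $_.Name; Path = $_.FullName; MD5 = $md5 }
        }
    }
}

# Constructed demonstration: one sample file and a renamed copy of it. The copy keeps the
# same MD5, so both are reported once the sample's hash is on the list.
$demoDir  = Join-Path $env:TEMP 'hash-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$original = Join-Path $demoDir 'sample-build.bin'
Set-Content -Path $original -Value 'constructed sample content standing in for a build'
Copy-Item -Path $original -Destination (Join-Path $demoDir 'renamed-copy.exe')

$demoHashes = $KnownHashes + (Get-FileHash -Path $original -Algorithm MD5).Hash
Find-KnownBinaries -Path $demoDir -Hashes $demoHashes | Format-Table -AutoSize
```

Because every new build carries a new hash, the list has to be refreshed as versions appear; a hash rule on its own lags behind releases and is best paired with the process-level and registry controls discussed in this thread.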
Hi Team,
Please see how we blocked UltraSurf ... step by step...
Thanks to all that helped us specially RickJDS... He knows what he is saying...
Hope we could promote him to Symantec Guru... hahaha..
Thanks Sir for the help...
https://www-secure.symantec.com/connect/articles/most-detailed-way-block-ultrasurf
Nel Ramos
Hi nel ramos;
this is a really amazing article
good article..
hope more to come..
great work...
good prep...
thanks..
Where is part 2?
“Your most unhappy customers are your greatest source of learning.”
@mon_raralio: hi.. please kindly access part 2 in this link..
it is how the resolution of ultrasurf came to be..
https://www-secure.symantec.com/connect/articles/most-detailed-way-block-ultrasurf
Hope you all could read it since it worked for us..
Thanks...
Nel Ramos
i had seen part 2 from the link..
thanks
Plz provide link for part 2
Thanx...
Hi kayla, please check the last post of Nel Ramos on this thread.
Btw, here is the link again;
https://www-secure.symantec.com/connect/articles/m...
@Paul Mapacpac: you are right paul..
nel's article is good..
it is step by step..
thanks...
nice job on this article.
well explained
I added 20 MD5s from different versions of Ultrasurf but some versions are still working.
What can I do?
Hello, I think that the best option to block any version of Ultrasurf is to use the IPS technology. I'm working on how to block Ultrasurf using an IPS signature in SEP. I will report the results later.
Hello,
Please try the document below for "How to block UltraSurf using Application and Device Control"
http://www.symantec.com/docs/TECH184200
Regards,
Sagar D. Kanase.
Technical Support Analyst.
I did some quick testing with Ultrasurf and found out it will use port 80 or port 443 to send traffic out. One solution is to create a firewall rule to block all applications except Firefox and Internet Explorer (or any other specific app you wanted to allow) from sending traffic out on port 80 or 443. However since so many applications use port 80 or 443 this may not be doable.
In addition, I created an Application Control policy that will block Ultrasurf from running. I have attached the policy. You can simply import this into SEPM and then assign it to the group you want to block Ultrasurf.