Ultrasurf

Ultrasurf... Yes this executable file is used by clients to bypass policies in getting to non business related sites. They could be detected as bloodhound sonar using Truscan Proactive threat scan...
Some tends to rename the file so that they could use it again... but could still be seen by the AV.
Any help in blocking it would be very usefull.

thanks.   

Signing up to see a solution.

I think we block executable files via GPO, but just rename it will run again. How about submitting this to Symantec?

Yes Paul M...
Blocking executable files via GPO is only good if the clients would not rename the file...
They always rename it... that is a real problem... :(
I hope we could resolve it hear in the forums first..
if not then we might just get a ticket from Symantec...

Thanks...

How about testing SEP on VNC first. I'm also getting alerts from users with WinVNC installed. They're tagged as Commercial.Apps
But unlike UltraSurf, it needs to be installed.

Nel, I believe you found this application to be suspicous (virus) I suggest you submit it to Symantec for Analysis.

Okay, I submitted the file (version 94) to gold support.  We'll see what they say.  It's not really a virus, so I stated that I wanted SEP to be deny this file from running.

Well, just got a reply, they say the file is clean.

Hi Rick, the file is tagged as proxy avoidance.. this could be a risk if the one using it will use it for personal gain or something.

Hi Paul,

This is the text included with my submission:

This file is called Ultrasurf. Its an anonymous proxy that the SEP firewall cannot stop. Apparantly it creates a local port 9666 on localhost and listens. I think it creates a tunnel out of port 443 so firewalls cant block it. Please tell me how to prevent this file from running with SEP MR4 MP2

I see, what if we request it to be treated as a virus and get its file signature so that It will not work. But this could lead a long discussion with Symantec.

I just received a report from my officemate that sometimes it can be detected by SEP as Bloodhound.Sonar.1 but I guess this depends on the websites they visit.

I if the environment has a proxy as long as the proxy is set to be transparent there could be a ways to block it. I currently testing it my colleges.

We could try to block their servers, but we haven't captured all of it's servers. What about putting localhost:9666 on the restricted zone as a policy?

just tried it on our RAS access, our RAS access is only for emails.. Ultrasurf doesn't work.. hehehe

What about creating whitelist of authorized HTTPS sites? (just an idea)

Well, SEP is not reporting anything about this executable.  I know my hardware based firewall supports blocking this application, but I would have to do a major upgrade to the OS (Astaro).  I came across some internet sites talking about blocking it with GPO's, but my tests have not blocked it at all (I did manage to get it into the Internet Explorer's Restricted zone, but you really can't stop it there either).

I was hoping we could use Application Control to block it, but unless you can do it by the hash value, I don't see that as an option since you can rename the executible to anyting and it will still run.

Yah, we are still doing some tests, will update this thread for any updates. Thanks!

In my test lab I am running Ultrasurf, I am hitting IP address 65.49.2.114 through port 443. You can block all traffic to this IP address or an IP range. I know this won't keep the application from running, but it will stop all traffic from going through Ultrasurf.

Thomas

Well, seeing as how I have Learning applications enabled in my communication settings for all groups, I dug around and found the app in question (I had renamed it to test.exe) and SEP sees it as a 0 byte file with a very old time/date stamp and no fingerprint value: 

Although Ultrasurf is not treated as a virus but it makes security breeches for virus to proliferate...
Symantec better have this apps blacklisted not by its name but by its characteristics since clients just renames it to be undetected...
Since we could capture it thru heuristic scanning and all instances in our company had detected it thru the TruScan Proactive Threat Scan... Symantec could find a way to restrict it from executing..

Hopeful and thanks.
 

Hi Rick wat was the fingerprint before you rename it?

I don't know, I renamed it before I ran it.  Would it have made a difference since renaming it apparently wipes out the fingerprint (or wouldn't a new fingerprint be generated by SEP)?

I see that what I am after.. thanks for the info..

I am also in the dark Sir Rick (heheheeh) , we are still testing how to block it, dont worry we are compiling all of the methods that we are using and will post here..

But I think the solution is when the software is reqesting a connectiong from port 9666 to port 443, it should be routed to a dummy server. (just a thought , cannot test yet)

Btw, has anyone tried ultrasurf on a websense proxy environment?

Maybe I missed something here by why can you not just use application control in SEP to block the .exe using the MD5?  The latest version I downloaded has a value of: 11BC744801B516D0B84FBA5850EC8789   I guess you would then have a to have all older versions to get the MD5 from?

@mon_raralio: since we already have resource to wipe ultrasurf, it is an easier option rather than buy hardware although this option would be labor intensive...
Eventhough we wipe it... It does replicate after a while...
thanks...

We usually detect users as bloodhound sonar...
but the ussual problem is them renaming the apps...
cheers..      

A dummy server can be anything, im not proposing it be online.. could be a virtaul also (This is just an idea) as there no clear way of blocking this app.

Hi i have searched the net i have read that using windows publisher security, we can block this software via windows.

great paul.
please post the link if it is alright.
thanks.

Thanks, I will post procedures as soon as our team tests it.

May I know the latest Ultrasurf version in the market?
thanks.

Thank Mon...
I might had downloaded the 89 version because it would not operate anymore...
We shall test the 9.4...
thanks

http://blog.zemana.com/2009/01/zemana-anti-ultrasu...

How can we get this so TrueScan will detect this application like it does for VNC and LogMeIn so we can apply an action on it?

@delifeath: thanks.. we are now testing it... hope this works to stop internet junkies from exploiting the web... give you the test results later...

I am also into it...
would SEP be detecting this in heuristics?

Not only ultrasurf is detected as bloddhound sonar in SEP.
would it also block other applications that have the same properties?
I would like to know it before I use this...
lastly is this recommended by symantec?

many thanks all...

@RickJDS: hi... would it slow the SEP process if we activate the learn mode to detect Ultrasurf if we have 10,000 computers?

Thanks...

The MD5 for the latest versions is listed on their website. They also include the md5 on the zip. Their site would be a good place to check periodically to look for newer versions and the latest md5.

http://www.ultrareach.com - It's a noble cause, just a pain in the &$# for us admins here in the land of the free.

Also, here are two md5s for two earlier versions of ultrasurf:

f556271e1338dfc224cbebf6fe8f8eae - Not sure of version number

4e3a66482ef96368251d91b4f5ae0fda - Looks like version 8.8

Hi, I'm not familiar with the MD5s. Are they unique to everything being made?

I'm not against the use of Ultrasurf. It's just that some users don't understand the security issues it poses when used inside their company. They visit sites with malicious code and then...

4b498bcac14da546f420cd08bae1894b - MD5 for version 9.2

I'm adding these to my app/device control rule as I find them on the web. Blocks each and every version as I add them. Works like a charm!

Info on MD5

http://en.wikipedia.org/wiki/MD5

Hi Rick, have you tried the changing the Actions of the Application rule to log it? And also, ultrasurf is being detected by SEP and sending us notifications that it detected as BLOODHOUND .sonar

Why would something like this is not being detected via signature? Has anyone tried to submit UltraSurf to Symantec for idnetification and detection?

Here's Symantec's response after I submitted the file:
We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: u94.zip
machine: Machine
result: See the developer notes

filename: u94.exe
machine: Machine
result: This file is clean

Customer notes:
This is an Ultrasurf application that allows users to open a rogue proxy server on their machines and connect to other proxies via https to bypass all local outbound connection control measures.

Developer notes:
u94.zip is a container file of type ZIP
u94.exe is a clean file This file is contained by u94.zip

Hi Paul,

I am logging it (see the screen shot above it says under the launch process attempt: Block (log)). I have confirmed that SEP 11.0.4014.26 with AV/AS definitions of 6/1/2009 r3, PTP definitions of 6/1/2009 r20 and NTP definitions of 5/19/2009 r2 is NOT detecting Ultrasurf version 9.4 as anything.  I have the u94.exe on the desktop and right clicking on it and clicking on scan for viruses does not find anything.

Dimitri, I have submitted this to Symantec (read my post earlier) and the only response I got was the file was clean.

Also, just to note, the MD5 reported by the Ultrareach/wujie website is not the same as what is reported by the checksum utility provided with SEP.

Dperfekgent, I don't know what kind of performance hit the SEP client would take by enabling the learn application process, hopefully a Symantec employee can address this.  SEP is not detecting this as anything right now so it's pointless to enable the learn application process to detect it.  Users can rename the executable to anything and you would not know what file name to block.

Uh, the same exact fingerprint you have listed in your attached pic is the same exact one that is listed on the site. It is also the same exact one I pull from version 9.4 when I scan it. It also prevents version 9.4 from running when I add it to my block list. ??

11bc744801b516d0b84fba5850ec8789 - MD5 for version 9.4 - Listed on http://www.ultrareach.com as the version's MD5 and is also the result of Symantec's checksum ultility scan of the file.

b6d9db95e947705eeaa98544de5647ce - Fingerprint for version 8.7

The best way to do this is via SEP's firewall policy. Create a rule where host source is ANY and destination is 127.0.0.1 and under services source is ANY and destination is TCP/9996.
Other methods are not as reliable as Rick mentioned, as MD5/fingerprint and file name are easily bypassed by someone who knows what they're doing.

Specificity

http://www.ultrareach.com/download_en.htm

Have you tested this dimitri?

@SysAdmin1979: f556271e1338dfc224cbebf6fe8f8eae is the MD5 of U89.exe.
This was the first ultrasurf variant that we had encountered before the client updated to the Ultra surf 9.4...

 MD5 or fingerprint is not going to work all the time. Just like with signatures, you are always behind unless you can be 110% sure you've covered ALL possible versions. That's why you want to block this on the endpoint and on the network layer. Blocking it on the endpoint is done via fwall rule I described above. Blocking it on the network layer is a bit more complicated but I'm working on that. You will need a smart firewall or NIPS appliance that can do packet inspection and SSL reassembly to achieve this, or you will need to keep a list of all Ultrasoft proxy networks and blacklist them that way, which is a major pain in the ass.
It would be nice if Symantec released a signature for this, or at least gave us an option to classify UltraSurf as an unwanted proxy application, the way McAfee and Sophos does. This way you could block it on the endpoint once and for all and not load a separate fwall rule for this particular threat.

We're testing this MD5 today.

SEPM > Clients > Ploicies > Application and Device Control Policy

Enabled: Block applications from running.

Added the MD5 in the Launch Process Attempts for versions 89 and 94 of Ultrasurf.
Add...
Match file fingerprint.

We've successfully prevented the user from using the application:

SEPM > Clients > Policies > Application and Device Control Policy

Enabled: Block applications from running.

Added the MD5 in the Launch Process Attempts for versions 89 and 94 of Ultrasurf.
Add...
Match file fingerprint. Added these MD5 values
md5 for version 94:   11bc744801b516d0b84fba5850ec8789
md5 for version 89:   f556271e1338dfc224cbebf6fe8f8eae

Set the action to Terminate the Process.
Note: Setting it to block doesn't do anything.

Success also on our part...
Both U89 and U94 that is being used by clients are now terminated upon startup of execution.
We are also finding the fingprint of the other apps that needs blocking....
They are not happy but we are!
Many thanks to RickJDS for the resolution!

thanks...

Block works better for me.  The user is given an error message "the handle is invalid".  I'm hoping they think they have a corrupt file.

Terminate does the job well too, but the users will probably try to keep running the executable since they don't get a notification unless you enable it.  I haven't tested enabling the notification through the policy (would it be a Symantec pop up windows or a normal Windows pop up?).

Glad it works for you both.

8.7 or u87 = b6d9db95e947705eeaa98544de5647ce
8.8 or u88 = 4e3a66482ef96368251d91b4f5ae0fda
9.2 or u92 = 4b498bcac14da546f420cd08bae1894b
9.4 or u94 = 11bc744801b516d0b84fba5850ec8789
Unknown at this time to me = f556271e1338dfc224cbebf6fe8f8eae -  Looks like it's 8.9 - Thanks Nel Ramos!

What versions we are missing...... No idea

I wonder if they would respond to an email request for this information?

info@ultrareach.com

So now that everyone is blocking Ultrasurf, what about Tor? Same concept, but fwall policy blocking traffic to localhost won't work since the port is dynamic. Anyone figured it out on a network layer, versus chasing down versions and checksums? 

Hi Team, have you tried renaming the file then run the process again? Hi dimitri, we are testing it to block via network side, still no progress.. will update this thread as soon as we get positive results.

8.6 or u86 = f53597f07ad9425d64a1eccd440e7b54
9.0 or u90 = faf9418cc0d4d4ff0a78f61283a9d29a
9.1 or u91 = 13f51c8c42e44bcb459c62e1c0e0e93b

I'm going to get to Tor eventually

Besides Tor, there are about 7 others that come up on a quick websearch.

Is there a group policy that can prevent users from configuring their proxy settings?

Yes, i've tried renaming the file and it is still blocked via the fingerprint method.

@Dimitri - I like your suggestion for blocking it via the firewall with port 9996, but when i test it here i'm seeing ultrasurf configure via port 9666. Has anyone else seen anything other than these two ports? I wonder if it uses several different ports, or whether I'm just seeing it wrong.

Hi SysAdmin I believe it is only using port 9666 of the localhost. Try to use firefox and it will only work if you put 127.0.0.1(address) and 9666(port) after running ultrasurf.

Now I'm curious as to how/if anyone is blocking the Firefox snap-ins for either Ultrasurf or Tor. SEP can only block (and fingerprint) EXEs to be used in application execution control rules, and file access rule that prevents access to actual XPI doesn't seem to do anything. I've tested few different combinations but every time  Firefox loads plug-in and provides access to either Tor or UltraSurf network.
Thoughts?