UltraSurf is free software designed to promote unrestricted Internet access for citizens of China.
Software designed to beat Chinese censorship may behave in ways that seem suspect, but it is all part of the application’s strategy to fool the Great Firewall of China, according to one programmer of the software.
“There are many built-in tricks that do all kinds of things to confuse the firewall,” says David Tian, a NASA scientist who works on UltraSurf in his spare time. The free software is designed to promote unrestricted Internet access for citizens of China, in particular those persecuted for being members of Falun Gong, the religious group the Chinese government is trying to suppress.
Some of those tricks were pointed out last month at the Black Hat security conference by researchers who interpreted the odd behaviors as counterproductive to the anti-censorship goal and perhaps malicious. Roughly a month after the conference, Tian responded to a request made there for his reaction to the research.
UltraSurf is a proxy network that masks the origin and destination of traffic in an effort to keep the Chinese government’s Internet filters from detecting forbidden communication. Users download an UltraSurf client, which sends and receives traffic via a network of proxies set up and maintained by UltraReach, a subgroup of the Global Internet Freedom Consortium.
Kyle Williams, security director of XeroBank, an Internet privacy vendor, said in his Black Hat conference briefing that UltraSurf automatically attempts to make HTTPS encrypted connections to servers unrelated to the UltraSurf proxy network.
“How does it know I got an invalid server if the traffic is really end-to-end encrypted?” Williams says. He also noted these odd behaviors:
= When the client appears to connect to an IP address in private address space, it also probes neighboring IP addresses in sequence, Williams says.
= When an UltraSurf client seeks a non-existent URL via HTTPS, it receives a response from an UltraSurf server.
= UltraSurf taps a Google Reader RSS feed for updates that Williams interprets as lists of targets for the software to probe.
= Commercial anti-virus software detects UltraSurf as a Trojan.
Tian addressed each behavior, but the overriding theme of his answers was that UltraSurf does an ever-changing variety of strange things in order to fool the Great Firewall of China. UltraSurf servers answer requests for non-existent URLs because the proxy network sends back its own notification: the client’s communication, including SSL, is all proxied, so any response will come from a proxy rather than from the destination, Tian says.
When UltraSurf appears to probe private IP space, it is actually sending out ruse connection attempts. “We send pretend connections out and the purpose is to confuse the Great Firewall and possibly local firewalls,” he says.
Chinese authorities monitor UltraSurf carefully and try to identify signatures that can be used to set filters, so the software sends out useless traffic to make noise that makes it difficult to characterize the legitimate traffic, he says.
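The neighbor-probing behavior Williams described, and the deliberate noise Tian says explains it, is the kind of pattern a network defender can look for in a connection log. The following is an added example written for this page; it is not UltraSurf code and does not come from the Black Hat briefing. It parses a constructed connection log (the five-column format, the timestamps and the addresses are all invented for the example) and reports, per source host, runs of connection attempts to consecutive destination addresses within a short time window. The thresholds (three addresses, 30 seconds) are arbitrary assumptions, not figures from either Tian or Williams.

```python
"""Find runs of connection attempts to consecutive IP addresses in a
connection log.  Added example for this article; not UltraSurf's code."""
import ipaddress
from collections import defaultdict

# Constructed sample log, not a capture of real UltraSurf traffic.
# Format (an assumption for this example): "<unix_time> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1250000000 10.1.2.50 192.168.1.20 443 tcp
1250000001 10.1.2.50 192.168.1.21 443 tcp
1250000001 10.1.2.50 192.168.1.22 443 tcp
1250000002 10.1.2.50 192.168.1.23 443 tcp
1250000002 10.1.2.50 192.168.1.24 443 tcp
1250000005 10.1.2.50 64.233.169.99 443 tcp
1250000010 10.1.2.77 192.168.1.5 80 tcp
1250000011 10.1.2.77 10.0.0.8 22 tcp
1250000012 10.1.2.77 10.0.0.9 22 tcp
"""


def parse_log(text):
    """Parse whitespace-separated log lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            records.append({
                "ts": int(parts[0]),
                "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]),
                "port": int(parts[3]),
                "proto": parts[4],
            })
        except ValueError:
            continue
    return records


def _flush(src, run, min_run, findings):
    """Record a completed run if it is long enough to be interesting."""
    if len(run) >= min_run:
        findings.append({
            "src": str(src),
            "first": str(run[0]["dst"]),
            "last": str(run[-1]["dst"]),
            "count": len(run),
            # True when every probed address is RFC 1918 / otherwise private space
            "private": all(r["dst"].is_private for r in run),
        })


def sequential_runs(records, min_run=3, window=30):
    """Per source host, find runs of attempts whose destination address
    increases by exactly one each time, with the whole run inside `window`
    seconds.  Returns a list of findings for runs of at least `min_run` hosts."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)

    findings = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        run = [recs[0]]
        for r in recs[1:]:
            prev = run[-1]
            if (r["dst"].version == prev["dst"].version
                    and int(r["dst"]) == int(prev["dst"]) + 1
                    and r["ts"] - run[0]["ts"] <= window):
                run.append(r)
            else:
                _flush(src, run, min_run, findings)
                run = [r]
        _flush(src, run, min_run, findings)
    return findings


if __name__ == "__main__":
    for finding in sequential_runs(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log the detector reports one run: 10.1.2.50 touching 192.168.1.20 through 192.168.1.24, all in private space, while 10.1.2.77’s two-address hop is below the threshold. The point of the exercise is the one Tian’s explanation makes: such a rule cannot tell a decoy from a scan, so a client that deliberately emits this pattern to look noisy to the Great Firewall will look equally noisy to a local IDS or anti-virus engine.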
The software taps Google Reader RSS feeds to download software updates, just as some commercial applications tap servers to download new versions and patches, Tian says. UltraSurf uses Google Reader and other third-party resources because Chinese authorities would soon discover and block download sites maintained by Global Internet Freedom Consortium, he says.
Commercial anti-virus software detects UltraSurf as malware because it does engage in suspicious activity, he says, but some anti-virus vendors have agreed to whitelist the application. Those that have not agreed report it as malware, Tian says.
UltraSurf programmers play a cat-and-mouse game with Chinese censors trying to block its traffic, so the team working on it has to continually alter its methods to adapt to each innovation in the Great Firewall, he says. “We have a great understanding of the Great Firewall and how to defeat it.”
He says he has been working on UltraSurf since 2002 with a team of other volunteers distributed around the world. He gives the software credit for enabling Iranian protesters to send messages out of the country in the aftermath of that country’s elections in June. Demand for UltraSurf servers was so high that the Global Internet Freedom Consortium couldn’t afford the bandwidth and ultimately had to cut off access.
“We couldn’t afford to support them. Traffic doubled every day. If we had the money I think history would be quite different,” Tian says.