Black Hat: Free cloaking software may actually draw attention to traffic it’s supposed to protect

An examination of UltraSurf finds odd activity running in the background

An Internet tool to shield Chinese dissidents from their government seems to do just the opposite and also probes military, financial and academic networks in the U.S., Canada and Taiwan, according to research presented at Black Hat.

(How the Chinese Internet is different: slideshow)

UltraSurf software is promoted as a means to proxy Internet traffic so that when it arrives at its destination forensic experts can't figure out where it came from.

But observation of UltraSurf at work reveals that it also automatically attempts to make HTTPS encrypted connections to unrelated servers, says Kyle Williams, security director of XeroBank, an Internet privacy vendor, who has researched the software.

Among the sites it has probed without user intervention is acquisitions.army.mil, he says, a U.S. Army URL that would be sure to attract the attention of the Great Firewall of China, the Internet filtering infrastructure the Chinese government uses to restrict the Internet access of its citizens.

The proxy system that versions of UltraSurf has used included six entry proxies, half in California and half in Taiwan, and six exit proxies, half in the U.S., two in China and two one in Taiwan, Williams says. A Chinese dissident sending traffic to an entry node in the U.S. or Taiwan and receiving traffic from the U.S. and Taiwan would also flag attention, he says.

The software used to have a two-hop proxy but that has been downgraded to one hop, he says.

from UltraReach, whose Web site doesn’t list an address or management team. It says the company is “dedicated to providing technologies and service for people to exchange information on Internet freely and safely” and was founded “by a group of successful entrepreneurs, renowned scientists and engineers in Silicon Valley.”

The software is available free

UltraReach hasn't responded to a request left at its Web site for an interview about the software.

The software is promoted on the Web site of Global Internet Freedom Consortium, a group whose Web site describes its purpose this way: “Our mission is to build a pioneering online platform that breaks down the Great Firewalls blocking the free flow of information penetrating into, moving within, and originating from closed societies (e.g., China and Iran) via the Internet.”

UltraSurf does some other puzzling things. For instance, if one of the HTTPS requests hits an invalid URL, the request is redirected to UltraSurf’s page. “How does it know I got an invalid server if the traffic is really end-to-end encrypted?” Williams says.

UltraSurf has an auto-update feature that uses Google Reader RSS feeds to receive a Google Docs URL where it downloads encrypted payloads. Williams says he thinks the payloads are lists of target addresses for the software to probe.

In experimenting with UltraSurf in virtual machines, he has had the software succeed in accessing IP addresses with what seem to be internal IP addresses, making it seem that the software has successfully accessed another network. Once this happens, the software checks a few more addresses in that range as if to discover more about the apparent internal network, he says.

UltraSurf doesn’t launch any attacks, but seems to be doing Internet reconnaissance, Williams says. Reconnaissance traffic sent by earlier versions of the software had Trojans attached that set off alerts from mainstream anti-virus software. He says he doesn’t know what the Trojans did and at the time they were part of the software package anti-virus vendors might not have had signatures for them. “They might not have been known then,” he says.

Williams says he plans further research into UltraSurf.

Learn more about this topic

China pressures Google on 'porn' to get even over Green DamChinese security company shares huge malware database
Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies