Skip Links

Developer denies software to beat Chinese censors is malicious

UltraSurf programmer says the software acts suspiciously, but it’s just trying to put one over on the Great Firewall of China.

By , Network World
August 28, 2009 05:29 PM ET

Network World - Software designed to beat Chinese censorship may behave in ways that seem suspect, but it is all part of the application’s strategy to fool the Great Firewall of China, according to one programmer of the software.

“There are many built-in tricks that do all kinds of things to confuse the firewall,” says David Tian, a scientist for NASA who works spare-time on UltraSurf, the free software designed to promote unrestricted Internet access for citizens of China persecuted for being members of Falun Gang, the religious group the Chinese government is trying to suppress.

 How the Chinese Internet is different from yours

Some of those tricks were pointed out last month at the Black Hat security conference by researchers who interpreted the odd behaviors as counterproductive to the anti-censorship goal and as perhaps malicious. After about a month, Tian recently responded to a request made during the conference for reaction to the research.

UltraSurf is a proxy network that masks where traffic is being sent to and received from in an effort to keep the Chinese government’s Internet filters from detecting forbidden communication. It calls for users to download an UltraSurf client, which sends and receives traffic via a network of proxies set up and maintained by UltraReach, a subgroup under the Global Internet Freedom Consortium.

Kyle Williams, security director of XeroBank, an Internet privacy vendor, said in his Black Hat conference briefing that UltraSurf automatically attempts to make HTTPS encrypted connections to servers unrelated to the UltraSurf proxy network.

“How does it know I got an invalid server if the traffic is really end-to-end encrypted?” Williams says.He also noted these odd behaviors:
= When the client appears to connect to an IP address within a private network, it probes sequentially close IP addresses as well, Williams says.
= When an UltraSurf client seeks a non-existent URL via HTTPS, it receives a response from an UltraSurf server
= UltraSurf taps a Google Reader RSS feed for updates that Williams interprets as lists of targets for the software to probe.
= Commercial anti-virus software detects UltraSurf as a Trojan.


Tian addressed each behavior, but the overriding theme of his answers was that UltraSurf does an ever-changing variety of strange things in order to fool the Great Firewall of China. The response from UltraSurf servers to attempts to reach non-existent URLs is due to the proxy network sending back a notification. It proxies all the communication including SSL so any response will be from a proxy, Tian says

When UltraSurf appears to probe private IP space, it is actually sending out ruse connection attempts. “We send pretend connections out and the purpose is to confuse the Great Firewall and possibly local firewalls,” he says.

Chinese authorities monitor UltraSurf carefully and try to identify signatures that can be used to set filters, so the software sends out useless traffic to make noise that makes it difficult to characterize the legitimate traffic, he says.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News