Posted: 29 Aug 2009 12:18 AM PDT
Over the last months, rumors that Ultrasurf is malware have grown stronger and stronger. Now a developer from the Ultrareach team has explained Ultrasurf's strange behavior.
Ultrasurf is a proxy tool that hides the user's IP address and masks where traffic is being sent to and received from. The main goal of Ultrasurf was to keep the Chinese government's Internet filters from detecting forbidden communication.
Lately, Ultrasurf was suspected of being a trojan because of its strange behavior and the traffic it sends to different locations. On Wilders Security Forum, SteveTX, a member of the XeroBank team, explained in detail what Ultrasurf does and concluded:
Last month, at the Black Hat security conference, Kyle Williams, security director of XeroBank, said that UltraSurf automatically attempts to make HTTPS encrypted connections to servers unrelated to the UltraSurf proxy network.
"How does it know I got an invalid server if the traffic is really end-to-end encrypted?" Williams says. He also noted these odd behaviors:
David Tian, a scientist for NASA who works on UltraSurf in his spare time, addressed each behavior, but the main idea was that UltraSurf does an ever-changing variety of strange things in order to fool the Great Firewall of China. The response from UltraSurf servers to attempts to reach non-existent URLs is due to the proxy network sending back a notification. It proxies all communication, including SSL, so any response will come from a proxy.
Chinese authorities monitor UltraSurf carefully and try to identify signatures that can be used to set filters, so the software sends out useless traffic as noise that makes the legitimate traffic difficult to characterize.
UltraSurf programmers play a cat-and-mouse game with Chinese censors trying to block its traffic, so the team working on it has to continually alter its methods to adapt to each innovation in the Great Firewall, Tian says. "We have a great understanding of the Great Firewall and how to defeat it."