
Ultrasurf by Ultrareach.net -> malware?


Virus Guy

Dec 13, 2009, 10:11:10 PM
Here's another anonymous web-surfing app that looks suspicious at VT:

http://www.ultrareach.com/index_en.htm

hxxp://www.ultrareach.com/downloads/ultrasurf/u98.zip

6 hits at VT:

CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Pck.EXECryptor
McAfee+Artemis Artemis!D446A55E30E2
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.C
PCTools Packed/Execryptor
VirusBuster Packed/Execryptor

Actual malware? Or fp?

FromTheRafters

Dec 13, 2009, 10:16:33 PM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B25ACCE...@Guy.com...

Did you unzip it and submit the exe?


Virus Guy

Dec 13, 2009, 10:22:13 PM
FromTheRafters wrote:

> > Actual malware? Or fp?
>
> Did you unzip it and submit the exe?

Yes.

See also:

http://www.how-to-hide-ip.info/2009/08/29/developer-denies-ultrasurf-is-malicious/

Virus Guy

Dec 13, 2009, 10:37:12 PM
Ultrasurf and Freegate are sometimes mentioned together as software
designed to allow users to get around web-surfing and blocking
strategies as performed by some countries (China, various Arab
countries, etc).

http://en.wikipedia.org/wiki/Freegate

It seems that this is a grey area for AV/AM software. On one hand, you
want to detect legit threats. On the other, you want to help thwart
web-censorship by not flagging this software that does some very
peculiar and suspicious things.

It's not clear to me that this software will do what I'm looking for -
which is to view rights-restricted streaming / multimedia content across
certain national borders...

If this is true - that most of this category of software is _really_
designed to get around the "great firewall of china", would it, say,
allow someone in China to access and watch Hulu videos?

Or just allow them to access the New York Times or CNN.com or the BBC?

FromTheRafters

Dec 14, 2009, 3:46:43 AM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B25AF65...@Guy.com...

Thanks for the additional info.

In my opinion, this is neither malware nor a false positive.

As an analogy, a report of a bomb in a public place that turns out to be
a road flare protruding from a knapsack would be a FP. A report of a
suspicious package in a public place that turns out to be a road flare
protruding from a knapsack would not (it did, indeed, cause suspicion).

Most of the reports that you posted only reported the suspicious nature
of the exe, so IMO it is a correct assessment. Heuristic detections
should always be taken with a grain of salt. The program (or its
installer) may *need* to be evasive detection-wise because of its nature,
and the antimalware should indeed warn the user when such methods are
employed for whatever reason.
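The distinction drawn in this post, between an engine saying "this is packed/looks suspicious" and an engine naming a specific family, is something an analyst can apply mechanically to a multi-engine report. The Python below is an added example written for this thread, not code from any participant or any AV vendor: it sorts each engine's label into a packer, heuristic, or named-family bucket and summarises what that mix supports. The six detection lines are copied from the first post; the regex taxonomy, the vendor name "ExampleAV" and the family "Trojan.Win32.Example.A" used for contrast are constructed assumptions of this example.

```python
import re
from collections import Counter

# Detection lines as posted earlier in the thread, one "Vendor Label" per line.
VT_REPORT = """\
CAT-QuickHeal (Suspicious) - DNAScan
Comodo Heur.Pck.EXECryptor
McAfee+Artemis Artemis!D446A55E30E2
McAfee-GW-Edition Heuristic.LooksLike.Win32.SuspiciousPE.C
PCTools Packed/Execryptor
VirusBuster Packed/Execryptor
"""

# Constructed for contrast only (hypothetical vendor and family, not a real hit).
CONSTRUCTED_NAMED_HIT = "ExampleAV Trojan.Win32.Example.A"

# Rough label taxonomy, checked in order; the first match wins. These patterns
# are this example's own assumption, not any vendor's published naming scheme.
LABEL_CLASSES = (
    # Packer/protector identification: describes how the file is wrapped,
    # not what it does once unpacked.
    ("packer", re.compile(r"packed|pck\b|execryptor|themida|upx|crypter", re.I)),
    # Heuristic, generic and cloud-reputation verdicts: "looks suspicious",
    # but no family is named.
    ("heuristic", re.compile(r"heur|suspicious|lookslike|dnascan|artemis|generic|\bgen\b", re.I)),
)


def parse_report(report: str):
    """Yield (vendor, label) pairs from 'Vendor Label' lines; blank lines are skipped."""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        vendor, _, label = line.partition(" ")
        yield vendor, label.strip()


def classify(label: str) -> str:
    """Return 'packer', 'heuristic', or 'named' for one detection label."""
    for name, pattern in LABEL_CLASSES:
        if pattern.search(label):
            return name
    return "named"  # anything not matched above is treated as a specific family name


def triage(report: str):
    """Classify every line of a report; return (rows, per-class counts)."""
    rows = [(vendor, label, classify(label)) for vendor, label in parse_report(report)]
    counts = Counter(cls for _, _, cls in rows)
    return rows, counts


def verdict(counts) -> str:
    """Summarise what the mix of label classes supports."""
    flagged = sum(counts.values())
    named = counts["named"]
    if flagged == 0:
        return "clean-by-these-engines"
    if named == 0:
        # Every hit is a packer or heuristic label: the file is evasive or
        # unusual, but no engine has identified a known malicious family.
        return "suspicious-only"
    if named >= 2:
        return "named-consensus"
    return "named-single"


if __name__ == "__main__":
    for report in (VT_REPORT, VT_REPORT + CONSTRUCTED_NAMED_HIT + "\n"):
        rows, counts = triage(report)
        for vendor, label, cls in rows:
            print(f"{vendor:20} {cls:10} {label}")
        print("verdict:", verdict(counts), dict(counts))
        print()
```

Run on the six lines from the thread, every hit lands in the packer or heuristic bucket and the verdict is "suspicious-only"; adding the one constructed named-family line changes it to "named-single". That is the point of the post made concrete: a page of hits is not the same as a page of identifications, and the next step for a "suspicious-only" report is unpacking and analysing the binary, not a conclusion either way.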


Virus Guy

Dec 14, 2009, 9:33:18 AM
FromTheRafters wrote:

> Thanks for the additional info.
>
> In my opinion, this is neither malware nor a false positive.

Some additional material here:

http://www.wilderssecurity.com/showthread.php?t=237184

How can a piece of software evade exact analysis and categorization by
so many people?

Note particularly the comments made by SteveTX (he started the thread).

FromTheRafters

Dec 14, 2009, 11:19:26 AM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B264CAE...@Guy.com...

Aside from them not knowing what a virus is, Steve may be adhering to
responsible disclosure in his refusal to comment further.

Rootkits (and even keyloggers) can be either bad or good, and this may
land in a grey area - but there has not been a virus yet that didn't
land pretty squarely in the malware category. If the running of that
software meant that an unintentional vulnerability exists on the host
system, it would be a good recommendation to remove the software even if
it *is* grey area software and not strictly malware.


FromTheRafters

Dec 14, 2009, 12:18:36 PM
"Virus Guy" <Vi...@Guy.com> wrote in message
news:4B25B2E8...@Guy.com...

Either.

...but then, you would have to agree with this (would you? - I don't
think so). :o)

http://www.ultrareach.com/privacy_en.htm

I especially enjoyed the part where you're expected to keep up with
changes in the privacy policy itself (recursion?).


Message has been deleted

Virus Guy

Dec 14, 2009, 6:53:35 PM
ASCII wrote:

> If SteveTX is San Antonio Stalker Steve of Bexar County, he's
> probably adhering to responsible disclosure of his lack of
> knowledge.

It has been mentioned by some that SteveTX has some relationship with
xerobank.

http://en.wikipedia.org/wiki/XeroBank_Browser

We might be talking about Steve Topletz here.

It has been mentioned that these various anonymizers would be
competition for SteveTX / xerobank, hence his remarks.

See also:

http://www.wilderssecurity.com/showthread.php?t=252102

http://forum.sysinternals.com/forum_posts.asp?TID=20299&PN=1

http://www.wilderssecurity.com/showthread.php?t=252789

"While I certainly appreciate letting us know there are still some free
ones out there, the free VPN/Anonymous surfing world seems to be
drowning in snake oil, and, in the case of Ultrasurf, danger."

While this may not be a problem for Americans accessing the internet
within the USA, a growing category of malware will target Canadians,
Britain, Western Europe and Australia as internet users from those
countries resort to these various applications that promise access to
Hulu and other multimedia files.

From within the US, those that want to torrent multi-media files with
anonymity will increasingly resort to these applications - naturally for
different reasons...

Ant

Dec 14, 2009, 7:38:23 PM
"FromTheRafters" wrote:

> "Virus Guy" wrote:
>> http://www.wilderssecurity.com/showthread.php?t=237184
>>
>> How can a piece of software evade exact analysis and categorization by
>> so many people?
>>
>> Note particularly the comments made by SteveTX (he started the
>> thread).
>
> Aside from them not knowing what a virus is, Steve may be adhering to
> responsible disclosure in his refusal to comment further.

Apparently he was waiting until after he had made a Blackhat 2009
presentation.

"UltraSurf and Gtunnel and likely all products put out by the Global
Internet Freedom Consortium / Internet Freedom.org, are infact secret
trojans. They give you a 1-hop proxy but use your system to launch
attacks against financial institutions, government and energy
websites, education, etc"...

http://www.wilderssecurity.com/showpost.php?p=1514487&postcount=106

Maybe I'm using the wrong search terms but I'm finding the lack of
comment about this by the security community a bit strange.


FromTheRafters

Dec 14, 2009, 10:31:32 PM
"Ant" <n...@home.today> wrote in message
news:mfCdnQX_jNkYR7vW...@brightview.co.uk...

I thought the same thing. However, I didn't download the "proof" file
offered up in another post because I'm pretty sure I wouldn't have
understood it (or believed it) enough to form a conclusion for myself.

"Suspicious" is good enough for me (and that privacy statement is a work
of art).

