Blocking UltraSurf and Tor.


Jinhee

Apr 29, 2014, 12:43:05 AM
to nxfil...@googlegroups.com
I know there are a lot of system admins wanting to block UltraSurf and Tor.
I had some idea for this one.
At least it seems like a possible solution to me at the moment.

But don't know if it really works in real world.
I will make an application killing these processes.
If anybody is interested in the application you can test it.

Jinhee

Giorgio Catena

Apr 29, 2014, 2:04:44 AM
to nxfil...@googlegroups.com
Hi,
could be interesting....

Giorgio Catena

Apr 29, 2014, 5:13:03 AM
to nxfil...@googlegroups.com
and if I can add....also locking dnscrypt could be a good idea...

Jinhee

Apr 29, 2014, 8:27:10 AM
to nxfil...@googlegroups.com
Don't know if it's of any use.
Seems like something similar to DNSSec.
Some people are talking about it.
But nobody uses it.
Don't need to jump in before it's widely used.

Do you have any other application to block?
Like Skype?
Or uTorrent?
DropBox?

Just finished 30% of the job.
I was going to go with C#.
But I changed my mind considering your possible difficulties in the deployment process.
So I am writing C++ code.
Only I forgot too many things.

I still think C# is much more promising for the future.

Jinhee

Giorgio Catena

Apr 29, 2014, 8:44:01 AM
to nxfil...@googlegroups.com
Well, if possible it could be useful to lock a list of processes. How do you identify them? By MD5/SHA or name?
Regards

Jinhee

Apr 29, 2014, 8:49:14 AM
to nxfil...@googlegroups.com
Process name first and then some little secret. :)

What do you mean by 'to lock a list of process'?

Jinhee

Giorgio Catena

Apr 29, 2014, 10:54:08 AM
to nxfil...@googlegroups.com
Well access to config file containing the list of process to be blocked.....

Nate Blanchard

Apr 29, 2014, 4:01:46 PM
to nxfil...@googlegroups.com
Giorgio,
what happens when I rename ultrasurf to Explorer?

I think it will be done on the hash or digital certificate. Which means you would have to keep the list up to date.

In Windows with Group Policy it is possible to block UltraSurf via its certificate... (haven't done it but it is possible)

Jinhee

Apr 29, 2014, 5:17:54 PM
to nxfil...@googlegroups.com
Even if you rename UltraSurf I think we'll be able to kill the process.
That's what I am going to find out with the testing.
And I'm not sure you can change the filename if you're just a domain user on AD.
Of course in UltraSurf's case, it's changing its name with every version up.

Jinhee

Jinhee

Apr 29, 2014, 5:21:39 PM
to nxfil...@googlegroups.com
@ Giorgio

Yeah, eventually we will have a better one.
On the GUI you can select which application to kill.
Could be even more flexible if you can add new applications to kill.

Jinhee

mark page

Apr 29, 2014, 5:58:11 PM
to nxfil...@googlegroups.com
Users can rename files within their profile, and on removable media. We chased this problem last year, creating new hashes for every version and iteration of UltraSurf became too much to keep up with. I finally used GPO to remove the users rights to change the proxy settings in the registry. You can accomplish the same thing by setting the ACL on the proxy enable keys to read only.

Jinhee

Apr 29, 2014, 6:06:35 PM
to nxfil...@googlegroups.com
@Mark

Yeah, that's the way to go.
I was going to use that proxy setting on registry to find UltraSurf process.
Don't know if it's useful if you can do it by GPO already.

What about Tor?
Can you block Tor with that?

Jinhee

mark page

Apr 29, 2014, 6:11:21 PM
to nxfil...@googlegroups.com
Not sure, I've never tried. I assume that if the Tor app is using the system proxy, it should work. There are issues with Firefox, it does not use the system proxy on Windows, but the Firefox exe hashes are much easier to keep current.

Jinhee

Apr 29, 2014, 6:35:04 PM
to nxfil...@googlegroups.com
I don't want to use file hashes.
Who's going to maintain it anyway?
I want to make it something configurable by a user without any serious knowledge.

Firstly using process name.
But it can be bypassed by changing the process name.

And then using the window title.
UltraSurf is a Windows program and it has a title containing 'UltraSurf'.
Tor Browser is also a Windows program and in the title it has 'Tor Browser'?
Is it easily changeable by users?

About UltraSurf I can use an extra measure.
Finding the process based on IE proxy settings.

Jinhee

Jinhee

Apr 29, 2014, 6:56:32 PM
to nxfil...@googlegroups.com
I tested with some window title changer program.
You can change UltraSurf's title.
But not for Tor, at least for now.
Because as soon as you start browsing its title changes back.

Anyway it's still possible to find UltraSurf using IE proxy settings.
Only it does not look useful enough if you can do it by using GPO already.

About Tor.
I think I can find out its proxy settings by reading its config file.
But what if it's installed in a different directory.

Jinhee

Rob Asher

Apr 29, 2014, 10:36:44 PM
to nxfil...@googlegroups.com
I know Tor can be run directly from a USB drive.  There's a bundle specifically for mobile "safe" browsing that can be run from USB or wherever you want to put it.  We attempt to stop both tor & ultrasurf by blocking all egress traffic except from our own internal proxy services.  It's pretty draconian and becomes a nightmare to maintain exceptions for valid services that can't be proxied.  We have roughly a 50/50 mix of apple & windows devices and haven't found a single solution that works well for both other than firewall rules.  Software restriction policies looked promising for windows.  Since we're not running an AD domain, that wasn't something that we pursued.  With samba4, that may be something I have to look into again now though.

Rob

mark page

Apr 29, 2014, 11:15:20 PM
to nxfil...@googlegroups.com
TOR is a pain, and almost impossible to stop completely. I'm running pfSense with pfBlocker and three solid TOR blacklists updated hourly. It doesn't get 100% but it does make it take long enough that most folks give up. I use GPO (and psexec) to modify registry ACLs (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable / ProxyServer) so that only domain admins have write access, and take away user rights to regedit; that kills UltraSurf... for the most part. Stopping DNS requests at the firewall is critical. Only our caching DNS box has access to port 53 behind the firewall, and only the DCs talk to it. The NxFilter boxes get their DNS through the DCs, with redirection entries for all local hosts. If they want it bad enough, don't mind the wait and the slow connection, they can get through. I'm just trying to make it as inconvenient as possible.

BYOD is a whole 'nother story ;-)

Mark
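The registry-ACL approach Mark describes here and earlier in the thread, written out as an added PowerShell example (not code from the thread or from NxFilter): it clears the proxy values, leaves the interactive user read-only on the key, and moves ownership to the admin group so the user cannot simply rewrite the ACL. It assumes a context with rights to change the key's owner and ACL (a GPO script or psexec, as Mark mentions) and uses BUILTIN\Administrators as a placeholder for the domain admins group.

```powershell
# Added example, not from the thread: lock the IE proxy values that UltraSurf
# rewrites, using a registry ACL instead of a hash list.
# Assumes it runs with rights to change the key's owner and ACL, e.g. from a
# GPO startup script or psexec as SYSTEM; $AdminGroup is a placeholder, pass
# 'YOURDOMAIN\Domain Admins' on a domain.
$ProxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Protect-ProxyKey {
    param(
        [string]$Path = $ProxyKey,
        [string]$AdminGroup = 'BUILTIN\Administrators'
    )
    # Put the values in the "no proxy" state before locking the key.
    Set-ItemProperty -Path $Path -Name ProxyEnable -Value 0 -Type DWord
    Remove-ItemProperty -Path $Path -Name ProxyServer -ErrorAction SilentlyContinue

    $acl = Get-Acl -Path $Path
    # Break inheritance without copying inherited rules, then drop any explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }

    $user  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    # Interactive user: read only. Admin group and SYSTEM: full control. Rules inherit to subkeys.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $user, 'ReadKey', 'ContainerInherit', 'None', $allow)))
    foreach ($principal in @($AdminGroup, 'NT AUTHORITY\SYSTEM')) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $principal, 'FullControl', 'ContainerInherit', 'None', $allow)))
    }
    # A key's owner keeps an implicit right to rewrite its ACL, and users own their own
    # HKCU keys, so hand ownership to the admin group or the user can undo this.
    $acl.SetOwner([System.Security.Principal.NTAccount]$AdminGroup)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-ProxyKeyLocked {
    param([string]$Path = $ProxyKey)
    # Returns $true when the proxy is off and this context cannot turn it on.
    # Run it in the user's own (non-admin) session; an admin can always write.
    $enabled = (Get-ItemProperty -Path $Path -Name ProxyEnable -ErrorAction SilentlyContinue).ProxyEnable
    if ($enabled -ne 0) { return $false }
    try {
        Set-ItemProperty -Path $Path -Name ProxyEnable -Value 1 -Type DWord -ErrorAction Stop
        # Write succeeded, so the lock is not effective here; put the value back.
        Set-ItemProperty -Path $Path -Name ProxyEnable -Value 0 -Type DWord
        return $false
    } catch {
        # Write refused: the ACL holds for this user.
        return $true
    }
}

Protect-ProxyKey
```

Pair this with the GPO removal of regedit that Mark mentions; the ACL only covers the values UltraSurf touches, not other ways a local admin could reach them.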

Giorgio Catena

Apr 30, 2014, 2:24:09 AM
to nxfil...@googlegroups.com
@Mark @Jinhee,
the only system I found to completely block the execution of unwanted programs like Tor or something else is to solidify the workstation using solidstate (actually part of the McAfee suites); the real pain is that almost every action is blocked.
A lighter way to manage unwanted processes is to do a mix & match of names (with wildcards on file name / window title) and/or the SHA1 hash of the executable file.
SHA1 / MD5 or something else is, in my personal opinion, not something that an NxFilter admin would have difficulties managing, but that is a personal idea.
Finally, with GPO you can manage proxy settings (it's exactly what I do, passing a "false" pac file containing a directive that says direct for everything) but you can't block Tor by GPO as far as I know.
Regards

Jinhee

Apr 30, 2014, 2:42:46 AM
to nxfil...@googlegroups.com
I am currently working on the new nxlogon.
It will be able to kill the UltraSurf and Tor processes based on process name and window title.
I think it might still work with the window title if we run it every 5 sec.
With 5 sec you don't have enough time to change a window title using a program like a window title changer.
And for UltraSurf I will use that IE proxy setup thing.
And then see what happens first.

Jinhee

Jinhee

May 1, 2014, 7:18:25 AM
to nxfil...@googlegroups.com
This is NxLogon v1.1.

It can find and kill UltraSurf and Tor processes.

I tested it on Windows 7, Windows 2003 server, Windows XP pro.
All succeeded in killing UltraSurf and Tor.

One thing to note is that we don't do killing by window title this time.
At first it seems OK but there's a possibility of having false positives.
There are some programs changing their window title.

Suppose you read some document about 'UltraSurf' on the Internet.
Then your browser's window title will contain 'UltraSurf'.
Of course it still might differ from 'UltraSurf' in a case-sensitive way.
And you even might want to block that document as well.
But strictly speaking 'killing browsers' is not what you want.

Besides I found another way of killing Tor process.
So firstly we go that way.

You can just replace your old nxlogon.exe with this one.
Just need to add '-k' flag in nxlogon.bat.

So it will be like.
  nxlogon.exe 192.168.0.100 -k

If you don't know how to run it on GPO then read this first.
  http://nxfilter.org/tutorial.php#single_sign

Jinhee
nxlogon-1.1-beta.zip
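The three signals the thread works through (process name, window title, IE proxy value) combined into one check, as an added PowerShell example that is not NxLogon's code. The blocked names, titles, browser keywords and the sample process list are constructed for illustration, and the loopback-proxy test is an assumption about how UltraSurf sets the proxy; the sample includes a browser whose title merely mentions UltraSurf, which the exclude list keeps off the result, the false positive Jinhee describes above.

```powershell
# Added example, not NxLogon's code. Detection only: it returns what matched
# and why, so the operator decides what to do with the result.
function Find-SuspectProcess {
    param(
        [Parameter(Mandatory)] [object[]]$Process,            # Get-Process output or test objects
        [string[]]$BlockedName    = @('tor'),                 # process names without .exe (assumption)
        [string[]]$BlockedTitle   = @('UltraSurf', 'Tor Browser'),
        [string[]]$ExcludeKeyword = @('Mozilla Firefox', 'Google Chrome', 'Internet Explorer')
    )
    foreach ($p in $Process) {
        $title   = [string]$p.MainWindowTitle
        $reasons = @()
        # Signal 1: process name. Bypassed by renaming, which is why it is not the only signal.
        if ($BlockedName -contains $p.Name) { $reasons += 'name' }
        # Signal 2: window title, but only when no browser keyword is present, so a
        # browser tab about UltraSurf is not mistaken for UltraSurf itself.
        $titleHit = @($BlockedTitle   | Where-Object { $title -like "*$_*" }).Count -gt 0
        $excluded = @($ExcludeKeyword | Where-Object { $title -like "*$_*" }).Count -gt 0
        if ($titleHit -and -not $excluded) { $reasons += 'title' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.Name; Title = $title; Reason = ($reasons -join '+') }
        }
    }
}

function Get-UserProxySetting {
    # Signal 3: the IE proxy values UltraSurf rewrites. Assumption: it points them at a
    # loopback address, so that pattern is flagged rather than any enabled proxy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $s = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled = [int]$s.ProxyEnable
    $server  = [string]$s.ProxyServer
    [pscustomobject]@{
        ProxyEnable   = $enabled
        ProxyServer   = $server
        LoopbackProxy = ($enabled -eq 1 -and $server -match '^(127\.0\.0\.1|localhost):')
    }
}

# Constructed sample standing in for Get-Process output (names and titles are made up).
$Sample = @(
    [pscustomobject]@{ Id = 101; Name = 'tor';      MainWindowTitle = '' },
    [pscustomobject]@{ Id = 102; Name = 'u1404';    MainWindowTitle = 'UltraSurf 14.04' },
    [pscustomobject]@{ Id = 103; Name = 'firefox';  MainWindowTitle = 'Blocking UltraSurf and Tor - Mozilla Firefox' },
    [pscustomobject]@{ Id = 104; Name = 'explorer'; MainWindowTitle = 'Documents' }
)
Find-SuspectProcess -Process $Sample | Format-Table -AutoSize
# Against live processes in the user's session: Find-SuspectProcess -Process (Get-Process)
Get-UserProxySetting
```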

mark page

May 1, 2014, 4:10:53 PM
to nxfil...@googlegroups.com
Not bad! Stomps the out-of-box processes dead =)

Jinhee

May 1, 2014, 9:55:35 PM
to nxfil...@googlegroups.com
Yeah, it's supposed to kill Tor even if a user changes its filename and window title.

Jinhee

Jinhee

May 2, 2014, 1:14:05 AM
to nxfil...@googlegroups.com
If you want to run it without NxFilter or single sign-on, then just remove that server-ip part.

  nxlogon.exe -k

Jinhee

mark page

May 2, 2014, 11:03:59 AM
to nxfil...@googlegroups.com
I made a test roll-out of about 30 computers this morning. DNS queries began to fail on just over 50% of the machines I tested, and they eventually locked-up within 5-10 minutes. The lock-ups appear to be occurring with the Computer Browser service, most likely AD / DNS related. These were all Windows 7 Pro boxes.

Jinhee

May 2, 2014, 12:08:46 PM
to nxfil...@googlegroups.com
Are you trying to setup AD + single sign-on?
It seems like your PC can't resolve hosts in AD.
Did you do the zone-transfer?

But it's not clear what you're talking about firstly.
Is it about AD integration or is it about new nxlogon.exe causing some problem?

Jinhee

mark page

May 2, 2014, 9:29:44 PM
to nxfil...@googlegroups.com
This is about NxLogon... Is that not the topic of this thread? I didn't have time to get back to it today, we rolled back to the previous NxLogon, rebooted, and everything was ok. Just a quick glance through the event logs show the computer browser service failing, along with some WMI query errors -- These do not appear with the previous version. I do not know how much of this is directly related to NxLogon, it may be a conflict with a specific driver or other software.

Mark

Jinhee

May 2, 2014, 9:49:06 PM
to nxfil...@googlegroups.com
There is some possibility of a false positive in finding Tor.
Thanks for the report.
I will test it on my side first.

Jinhee

Jinhee

May 2, 2014, 10:18:50 PM
to nxfil...@googlegroups.com
This is the new one.
Now I excluded the Microsoft internal ports from port checking.
And I made 2 more flags for debugging.

-k : Kill UltraSurf and Tor.
-ku : UltraSurf only.
-kt : Tor only.

Jinhee
nxlogon-1.1-beta-20140503.zip

Jinhee

May 4, 2014, 1:51:54 AM
to nxfil...@googlegroups.com
Now I am working on a full scale application control.
You can set it up on NxFilter GUI.
The options are:

  1. Enable control
  2. Block UltraSurf
  3. Block Tor
  4. Blocked process name
  5. Blocked window title
  6. Exclude keyword

It's global but you can disable it on a policy.
That means you can apply it to only specific groups.

Now we're talking about this thing on LinkedIn as well.
  http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&discussionID=5867864515663642627&gid=51443&goback=.nmp_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1_*1#commentID_null

Jinhee

Giorgio Catena

May 5, 2014, 2:03:47 AM
to nxfil...@googlegroups.com
Great, this is really great stuff!

Giorgio Catena

May 5, 2014, 3:36:14 AM
to nxfil...@googlegroups.com
Now I have to discover how to prevent nxlogon from being killed (or to be able to relaunch it again once stopped).

Jinhee

May 5, 2014, 4:38:28 AM
to nxfil...@googlegroups.com
Really? Can you tell us what it is? I didn't think about that kind of possibility so far. Because if they kill it they will lose the Internet connection. Actually DNS resolving. But it would be a nice tip for people just running NxLogon without NxFilter.

Jinhee

mark page

May 5, 2014, 5:32:27 AM
to nxfil...@googlegroups.com
You could use Group Policy to prevent access to the task manager for non-admin users. You might want to prevent access to the shell as well to stop them from using taskkill. I guess someone could simply put pskill on a thumb drive; it depends on how far you want to go. Ideally, nxlogon would run as a service, but that would require a lot of work since it would no longer run in the users' context.

Giorgio Catena

May 5, 2014, 6:11:40 AM
to nxfil...@googlegroups.com
Well, the fact is that users can always be machine admins, and in those cases they would be able to kill nxlogon whenever they want without any problem, and that is not manageable by GPO.
Furthermore, I'm testing the new nxlogon but it's crashing on my machine; after a while it simply shuts down.


Giorgio Catena

May 5, 2014, 6:12:30 AM
to nxfil...@googlegroups.com
Jinhee, they can always log on by the block page and bypass the Tor block that way....

mark page

May 5, 2014, 6:52:53 AM
to nxfil...@googlegroups.com
Your users can always be admins? I'm assuming you mean local admins. Yeah, that's a whole new nightmare. Why do they need to be in the local admins group?

Jinhee

May 5, 2014, 7:13:56 AM
to nxfil...@googlegroups.com
@Giorgio

Yeah, you're right. If you still have the login-page that could happen.
What was your OS for the crash?

Jinhee

Jinhee

May 5, 2014, 7:27:20 AM
to nxfil...@googlegroups.com
@Giorgio

What if you just run it with -ku flag.
Only for killing UltraSurf process.
Still crashes?

Jinhee

Giorgio Catena

May 5, 2014, 7:42:49 AM
to nxfil...@googlegroups.com
Windows 7 x64.
Now I tried to relaunch it. Is there any debug option that I can enable?
I would suggest (take it as a suggestion) enabling a password lock on the process, where the password is passed as a parameter on the command line; if disabled, the process is killable without a password, otherwise you must enter a password.

What do you think?

Jinhee

May 5, 2014, 8:08:23 AM
to nxfil...@googlegroups.com
-d option is the debug option.
You could see it running on your CMD.
But not working from GPO launch.
You need to run it on your CMD.

Can't protect the process anyway if you can kill it from taskmgr.
And making it a service is a whole different story.
You can't run it from GPO, I guess.
Too complicated anyway.

Already too far from a simple solution since I am working on central GUI and logging.

Jinhee

Giorgio Catena

May 5, 2014, 8:35:17 AM
to nxfil...@googlegroups.com
Well, you are right, mine was just a suggestion, because I know that users being blocked try everything to get around the lock.
You're doing a great job and this could be a problem: you built a good application filter for unwanted software that works jointly with the DNS filter, but it's easily killable.
The idea of the password was only a thing that came to my mind to avoid going through Windows services and so on.

Jinhee

May 5, 2014, 8:48:09 AM
to nxfil...@googlegroups.com
When you kill it as a local system admin, do you not need to log off?
I think NxLogon stops when you log off the system anyway.
If you can be a system admin you can do whatever you want anyway.

If you just empty your login-page that might work.
They can't login.
But if you want to use the login-page it's not possible.

Jinhee

Giorgio Catena

May 5, 2014, 10:52:59 AM
to nxfil...@googlegroups.com
Well, what you suggest (empty login page) would do the trick, but on the other side it would block guests or non-domain-joined machines from being able to access the Internet.
Once you log off NxLogon stops and it's fine; in fact I also enabled the logoff session option.
I know that an admin can do almost everything, and in fact I do have some applications that are even more critical that are not protected from uninstallation (e.g. McAfee Agent).
Speaking with a guy from McAfee, he said they are thinking of "passwordizing" the service; it seemed a good idea also for NxLogon, nothing more.....
In any case I'll search the net for something that enables an application to be protected from an "accidental shutdown".

Jinhee

May 5, 2014, 5:24:26 PM
to nxfil...@googlegroups.com
If you worry about it that much then you can do the same thing as your users do.
Change the name to something like 'svchost' or some other thing.

And I don't think it's possible to protect the process from a kill signal from an admin.
Not sure about your McAfee guy.
Could have been talking about another thing.
Or maybe it's possible for him.

Did you find out when it crashes?
I will add more debugging messages with a new version.

Jinhee

Jinhee

May 5, 2014, 8:25:43 PM
to nxfil...@googlegroups.com
I also run it on Windows 7 64bit.
No crash so far.
Are you sure it was a crash?

This is a new one with more debug messages.

Jinhee

nxlogon-1.2-beta-20140506.zip

Giorgio Catena

May 6, 2014, 9:40:06 AM
to nxfil...@googlegroups.com
Thanks Jinhee, I'll try and I'll let you know.

Giorgio Catena

May 7, 2014, 2:06:44 AM
to nxfil...@googlegroups.com
Hi Jinhee, I left your last agent running locally on my machine in debug mode as requested.
I do not receive any error on the agent and it is still running, but on the server side I do receive this:

ERROR [05-07 07:57:29] - Couldn't find the user 192.168.167.51, /LP 6575863ea92e2c2c15fafa6460c76384

If I stop and restart the agent in the last release the error remains, but if I start the original version (1.0) the system logs me in successfully.

I've never seen this error before and I do not think it is related to an Active Directory problem.
What could be the origin?

Regards

Giorgio Catena

May 7, 2014, 2:25:58 AM
to nxfil...@googlegroups.com
Before I forget, I left the agent running but the master node has been restarted due to the shallalist nightly update.

Regards

Jinhee

May 7, 2014, 2:49:15 AM
to nxfil...@googlegroups.com
If it doesn't crash, that's great.
That /LP protocol was introduced with the new one.
It's being used for retrieving the application-control policy.

But your NxFilter doesn't support it.
NxLogon is the new one but your NxFilter is an old one.
So you need to update it to v2.0.7.

I will do the beta testing for that next week.

Jinhee

Jinhee

May 10, 2014, 12:59:12 AM
to nxfil...@googlegroups.com
The beta version for v2.0.7 has been released. We will continue on here.
  https://groups.google.com/forum/#!topic/nxfilter200/C_Iyf01EsD4