PROXYBUSTERS Part 1 - UltraSurf

To enforce an organization's internet usage policy, administrators define filtering and censorship rules that forbid access to sites unrelated to business and prevent the upload or download of classified data. Users today have many ways to bypass the firewall in the name of free access to information, good or bad. One of them is a proxy tool built to bypass such restrictions: UltraSurf.

UltraSurf is a light executable designed to find a way around internet filtering and censorship. It lets users reach any website through a regular Internet Explorer browser in the foreground, while in the background it uses the fastest of three proxy servers. UltraSurf needs no installation and changes no system settings, which is why ordinary users so commonly use it for extraordinary things. Almost all HTTP-based functions are retained:

1. Website browsing
2. Web mail
3. Data uploading and downloading
4. Real-time apps

Here is one of the sites to download UltraSurf. Word of advice: only use this in a controlled environment to avoid complications or infections.

http://ultrasurf.en.softonic.com/download

How does a user reach unauthorized sites with a flick of a finger? It is as easy as counting 1, 2, 3: open the executable file and browse. Make sure you are using the latest version (9.2 or newer), and check that the speed indicator shows 98% or better for optimal use.

How do we mitigate this application? Can we detect and solve the UltraSurf issue? There is valuable information in our forums at the link below.

https://www-secure.symantec.com/connect/forums/ultrasurf

Here is some of the most valuable information contributed by our members in the forums. Thanks to them for their voluntary contributions.

RickJDS says: "It's an anonymous proxy that the SEP firewall cannot stop. Apparently it creates a local port 9996 on localhost and listens. I think it creates a tunnel out of port 443 so firewalls can't block it. Please tell me how to prevent this file from running with SEP MR4 MP2."

bloo Cycletech says: "In my test lab I am running Ultrasurf, I am hitting IP address 65.49.2.114 through port 443. You can block all traffic to this IP address or an IP range. I know this won't keep the application from running, but it will stop all traffic from going through Ultrasurf."

Dperfekgent says: "Ultrasurf... Yes, this executable file is used by clients to bypass policies in getting to non-business-related sites. They could be detected as Bloodhound SONAR using TruScan Proactive Threat Scan... Some tend to rename the file so that they can use it again, but it can still be seen by the AV. Any help in blocking it would be very useful. Thanks."

Paul Mapacpac says: "I see, what if we request it to be treated as a virus and get its file signature so that it will not work? But this could lead to a long discussion with Symantec. I just received a report from my officemate that sometimes it can be detected by SEP as Bloodhound.Sonar.1, but I guess this depends on the websites they visit. If the environment has a proxy, as long as the proxy is set to be transparent, there could be ways to block it. I am currently testing it with my colleagues."

mon_raralio says: "If you open Ultrasurf, you have at least 3 options for which servers to use. An additional info: when using Firefox with Ultrasurf, you need to configure a proxy as 127.0.0.1 (localhost) with port 443. The admins here tried blocking it, but some applications used for work also stopped functioning. So far, we have not yet totally blocked the application, but we can detect it through SEPM v11. We shall be waiting for Symantec to assist us in dealing with this application in the near future."
I did some quick testing with Ultrasurf and found out it will use port 80 or port 443 to send traffic out. One solution is to create a firewall rule to block all applications except Firefox and Internet Explorer (or any other specific app you want to allow) from sending traffic out on port 80 or 443. However, since so many applications use port 80 or 443, this may not be doable.
In addition, I created an Application Control policy that will block Ultrasurf from running. I have attached the policy. You can simply import this into SEPM and then assign it to the group in which you want to block Ultrasurf.
Hello, please try the document below, "How to block UltraSurf using Application and Device Control": http://www.symantec.com/docs/TECH184200
Hello, I think that the best option to block any version of Ultrasurf is to use the IPS technology. I'm working on how to block Ultrasurf using an IPS signature in SEP. I can report the results later.
I added 20 MD5s from different versions of UltraSurf, but some versions are still working.
What can I do?
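As an added example (not code from the original article or from any of the forum posts it quotes), the following Python script applies the thread's observations, a loopback listener (port 9996 as RickJDS reported), outbound traffic on 80/443, the 65.49.2.114 endpoint bloo Cycletech saw, and the browser allow-list idea, to a constructed `netstat -ano` sample. It flags a process by what it does on the network rather than by its file name or MD5, which is exactly why a renamed binary or a new version slips past a 20-hash block list but not past this check. The PIDs, image names (including the renamed `u.exe`) and the netstat text are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output; it is not taken from the page.
# PID 4321 plays the part of a renamed UltraSurf binary (an assumption): it
# listens on loopback port 9996, as RickJDS reported, and tunnels out on 443
# to the address bloo Cycletech saw in his lab. PID 2222 is the browser that
# has been pointed at the local proxy.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:9996         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:9996         127.0.0.1:52001        ESTABLISHED     4321
  TCP    127.0.0.1:52001        127.0.0.1:9996         ESTABLISHED     2222
  TCP    192.168.1.10:52002     65.49.2.114:443        ESTABLISHED     4321
  TCP    192.168.1.10:52003     93.184.216.34:443      ESTABLISHED     2222
  TCP    192.168.1.10:52004     10.0.0.5:80            ESTABLISHED     3333
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PROCESSES = {
    4321: "u.exe",          # hypothetical renamed UltraSurf executable
    2222: "iexplore.exe",
    3333: "outlook.exe",
    4: "System",
    1100: "svchost.exe",
}

ALLOWED_BROWSERS = {"iexplore.exe", "firefox.exe"}  # the thread's allow-list idea
BLOCKED_DESTINATIONS = {"65.49.2.114"}               # endpoint named in the thread
TUNNEL_PORTS = {80, 443}

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Parse TCP rows of `netstat -ano` into dicts; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        conns.append({"laddr": laddr, "lport": int(lport),
                      "raddr": raddr, "rport": int(rport),
                      "state": state, "pid": int(pid)})
    return conns


def is_loopback(addr):
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def find_local_proxies(conns, processes):
    """Flag PIDs that behave like a tunnelling proxy, whatever the file is called:
    a loopback listener plus an outbound 80/443 connection from a process that is
    not an allow-listed browser, or any connection to a blocked destination."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append(c)

    findings = []
    for pid, cs in by_pid.items():
        image = processes.get(pid, "<unknown>")
        listeners = [c for c in cs if c["state"] == "LISTENING" and is_loopback(c["laddr"])]
        outbound = [c for c in cs if c["state"] == "ESTABLISHED"
                    and c["rport"] in TUNNEL_PORTS and not is_loopback(c["raddr"])]
        reasons = []
        if listeners and outbound and image.lower() not in ALLOWED_BROWSERS:
            reasons.append("loopback listener on port %d with outbound %s:%d"
                           % (listeners[0]["lport"], outbound[0]["raddr"], outbound[0]["rport"]))
        for c in outbound:
            if c["raddr"] in BLOCKED_DESTINATIONS:
                reasons.append("traffic to blocked destination %s:%d" % (c["raddr"], c["rport"]))
        if reasons:
            findings.append({"pid": pid, "image": image,
                             "listen_ports": sorted(c["lport"] for c in listeners),
                             "reasons": reasons})
    return findings


def find_proxy_clients(conns, findings):
    """Map each flagged proxy PID to the PIDs connected to its loopback listener,
    i.e. the browsers (or other apps) that were pointed at 127.0.0.1."""
    clients = {}
    for f in findings:
        ports = set(f["listen_ports"])
        clients[f["pid"]] = sorted({c["pid"] for c in conns
                                    if c["pid"] != f["pid"] and c["state"] == "ESTABLISHED"
                                    and is_loopback(c["raddr"]) and c["rport"] in ports})
    return clients


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    found = find_local_proxies(conns, SAMPLE_PROCESSES)
    for f in found:
        print("PID %d (%s): %s" % (f["pid"], f["image"], "; ".join(f["reasons"])))
    print("clients of flagged proxies:", find_proxy_clients(conns, found))
```

On the sample above only PID 4321 is flagged, and `find_proxy_clients` shows that iexplore.exe (PID 2222) is the browser using it, which is the pair an administrator wants to see together. The heuristic is a detection aid, not a block rule: any legitimate local proxy (an AV web shield, a corporate connection agent) also listens on loopback and talks out on 443, so feed the results into an investigation or an SEPM Application Control decision rather than into an automatic firewall block; the thread itself records that blanket blocking broke applications used for work.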
Points to consider:
1. Maybe this application is not yet widely used, and since it is not a real threat in itself, it poses no risk.
2. You should also consider the political view of the country where Symantec is being used. Blocking an application that supports your freedom to do whatever you want with your PC is like saying that browsing a certain website is against the law. (This is how petitions start :P) I got this idea from the site.
3. We already have a solution. [wink, wink]