Is Ultrtasurf safe to use or not?

[Jagg]

Back in 2009 there were some claimns about it being a Chinese gov. trojan
but it is still avaialbe and there is no new info on it since 2009.

Malwarebytes and a few others claim it is a trojan but the majority of AV
does not. All the big names scanners do not detect it as a trojan. It was
scanned at virus total and got something like 5 postiives out of 41
scanners. That is not very convincing numbers so what's the real deal with
UltraSurf? Was it just a competitors smear campaing or what?

http://www.ultrareach.com/

http://en.wikipedia.org/wiki/Ultrasurf

[Dustin]

Jagg <jagg@it.invalid> wrote in
news:1bfa3iesaf0hj.1f77jb3neybus.dlg@40tude.net:

> Malwarebytes and a few others claim it is a trojan but the majority
> of AV does not. All the big names scanners do not detect it as a

You'd have to be more specific. A logfile sample would be of great value.
Or, better yet, you should post to the malwarebytes forum. you can find
it here:

http://forums.malwarebytes.org/


--
Why drink the water from my hand?
Contagious as you think I am
Just tilt my sun towards your domain
Your cup runneth over again

[David H. Lipman]

From: "Jagg" <jagg@it.invalid>

> On Mon, 13 Jun 2011 03:19:53 GMT, Dustin wrote:
>
>> Jagg <jagg@it.invalid> wrote in
>> news:1bfa3iesaf0hj.1f77jb3neybus.dlg@40tude.net:
>>
>>> Malwarebytes and a few others claim it is a trojan but the majority
>>> of AV does not. All the big names scanners do not detect it as a
>>
>> You'd have to be more specific. A logfile sample would be of great value.
>> Or, better yet, you should post to the malwarebytes forum. you can find
>> it here:
>>
>> http://forums.malwarebytes.org/
>
> I see Softpedia used to host it but no longer do and the same with CNET.
> Either someone has done a good smear camnpaign on it or it really is a
> trojan. I would like to know 100% one way or another. I do have a MBAM log
> file but is it on another PC right now and will post it later. Here are
> some links of interest though and you could dload Ultrasurf and scan it
> yourself because it does warrant investigation due to the fact there are
> probably thousands of people using it with no idea it may be a trojan
> because most AV does not flag it as such.
>
> http://www.ultrareach.com/usercenter_en.htm
>
> http://www.how-to-hide-ip.info/2009/...surf-a-trojan/
>
> http://www.rosoftdownload.com/downlo...ows/ultrasurf/
> "RoSoftDownload.com team has tested UltraSurf against viruses, spyware,
> adware, trojan, backdoors and was found to be 100% clean of any form of
> malware..
> Our editors will test this application periodically to assure that it
> remains clean.
> Click the link below to view the entire antivirus report."
>
> http://www.wilderssecurity.com/showthread.php?t=288844
> "I have been using UltraSurf for years and never had a problem. Recently,
> NOD32 reports it as :
>
> UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially
> unwanted application
>
> I have sent it for analysis but that doesn't help my case.
>
> Can someone confirm what is this?
>
> Answer is NO. It is packed with Themida software. Actually Themida is a
> software protection product designed to prevent software from being
> "cracked" and does use encryption, therefore, is very difficult for any
> anti-virus to confirm one way or another if its malware.
>
> Un-fortunately, Themida is highly used by virus writers, keylogger writers,
> etc., to conceal their malware. That is why Anti-Virus vendors detect
> Themida packed application as PUA. You have to be sure if the application
> packed with Themida is legit application or actually a malware. If you are
> absolutely sure that packed application is legit then go for it else keep
> one hand distance from that application."
>
> http://www.wilderssecurity.com/showt...ight=UltraSurf
> "As many of you are aware, there was a thread about dissecting Ultrasurf.
> We found significant malware behavior, and worst of all we found that
> ultrasurf promotes man in the middle attacks by allowing any ssl cert, even
> mismatched and self-signed certs and preventing the user from seeing a
> popup about it.
>
> Ultrasurf is designed to be a free http proxy tool, and it is somewhat, but
> this is a cover for it to be a virus / malware that is nearly stealth and
> undetectable to normal virus scanners because of it's heuristic avoidance
> and encrypted payloads.
>
> At this time we recommend everyone to delete ultrasurf and download a free
> copy of VBA32 antivirus which will correctly identify it, as all other
> antivirus software does not."


Apparently this is grey area software. An annonymizing proxy client that has been used
maliciously (to what extent I do not know).

http://www.virustotal.com/file-scan/...198-1307934742

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp

[Jagg]

and this...

http://www.threatexpert.com/reports....asurf&x=11&y=9

[Jagg]

On Mon, 13 Jun 2011 14:14:22 -0400, David H. Lipman wrote:

> > Apparently this is grey area software. An annonymizing proxy client that has been used
> maliciously (to what extent I do not know).


After further investigation I see the same app can be found using a couple
of program names too so I guess I should treat it with suspicion but I have
found plenty of posts that claim it is not malicious too and just looks
that way because of how it works.

How about your-freedom?

https://www.your-freedom.net/index.php?id=home

[David H. Lipman]

From: "Jagg" <jagg@it.invalid>

> On Mon, 13 Jun 2011 14:14:22 -0400, David H. Lipman wrote:
>
>>> Apparently this is grey area software. An annonymizing proxy client that has been
>>> used
>> maliciously (to what extent I do not know).
>
> After further investigation I see the same app can be found using a couple
> of program names too so I guess I should treat it with suspicion but I have
> found plenty of posts that claim it is not malicious too and just looks
> that way because of how it works.
>
> How about your-freedom?
>
> https://www.your-freedom.net/index.php?id=home
>

Drop me an email and I'll give you another option. Just remove ~nospam~.


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp