Block ultrasurf

[Guest]

[iomega55]

Does anybody know how to block the use of ultrasurf?

[john_cic]

I couldn't block it with Endian Firewall.

I used Symantec Endpoint Protection - Application control policies and blocked all versions of ultrasurf using the MD5 hash of the program.

I am interested however if you find a way to block Ultrasurf using Endian Firewall

[xsidx]

I haven't tested it, but opendns should be able to block this.

[alvaroarb]

@xsidx: How exactly would opendns block this app?

[xsidx]

@xsidx: How exactly would opendns block this app?

Like i said I haven't tested it. This came up on a search I made to answer the question, and some comments where that opendns would block it, I just passed it on.

But to answer your question, Ultrasurf is a proxy browser app, which needs to connect to a proxy server, Opendns is updated daily with new proxy sites, and if this software tries to contact that proxy while you have opendns working for you, it should block the app from contacting its server, now if this app actually connects directly to the proxy server with a given IP, all you then have to do is find that ip and block it with a rule.

PS. I run opendns, and have been doing so for years now, and everytime I tested one of these programs it has been able to block it. I haven't test ultrasurf yet, but I will next week.

[xsidx]

 OPENDNS.COM FTW!!!!

Tested it today at my site and application stalled at "contacting server", it was not able to connect to its server, and it does not open IE until it connects.

I tested application on Endian 2.4.0 with opendns and it did not worked, tested also on endian with out opendns and just content filter (I did not modify my current policy) and ultrasurf worked with no problem. My guess is that this app does use dns in order to resolve the primary or several servers to establish secured tunnel and let you use proxy... but if dns is being filtered and does not allow access to resolve ip, then it will not connect to the proxy server.

Hope this helps you with your Ultrasurf problem! let us know!! 

[john_cic]

Good write up about Ultrasurf http://www.m86security.com/KB/Attachments/Ultrasurf-GUID78cf6064c4d04affa2e177bc01284be4.pdf

A little out-dated but still a good write up about Ultrasurf:

Ultrasurf is a very sophisticated piece of software. It uses a distributed
network of proxy servers, installed and maintained by volunteers around the world much
like a peer-to-peer network. It uses multiple schemes to locate the proxy servers in its
network, spanning different protocols. It uses port and protocol tunneling in order to
trick security devices into ignoring it or mishandling it. It also uses encryption and
misdirection to thwart efforts to investigate how it works.

I tried blocking the IP addresses and domain names of the proxy servers that Ultrasurf uses to no avail.  The newer versions are even more advanced and all traffic is encrypted.  I am using OpenDNS + Endian Firewall and found that Ultrasurf still works if you let it try all methods of connecting (leave it running for a  of minutes).

If you can block the application from running using Group Policy or Anti-Virus software here is a list of MD5 hashes that i have gathered so far:

Ultrasurf MD5's for all versions: (versions that have 2 MD5's are ZIP and EXE)
*********************************
# 8.1 - c7c5c826fecacfa2f7dd48a762df1b2e
# 8.2 - d2e86ccb87771e6d710ca25360585f14
# 8.3 - 224363c72b8b9722c9e0195d1877f906
# 8.4 - 44877c87a6edf1f54609c9abe8c6442a
# 8.5 - be680ab187b543cdf87f75b23892075e
# 8.6 - f53597f07ad9425d64a1eccd440e7b54
# 8.7 - b6d9db95e947705eeaa98544de5647ce
# 8.8 - 4e3a66482ef96368251d91b4f5ae0fda
# 8.9 - f556271e1338dfc224cbebf6fe8f8eae
# 9.0 - faf9418cc0d4d4ff0a78f61283a9d29a
# 9.1 - 13f51c8c42e44bcb459c62e1c0e0e93b
# 9.2 - bb97cf958f1d383e1316a0db06202e22
# 9.3 - 4b498bcac14da546f420cd08bae1894b
# 9.4 - 11bc744801b516d0b84fba5850ec8789
8aed5412df0f621e399c78a7f408c6fb
# 9.5 - 88a02758a8359def232956ef028b2b77
4ad849a04a53f8a5d93e85d186f556f6
# 9.6 - e0724a56a972c791ce0e9077368dabc8
e303bb009064e63e470326201da509d0
# 9.7 - 8600905280a3fd95b52c7ff97ac33aa2
44385142f2d89be75502cff94d63f56b
# 9.8 - 5d9565a71e262836efff071573082c17
d446a55e30e28e2568ca0163f2737614
# 9.9 - 305c26c3061829ee5d1ef29d324c9758
e420c6aa42e11cf6a6349faf9ea14bee
# 9.91 - 8c6256f180bb8096011b3fe2511d228e
92c7cbb1dbf11c1c7de9b128cd02f103
# 9.92 - b32f45b81abd9ca395ca3940250bff81
11f0901ce03eed2e71f72b754b56164c
# 9.93 - a51f0e12c82c469c7b781df0f9221cd6
e05d63120344f434fe4db0e82927db06
# 9.94 - 17406ef606e38838be0b9b30f6f73358
006aebd5f1a87c3ef5fe6eb87de353e1
# 9.95 - 2c4f127c910227386a1dab824438f5c8
d93410dbc8866fc421dbcb2a8338157c
# 9.96 - e44f5667382356fcb40994326ea462f2
79ecb08ee9f9a3b6b768619819e82e80
# 9.97 - 7bf7d7f6251d66f4022702a7fbd36748
f4310bda92aaf325cfb7e8273f7cb236
# 9.98 - 1a8e11011fb024a0d3c68955da8fa576
7a69ea0b15862846e124cd70cef1a448
# 9.99 - 48c7ebdc0c102c3abd3d2ecc8053bc71
dd45ff3b146efdc64efe9213768dd522


# Firefox add-on - 6ce151b1b0ef8430031a8e9a69f38806

Any time a student or staff try to use Ultrasurf it is blocked and the following message is displayed on their screen:

WARNING:

Ultrasurf is blocked!

You have breached %companyName% IT policy.

This has been logged.

[xsidx]

I tested it for a few mins, and it was blocked... but I'll test it tomorrow for 30 mins just to double check, I plan on running it right before i go have lunch, then ill see if it connected by the time i get back...

I did read that write up you posted, and it gave me another idea, prohibit proxy settings to user under group policies and can also prevent the program from interacting with IE. Just an Idea, I'll test it tomorrow as well.

[john_cic]

How did you go with the test?

[xsidx]

hey, I tested it on a computer under my admin account and it did work, Also I know exactly why it did not work when I tested it the first time and it was completely blocked, and this was due to the fact that I tested it on my blue network right after I had just set it up, and the day after that I realize that I wasn't allowing https on outgoing firewall rules for blue interface.

So my apologies on that, Opendns had nothing to do with it from the beginning.

I will try out these 2 test next week, and see how they go.

1. I will run a packet sniffer on Ultrasurf and that should give me the address of the 3 servers it connects to using https, and should be able to block the ip with endian.

2. If not am almost 100% sure that this app needs access to connection settings under IE to change your proxy settings for it to work, disabling access to it from group policy should stop this.
    (I noticed proxy changes to loopback ip on port 9666 in IE when you run the program.)

[write4saini]

i have blocked ultrasurf. with help off select  useragent in access policy that is firefox, internet explorer

[sixpack]

hey, i block ultrasur, just block on the firewall the port 443, because ultrasurf used this port to connect to their servers.
yeah, i know the port 443 is used to all secure conections, but you can create a rule to opened this port just to give permision to gain access to, gmail, hotmail or another web site that use this port.

sorry, my english is so bad, my real native languaje is spanish.

i hope this will be helpful  to somebody.!!!

[thaobn20]

Can you hepl me about block ultrasurf by step by step
I'm very tired, i was blocked port 443 --> ultrasurf die but gmail, any use https not worked
thanks for post