An Internet tool to shield Chinese dissidents from their government seems to do just the opposite and also probes in the US, Canada and Taiwan, according to research presented at Black Hat.
UltraSurf software is promoted as a means to proxy Internet traffic so that when it arrives at its destination forensic experts can't figure out where it came from.
But observation of UltraSurf at work reveals that it also automatically attempts to make HTTPS encrypted connections to unrelated servers, said Kyle Williams, security director of XeroBank, an Internet privacy vendor, who has researched the software.
Among the sites it has probed without user intervention is acquisitions.army.mil, he said, a US Army URL that would be sure to attract the attention of the Great Firewall of China, the Internet filtering infrastructure the Chinese government uses to restrict the Internet access of its citizens.
The proxy system that versions of UltraSurf has used included six entry proxies, half in California and half in Taiwan, and six exit proxies, half in the US, two in China and two one in Taiwan, Williams says. A Chinese dissident sending traffic to an entry node in the US or Taiwan and receiving traffic from the US and Taiwan would also flag attention, he said.
The software used to have a two-hop proxy but that has been downgraded to one hop, he said.
The software is available free from UltraReach, whose website doesn't list an address or management team. It says the company is "dedicated to providing technologies and service for people to exchange information on Internet freely and safely" and was founded "by a group of successful entrepreneurs, renowned scientists and engineers in Silicon Valley."
UltraReach hasn't responded to a request left at its website for an interview about the software.
The software is promoted on the website of Global Internet Freedom Consortium, a group whose website describes its purpose this way: "Our mission is to build a pioneering online platform that breaks down the Great Firewalls blocking the free flow of information penetrating into, moving within, and originating from closed societies (eg China and Iran) via the Internet."
UltraSurf does some other puzzling things. For instance, if one of the HTTPS requests hits an invalid URL, the request is redirected to UltraSurf's page. "How does it know I got an invalid server if the traffic is really end-to-end encrypted?" Williams said.
UltraSurf has an auto-update feature that uses Google Reader RSS feeds to receive a Google Docs URL where it downloads encrypted payloads. Williams says he thinks the payloads are lists of target addresses for the software to probe.
In experimenting with UltraSurf in virtual machines, he has had the software succeed in accessing IP addresses with what seem to be internal IP addresses, making it seem that the software has successfully accessed another network. Once this happens, the software checks a few more addresses in that range as if to discover more about the apparent internal network, he says.
UltraSurf doesn't launch any attacks, but seems to be doing Internet reconnaissance, Williams says. Reconnaissance traffic sent by earlier versions of the software had Trojans attached that set off alerts from mainstream anti-virus software. He says he doesn't know what the Trojans did and at the time they were part of the software package anti-virus vendors might not have had signatures for them. "They might not have been known then," he said.
Williams says he plans further research into UltraSurf.