SEMTEC The SE MN preK-12 Technology Coordinators


Has anyone else run into this application? I just saw it in action this morning, runs off of a small executable file and is the latest way our students are getting past the internet filtering. I haven't figured out a way to block it yet. We are using 8e6 filtering with our ISP and I've tried blocking the Ultrasurf.com site but the application allows it to skip right past. Any help would be appreciated. They certainly are some creative youngsters.




Replies to This Discussion

Is this via port 80?
I haven't yet figured out what port it is using to get out. It appears to be using port 80 but I'm not sure yet. Will post here when I find out.
Brian Bartley said:
I haven't yet figured out what port it is using to get out. It appears to be using port 80 but I'm not sure yet. Will post here when I find out.
I'm pretty sure this is using port 9666 so now I'm seeing what we can do with that.
Stewartville uses 8e6 as well (and D-E likely will be as well, shortly). We'll play around with this and see what we can find out!
Well I tried blocking all traffic on port 9666 at the firewall and that has no effect at all. I've been looking at a bunch of message boards and have read a lot of info, none of it helpful so far.
OK. The word from 8e6 Technologies themselves is provided in the PDF below.

Right now, it's not blockable via the content filter. I think the only way to stop it is if you have set up a rule on your computers to only allow a certain list of executables to run. Since the UltraSurf program wouldn't be in that list, it wouldn't be able to run. But if those kinds of rules aren't set up on your computers, they may be a real chore to get set up. Windows Group Policy can be set up for this (http://www.tomshardware.com/forum/217950-46-prevent-running-unautho...), but I'm not sure how that could be done in a Novell Environment. For an individual computer there's "Trust-No-Exe".

The silver lining from the testing we did - even though it blows through the Content Filter by using TCP/IP tunneling - the UltraSurf servers seem to be unsupportive of porn sites (the handful we tried didn't go through!). It's an interesting concept for a program. Apparently developed so folks behind restrictive national firewalls (like living in China) could get out and view information from outside what was allowed in the country!
Note that the Ultrasurf.pdf document provided in my previous note goes through the architecture of UltraSurf, why it exists, how it's maintained, etc...

It also has some strategies for blocking its use, but none of the ones listed seem like they'd be very effective or (in the case of blocking Google Docs) desirable.
Oh - UltraSurf won't run on Linux or Macintosh...so maybe that's another way to stop it....throw out all your PC's and get Macs or Linux boxes! :-)

Sorry...needed some humor!
ROTFLMAO, Thanks Bryan, I'm going to take a look at TRUST-NO-EXE and see if that will work for the lab computers for now. I should be able to use Novell to push the things out that I want. I agree it is a very cool program, I will probably keep it on a flash drive to use when I'm behind other filtering applications like at DE or Stewartville. Have a good one. :)
Found something that might work in conjunction with ZENworks regarding the limiting of executables on a machine:
http://www.novell.com/coolsolutions/tip/3544.html
A few notes on this:

-Ultrasurf doesn't use port 80 but it does use 445 (https). It also tries to use external DNS servers, Google Docs, and a few other tactics.

-You can use Windows Group Policy to do the same thing as Trust-No-Exe (Google "path based software restriction policies"). This solution would work (in most cases) as long as the users aren't local administrators and you can define every exe on your systems that people should be able to run. While this might work, it isn't always practical, especially for computers used in programming classes where you create executable files.

-If you are targeting one exe, hash-based software restriction policies would also work, but you need a source exe and you would need to update the policy for each version. A smart student would just use a hex editor to add a few bytes to the file and create a unique version, which would be very hard to detect.

-Windows also has name-based software restriction policies, but they are almost useless because all you have to do is rename u94.exe to winword.exe and you've just bypassed the system.

-One technique that might be effective at the firewall level is to create a rate limiting rule that drops all http/https packets for 30 seconds or so from a particular machine if it tries to access an unauthorized DNS server. This would hopefully cause a timeout and force ultrasurf into an error state. This method wouldn't be effective for machines that already have a cache file but given that ultrasurf stores the file in the users %temp% path it would be a fairly easy thing to eliminate with a logon script. I am hesitant to try this on WETC's production firewall but I'll give it a try in my test environment to see how it goes.
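The notes above (and the earlier suggestion of an executable allowlist with Group Policy or Trust-No-Exe) describe three kinds of software restriction rule and why two of them are easy to get around. The following is an added example, not code from this thread or from Microsoft's SRP implementation: a toy evaluator that applies a name rule, a hash rule and a path allowlist to the same execution attempts, and replays the two bypasses the post describes (renaming u94.exe to winword.exe, and padding the file with a few extra bytes). The trusted directories, the student's paths and the "known build" bytes are all constructed for the demo.

```python
"""Toy evaluator for the three Software Restriction Policy (SRP) rule kinds
discussed in the thread, plus the bypasses the post describes.  Added example,
not the thread's code or Microsoft's SRP engine; every rule, path and byte
string below is constructed."""
import hashlib
import ntpath

# Assumed allowlist for the path rule: executables may only run from these trees.
TRUSTED_DIRS = [r"C:\Windows", r"C:\Program Files"]

# Constructed stand-in for one known build of the tool (not a real binary).
KNOWN_BUILD = b"MZ\x90\x00" + b"constructed-stand-in-for-a-known-build"
DENY_HASHES = {hashlib.sha256(KNOWN_BUILD).hexdigest()}

# Name rule: deny purely by file name.
DENY_NAMES = {"u94.exe", "ultrasurf.exe"}


def in_trusted_dir(path: str) -> bool:
    """Path rule: normalise first so 'C:\\Windows\\..\\Users\\...' cannot slip through."""
    norm = ntpath.normpath(path).lower()
    return any(norm.startswith(ntpath.normpath(d).lower() + "\\") for d in TRUSTED_DIRS)


def evaluate(policy: str, path: str, data: bytes) -> str:
    """Return 'allow' or 'deny' for one execution attempt under one rule kind."""
    name = ntpath.basename(path).lower()
    if policy == "name":
        return "deny" if name in DENY_NAMES else "allow"
    if policy == "hash":
        return "deny" if hashlib.sha256(data).hexdigest() in DENY_HASHES else "allow"
    if policy == "path":
        # Default-deny allowlist: nothing outside the trusted trees runs.
        return "allow" if in_trusted_dir(path) else "deny"
    raise ValueError(f"unknown policy {policy!r}")


def bypass_demo() -> dict:
    """Replay the post's bypasses against each rule kind."""
    downloads = r"C:\Users\student\Downloads"
    padded = KNOWN_BUILD + b"\x00\x00\x00\x00"   # 'hex editor adds a few bytes'
    return {
        # name rule: rename u94.exe -> winword.exe and it runs
        "name_original": evaluate("name", ntpath.join(downloads, "u94.exe"), KNOWN_BUILD),
        "name_renamed": evaluate("name", ntpath.join(downloads, "winword.exe"), KNOWN_BUILD),
        # hash rule: the padded copy has a new hash and no longer matches
        "hash_original": evaluate("hash", ntpath.join(downloads, "u94.exe"), KNOWN_BUILD),
        "hash_padded": evaluate("hash", ntpath.join(downloads, "u94.exe"), padded),
        # path allowlist: renaming and padding do not help from a user-writable folder
        "path_renamed_padded": evaluate("path", ntpath.join(downloads, "winword.exe"), padded),
        "path_traversal": evaluate("path", r"C:\Windows\..\Users\student\u94.exe", padded),
        "path_real_office": evaluate("path", r"C:\Program Files\Microsoft Office\winword.exe", b"MZ"),
    }


if __name__ == "__main__":
    for rule, decision in bypass_demo().items():
        print(f"{rule:22} {decision}")
```

The path allowlist holds up only under the condition the post states: the user must not be able to write into a trusted tree, so a user-writable folder under C:\Windows (which exists on some configurations) or local administrator rights would defeat it just as renaming defeats the name rule.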
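The last note proposes a firewall rule that penalises a machine for talking to an unauthorised DNS server. The following is an added example, not the poster's firewall configuration: a small model of that rule run over constructed log lines, so the timing behaviour (a 30-second window that restarts on each new offence and then expires) can be checked before touching a production firewall. The internal resolver addresses, the 203.0.113.x destinations and the log format are all constructed.

```python
"""Model of the proposed firewall rule: a host that queries an unauthorised DNS
server loses http/https for 30 seconds.  Added example, not the poster's
firewall rules; resolvers, addresses and log lines are constructed."""
import re
from datetime import datetime, timedelta

AUTHORIZED_DNS = {"10.1.0.10", "10.1.0.11"}   # assumed internal resolvers
WEB_PORTS = {80, 443}
PENALTY = timedelta(seconds=30)

# Constructed log format: "<iso-timestamp> <src> -> <dst>:<port> <proto>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

SAMPLE_LOG = """\
2009-03-02T08:15:00 10.1.5.23 -> 10.1.0.10:53 udp
2009-03-02T08:15:01 10.1.5.23 -> 8.8.8.8:53 udp
2009-03-02T08:15:02 10.1.5.23 -> 203.0.113.5:443 tcp
2009-03-02T08:15:05 10.1.5.23 -> 203.0.113.5:80 tcp
2009-03-02T08:15:10 10.1.5.40 -> 203.0.113.9:443 tcp
2009-03-02T08:15:31 10.1.5.23 -> 203.0.113.5:443 tcp
""".splitlines()


def parse(line: str):
    """Split one constructed log line into (timestamp, src, dst, port, proto)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def apply_policy(lines):
    """Return one (src, action, detail) tuple per line; action is pass, drop or penalize."""
    penalty_until = {}   # src ip -> time at which web access is restored
    out = []
    for line in lines:
        ts, src, dst, port, _proto = parse(line)
        if port == 53 and dst not in AUTHORIZED_DNS:
            # Each new offence restarts the 30-second window for that host.
            penalty_until[src] = ts + PENALTY
            out.append((src, "penalize", f"dns to {dst}, web blocked until {penalty_until[src].time()}"))
            continue
        until = penalty_until.get(src)
        if port in WEB_PORTS and until is not None and ts < until:
            out.append((src, "drop", f"{dst}:{port} during penalty"))
        else:
            out.append((src, "pass", f"{dst}:{port}"))
    return out


def actions(lines):
    """Just the action column, convenient for checking a run."""
    return [action for _, action, _ in apply_policy(lines)]


if __name__ == "__main__":
    for src, action, detail in apply_policy(SAMPLE_LOG):
        print(f"{src:10} {action:9} {detail}")
```

Running it shows the first host's web traffic dropped for the 30 seconds after its query to 8.8.8.8, the second host unaffected, and the first host passing again once the window ends. As the note itself points out, this does nothing for a machine that already has a cached server list, and because only the destination port is checked the rule treats DNS over TCP the same as UDP.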

© 2024   Created by Bryan Berg.