Apparently they are doing this using SSL inspection (outbound SSL proxy) as opposed to using application signatures. Outbound SSL proxies introduce a new range of hassles. It would be better if they could detect the application (ahem) and block it that way:

The new filtering engine of Astaro’s version 7.4 also allows users to filter and control secure web traffic (HTTPS). With inferior web security solutions, users can circumvent the security policy simply by accessing sites over HTTPS, which encrypts the session between the client browser and the target destination. Astaro’s version 7.4 intercepts encrypted HTTPS traffic and examines the content for malware, stops spyware infections, and controls what types of sites can be accessed.

In addition to (instead of?) of blocking Ultrasurf at the network level, one could control such applications at the desktop level. Sophos does this with panache. Using a whitelisting program like Bit9 or Lumension also turns this into a non-issue. If there are other ways to solve this problem, let me know.

Only 3 out of 38 companies identified Ultrasurf 9.3 as malware. Fortinet, Prevx1 and Quick Heal of India.

Contrast that with this Virustotal scan of UltraSurf 8.8 from 3/13/2008 where 9 of 31 companies labeled the executable as malicious.

Blocking these apps at the desktop is an elegant solution if you have the right product. Sophos does this well. Their application control is baked into their endpoint security client and centrally managed from their enterprise console. The applications will never get a chance to be accessed, installed, executed locally or remotely, e.g. a user cannot launch Ultrasurf from a thumbdrive if the machine has a Sophos client installed with the correct policy.

Here’s how you set it up:

Click on the “Application Control” policy in Sophos Enterprise Console.

Select “Proxy Application” (you could select “Security Tools”, “Remote Management” or many others)

Click the arrows to move the apps to “Blocked’’

That’s it. You then drag and drop this policy to the user groups you need to control. The on-access AV engine blocks access at the code level. If a user tries to run a blocked application from a thumb-drive, rename the file, download it, Sophos will block and report it.

You can also make a dynamic policy by blocking “All added by Sophos in the future”. Any new app Sophos adds to the category will be blocked at your endpoints automatically. Here are the applications Sophos has in their list.

30-Day Sophos Free Trial

Ultrasurf uses “140300000101″ for SSL ehlo messages. If you can block this signature with the your firewall you can block ultrasurf. To do this follow these steps:

1. Create a custom object in Firewall/Application Object section. Lets say the name of the object is “Ultra”
2. Application object type must be “Custom object”
3. Match Type must be “Exact Match”
4. Input Representation must be “Hexadecimal”
5. Then add Content “140300000101″

Then go to Object Policy/Application Firewall Policy Settings:

1. Policy name: write whatever you want
2. Policy type “Custom Policy”
3. Adress Source “Any”, Destionation “Any”
4. Service Source “Any”, Destionation “Any”
5. Exclusion Adrsss “None”
6. Application Object “Ultra Object” **Select the object which you write in the first section
7. Action “Reset/Drop”
8. Users/Group Included “All”, Excluded “None”
9. Schedule “Always On”
10. Enable loging “Check”
11. Redundancy Filters “Use Global settings checked”
12. Connection Side “Client Side”
13. Direction “Basic” Both

Dont forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box, you just have to block it in one of your threat profile policies.