Software designed to beat Chinese censorship may behave in ways that seem suspect, but it is all part of the application's strategy to fool the Great Firewall of China, according to one programmer of the software.

"There are many built-in tricks that do all kinds of things to confuse the firewall," said David Tian, a scientist for NASA who works in his spare time on UltraSurf, the free software designed to promote unrestricted Internet access for citizens of China persecuted for being members of Falun Gong, the religious group the Chinese government is trying to suppress.

Some of those tricks were pointed out last month at the Black Hat security conference by researchers who interpreted the odd behaviors as counterproductive to the anti-censorship goal and as perhaps malicious. Tian recently responded, after about a month, to a request made during the conference for his reaction to the research.

UltraSurf is a proxy network that masks where traffic is being sent to and received from in an effort to keep the Chinese government's Internet filters from detecting forbidden communication. It calls for users to download an UltraSurf client, which sends and receives traffic via a network of proxies set up and maintained by UltraReach, a subgroup under the Global Internet Freedom Consortium.

Kyle Williams, security director of XeroBank, an Internet privacy vendor, said in his Black Hat conference briefing that UltraSurf automatically attempts to make HTTPS encrypted connections to servers unrelated to the UltraSurf proxy network. "How does it know I got an invalid server if the traffic is really end-to-end encrypted?" Williams said.

He also noted these odd behaviors:

-- When the client appears to connect to an IP address within a private network, it probes sequentially close IP addresses as well, Williams said.
-- When an UltraSurf client seeks a non-existent URL via HTTPS, it receives a response from an UltraSurf server.
-- UltraSurf taps a Google Reader RSS feed for updates that Williams interprets as lists of targets for the software to probe.
-- Commercial anti-virus software detects UltraSurf as a Trojan.

Tian addressed each behavior, but the overriding theme of his answers was that UltraSurf does an ever-changing variety of strange things in order to fool the Great Firewall of China.

The response from UltraSurf servers to attempts to reach non-existent URLs is due to the proxy network sending back a notification. It proxies all the communication, including SSL, so any response will be from a proxy, Tian said.

When UltraSurf appears to probe private IP space, it is actually sending out ruse connection attempts. "We send pretend connections out and the purpose is to confuse the Great Firewall and possibly local firewalls," he said.

Chinese authorities monitor UltraSurf carefully and try to identify signatures that can be used to set filters, so the software sends out useless traffic to make noise that makes it difficult to characterize the legitimate traffic, he said.