As part of maintaining Application Recognition signatures, I often get asked by customers if we have support for blocking Ultrasurf – the free proxy based anonymizer tool that is often (miss)used for bypassing content filters in enterprises.
Unfortunately, blocking this over Network using IPS signatures is not possible since the traffic is encrypted. There has been good amount of analysis done on this and many alternative solutions have been proposed – like blocking DNS requests or connections to its servers. But most of the times its not practical to keep blocking IP’s & DNS requests, especially to something like docs.google.com.
The only way to block this thing effectively is from the end host or the Desktop on which it runs. But even that is tricky as the application itself is just one Executable and is not dependant on any registry or file information.
So, using my Ninja windows Batch scripting skillz I came up with this simple one liner which kills the application if found running on the host -
@for /f "tokens=5 delims= " %%i in ('netstat -ano -p tcp ^| find "127.0.0.1:9666"') do Taskkill /F /PID %%i
The way this command works is by looking for the process that listens port TCP 9666 on the “localhost” (127.0.0.1) which the application uses by default and then killing it. As of this writing, in the latest version this port number is hard coded and cannot be changed. Effectively, this little command when fired from a batch file will prevent Ultrasurf from running on the end host. All that needs to be done is to add a schedule task that runs this batch file every min.
So, till Ultrasurf releases a new version that can let user configure the local listening port, this should work like a charm ! :)