softether malware behavior

Post by masterdan » Thu Nov 19, 2015 9:13 pm

Softether has malware behavior. If we finish the process manually, it keeps coming back.
I first noticed this with some friends in 2013. Then, we found this post on the forum.

http://www.vpnusers.com/viewtopic.php?f=7&t=2286

I stopped using it for a while to see how people would react. But I haven't seen any more reactions until now.
So I went to test it again. The same behavior is still in the program.

Plus, it has the ability to bypass some firewalls, and connect to some really strange IPs.

For example, I finished the vpnclient_x64.exe process now. Then, it comes back and connects to 130.158.6.82. Then, it tries to connect to some extra IP. Always a strange one.

IP: 106.0.176.61
Decimal: 1778430013
Hostname: 106.0.176.61
ASN: 23974
ISP: Ministry of Education - EMISC
Organization: Ministry Of Education
Services: Confirmed proxy server
Type: Broadband
Assignment: Static IP
Blacklist: Blacklist Check
Geolocation Information

Continent: Asia
Country: Thailand
State/Region: Bangkok
City: Bangkok
Latitude: 13.75 (13° 45′ 0.00″ N)
Longitude: 100.5167 (100° 31′ 0.12″ E)
Postal Code: 10200

After this, I finished the process again. Then, it asks to connect to 130.158.6.82. After this, my firewall alarms me that it went to connect to 113.252.156.121.

I didn't even TRY to ever connect to a VPN from those countries.

IP: 113.252.156.121
Decimal: 1912380537
Hostname: 113.252.156.121
ASN: 9304
ISP: Hutchison Global Communications
Organization: Hutchison Global Communications
Services: None detected
Type: Wireless Broadband
Assignment: Static IP
Blacklist: Blacklist Check
Geolocation Information

Continent: Asia
Country: Hong Kong
City: Kwun Hang
Latitude: 22.3167 (22° 19′ 0.12″ N)
Longitude: 114.2167 (114° 13′ 0.12″ E)

HOW IS THAT a software FORCES us like this? We can't stop it from Task Manager and it makes some strange connections without our consent.

This is malware behavior. And the problem reproduces in several machines.
The persistent process is a trojan or rootkit behavior.
The strange connections have no explanation.

I see 2 possibilities:

1) malware in code
2) malware is not in the code but THE PERSON THAT COMPILES THE EXE ADDS SOMETHING INTO THE CODE.

We first need to check if the code being compiled by us will have the same behavior as the one people download in the website.

We tested this behavior on win 7 64 machines.

If someone finishes one process in his Task Manager, the process is meant to SHUT DOWN. Why keep coming back? In an open source software? And who is responsible for this?

Until things clear up, I will stay with the good old plain OpenVPN.
If it doesn't, we will make a complete investigation and publish on our website.

Edit:

1) We will not accept this "can not finish process" behavior anyway. The person who made this decision in the software is to be blamed anyway. If I have a software in my computer, and I want to finish it, it must not come back on its own unless I start the VPN client again.

2) We will not accept an excuse about vpnclient trying to connect while not in use. That is abusive behavior and should never happen.

Post by thisjun » Thu Dec 03, 2015 8:09 am

SoftEther VPN client is a service process.
So if you want to stop the process, you have to stop the service.
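
The reply above points at the Windows service rather than the process. As an added example (not part of either post and not SoftEther project code), this PowerShell finds the service entry whose binary path references the `vpnclient_x64.exe` image named in the first post and stops it through the Service Control Manager. The function names are hypothetical, and it assumes PowerShell 3.0 or later in an elevated prompt.

```powershell
# Added example, not SoftEther project code. Requires PowerShell 3.0+ and an
# elevated prompt. Only the image name below comes from the thread.
$ImageName = 'vpnclient_x64.exe'

function Get-ServiceForImage {
    param([Parameter(Mandatory)][string]$Image)
    # Win32_Service.PathName holds the command line the Service Control
    # Manager launches, so it links a process image to its service entry.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like "*$Image*" }
}

function Stop-ServiceForImage {
    param([Parameter(Mandatory)][string]$Image, [switch]$DisableAutoStart)
    foreach ($svc in @(Get-ServiceForImage -Image $Image)) {
        # Ask the SCM to stop the service instead of killing the process.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        if ($DisableAutoStart) {
            # Manual start: the service stays installed but no longer starts at boot.
            Set-Service -Name $svc.Name -StartupType Manual
        }
        # Return the service's state as the SCM reports it after the stop.
        Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'" |
            Select-Object Name, State, StartMode, ProcessId
    }
}

# 1. Show which service (if any) owns the image and how it is configured.
$found = @(Get-ServiceForImage -Image $ImageName)
$found | Format-List Name, DisplayName, State, StartMode, ProcessId, PathName | Out-Host

# 2. Stop it through the SCM, then confirm the process stays gone.
if ($found.Count -gt 0) {
    Stop-ServiceForImage -Image $ImageName -DisableAutoStart
    Start-Sleep -Seconds 5
    $procName = [IO.Path]::GetFileNameWithoutExtension($ImageName)
    $left = @(Get-Process -Name $procName -ErrorAction SilentlyContinue)
    "Processes still running after service stop: $($left.Count)"
} else {
    "No service entry references $ImageName."
}
```

A count of zero after the wait means the process was being hosted by the service. A non-zero count means something other than that service entry is starting the image.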