CLOSED: Evidence that SoftEther VPN Service exe has embedded malware

Slartibartfarst
Posts: 5
Joined: Fri Sep 27, 2013 9:49 am

Post by Slartibartfarst » Fri Sep 27, 2013 10:33 am

WARNING: Evidence that SoftEther VPN Service exe has embedded malware.

Thought I should report that the Windows Service called SoftEther VPN Client (program executable is vpnclient_x64.exe) is sending outbound messages to IP address 80.82.64.193 - a suspicious site that is blocked by Malwarebytes. These outbound messages are being sent even when the SoftEther VPN Client Manager is NOT connected to a VPNGate node - i.e., when it is inactive.
Also 80.82.64.193 (dea.anonymouse.me) is often listed on the VPNGate Hostname list in the VPN Client Manager GUI.

I asked on the Malwarebytes support forum why Malwarebytes is blocking outgoing VPN Gate IP address 80.82.64.193 (WHOIS says Host dea.anonymouse.me Country Netherlands).
They advised that this IP address was on their blocked list, because:
____________________
That IP is on a range of servers that are known to have recently been participating in or housing threats that can potentially harm someone's computer, which is why the IP is blocked.
IP Address 80.82.64.193 = ET-RBN Known Russian Business Network IP with malicious detections as of Today-9-27-2013
It would seem your software is allowing you to connect to IPs that can be malicious.
____________________

I had been running VPNGate using installer vpngate-client-2013.07.20-build-9091.127245.zip

So, I fully uninstalled/expunged the SoftEther VPN and all related VPN Gate system files, and clean reinstalled from vpngate-client-2013.09.27-build-9387.127802.zip (downloaded from http://download.vpngate.jp/common/cd.as ... 127802.zip)

However, the outbound requests to IP Address 80.82.64.193 continued as before.

This would seem to indicate that the installer package may have malware embedded in it, resident in the SoftEther VPN Service exe, and that it is ALWAYS ACTIVE when the Service is running.

Hope this makes sense or is of use.
Last edited by Slartibartfarst on Mon Oct 23, 2017 9:15 pm, edited 1 time in total.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by dnobori » Sat Sep 28, 2013 5:17 am

Hi,

I am Daiyuu Nobori, a developer of SoftEther VPN and VPN Gate.
Since your report is very serious, we double-checked all distributed program files with both Kaspersky and Microsoft Security Essentials, but no malware code was found.
We are developing and distributing the programs carefully, and we believe that there is no chance for either malware or a virus to infect the program files.

There are probably two possibilities on your computer.

1) Your computer already has malware which is not related to SoftEther VPN.

2) You are using VPN Gate Client, and you have enabled the VPN Relay Function on VPN Gate Client. It means that you agreed to provide your computer's line and bandwidth as a volunteer.
Please see: http://www.vpngate.net/en/join_client.aspx

If it is case #1, you should remove your existing malware. It is not related to VPN Gate.

If it is case #2, your VPN Gate Client process is allowing any VPN Gate users to be relayed. The VPN Relay Function on your computer is serving as a volunteer. This relaying function is disabled by default, but you could have activated it manually and explicitly.
Please see the http://www.vpngate.net/en/join_client.aspx page, and if so, you should disable the relaying function on the configuration screen (which is the same screen where you enabled it previously).

Slartibartfarst
Posts: 5
Joined: Fri Sep 27, 2013 9:49 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by Slartibartfarst » Sat Sep 28, 2013 5:20 pm

dnobori wrote:
> 1) Your computer has already have malware which is not related to SoftEther VPN.

> 2) You are using VPN Gate Client, and you have enabled the VPN Relay
> Function on VPN Gate Client.
=============================
Hello Daiyuu,
Thank you for your response.
I must apologise if I did not make myself clear.
(a) The *outbound* traffic to the blocked IP address 80.82.64.193 is being made by the Windows Service called SoftEther VPN Client (program executable is vpnclient_x64.exe).

(b) The *outbound* traffic to the IP address 80.82.64.193 is being blocked by a licensed copy of Malwarebytes, a highly reputable anti-malware program that is running on my PC and which has malicious website blocking enabled.

(c) The IP address 80.82.64.193 is blocked by Malwarebytes because it is a known malicious site (as described in my opening post).

(d) The blocked malicious IP address 80.82.64.193 (dea.anonymouse.me) is listed as a valid Hostname on the VPNGate Hostname list in the VPN Client Manager GUI. (And I see it is still there on the list tonight, as I write this.)

Thus, the issue is NOT whether my PC has a virus, but:
(i) WHY is vpnclient_x64.exe consistently trying to connect with the malicious IP address 80.82.64.193 (dea.anonymouse.me)?

(ii) WHY has the VPN Gate project got the malicious IP address 80.82.64.193 (dea.anonymouse.me) as a valid node on the Hostname list in the VPN Client Manager GUI?

Though it is probably irrelevant, I can confirm that:
1. NO malware: after scanning my PC on a regular basis with Malwarebytes AND with Microsoft Security Essentials (virus checker) - which are both running on my PC - there has been no indication of any recent threat by any malware, nor is there any evidence that the PC has been successfully attacked by malware.

2. VPN Gate Relay Service has not been and is not enabled on this PC, so that avenue is closed.

I was trying to be helpful by pointing out the issue regarding this malicious IP address. It is not bothering me, because Malwarebytes is successfully blocking vpnclient_x64.exe repeated calls to the malicious IP address 80.82.64.193 (dea.anonymouse.me).

However, if the VPN Gate software is doing this to other unsuspecting users (who DO NOT have realtime malicious website blocking by Malwarebytes or similar software), and if the VPN Gate project continues to publicise the malicious IP address 80.82.64.193 (dea.anonymouse.me) as a valid VPN Gate node (Hostname), then it seems likely that an awful lot of VPN Gate users are likely to become infected by malware via the malicious IP address 80.82.64.193 (dea.anonymouse.me).

But don't bother doing anything about it if you know for sure that the malicious IP address 80.82.64.193 (dea.anonymouse.me) is actually not malicious.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by dnobori » Sat Sep 28, 2013 5:32 pm

Hi,

Please open the VPN Gate Client and see the VPN Gate Server List.

Can you find the IP address "80.82.64.193" on the server list?

Slartibartfarst
Posts: 5
Joined: Fri Sep 27, 2013 9:49 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by Slartibartfarst » Sun Sep 29, 2013 6:26 am

dnobori wrote:
> Please open the VPN Gate Client and see the VPN Gate Server List.
> Can you find the IP address "80.82.64.193" on the server list?
===============================================
Hello dnobori,
Could you please report this security issue to your supervisor and/or the network security manager?
An examination of the network logs will show the frequency of malicious IP address 80.82.64.193 (dea.anonymouse.me) acting as a volunteer server in the VPN Gate network.

To repeat, the issues would seem to be:
(i) WHY is/was vpnclient_x64.exe consistently trying to connect with the malicious IP address 80.82.64.193 (dea.anonymouse.me)?

(ii) WHY had the VPN Gate project got the malicious IP address 80.82.64.193 (dea.anonymouse.me) as a valid node on the Hostname list in the VPN Client Manager GUI?

The implications are that:
(a) The vpnclient_x64.exe has apparently somehow been compromised and used as a bot to poll the malicious IP address 80.82.64.193 (dea.anonymouse.me).

(b) The security of the VPN Gate network has been compromised (QED), as it has apparently allowed at least ONE malicious IP address - viz 80.82.64.193 (dea.anonymouse.me) - to act as a volunteer network node. Where there is one, there are likely to be more. VPN Gate security procedures would presumably have blocked malicious IP address 80.82.64.193 (dea.anonymouse.me) from acting as a server, IF those security procedures had been implemented properly. They may not have been so implemented, and thus may need urgent review. This is an apparently REAL security threat/risk, as opposed to a potential one, and it needs to be analysed and treated ASAP if the VPN Gate project is to maintain credibility/viability for its purpose. Security is everything in a VPN system.

The fact that you have responded with the points and questions as above in this thread would seem to indicate that you are not familiar with the operation of high security networks. I would suggest that, because it is a security risk, this matter needs to be reported with some urgency to the appropriate VPN Gate network security manager.

I would not expect a developer to necessarily understand this nor take responsibility for addressing the explicit network security threat/risk.
This is why I say: Could you please report this security issue to your supervisor and/or the network security manager?

Good luck.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by dnobori » Sun Sep 29, 2013 9:19 am

Hi Slartibartfarst,

I confirmed that "80.82.64.193" is an IP address which is used by one of the volunteer servers of VPN Gate.
This host is running in the Netherlands, and seems to be hosted by "dea.anonymouse.me".


> (i) WHY is/was vpnclient_x64.exe consistently trying to connect with the malicious IP
> address 80.82.64.193 (dea.anonymouse.me) ?

The VPN Gate Client Plug-in continuously attempts to fetch the latest server list with the Indirect Server List Transfer Protocol, via already running VPN Gate volunteer servers. The VPN Gate Client Plug-in randomly chooses a relaying server to use from the entire volunteer server list. The IP address "80.82.64.193" is one of the currently running VPN Gate volunteer servers, therefore a VPN Gate Client Plug-in communicates with this IP address if the plug-in chooses to use this host from the entire server list. This mechanism is similar to Skype P2P communication. This mechanism is not dangerous even if one of the volunteer servers is malicious, because only metadata (server lists) is transmitted over the P2P network.


> (ii) WHY had the VPN Gate project got the malicious IP address 80.82.64.193
> (dea.anonymouse.me) as a valid node on the Hostname list in the VPN Client Manager GUI?

The VPN Gate project has never obtained the IP address "80.82.64.193".

Anyone in the world can become a volunteer. Becoming a volunteer doesn't require the VPN Gate Project's approval.

If an owner of IP address "1.2.3.4" wants to become a volunteer, then he can install VPN Gate Relaying Server on his computer. Then the IP address "1.2.3.4" will be registered on the server list, and that IP address will appear on the server-list screen of VPN Gate Client users.

The reason there is a VPN Gate volunteer host running on the IP address "80.82.64.193" is that the owner of "80.82.64.193" decided to install VPN Gate Relaying Server on that IP address.

Please see the http://www.vpngate.net/en/about_us.aspx page.
It explains that "Each Public VPN Relay Server of VPN Gate are not hosted at University of Tsukuba. These VPN servers are hosted by each volunteer. These are distributed over the world".


Technically, it is easy to ban the IP address "80.82.64.193" from the registered volunteer list of VPN Gate; however, we have no evidence that the IP address "80.82.64.193" is a malicious or illegal host. Currently we have confirmed no security risk while the IP address "80.82.64.193" is running as a volunteer server. If you have concrete proof that the IP address "80.82.64.193" is really a harmful host and should be banned from the VPN Gate volunteer server list, please show it here. Otherwise, we have no reason to ban it.
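The two checks this thread turns on are (1) the question dnobori asks earlier, whether the blocked destination appears on the client's current server list, and (2) the caveat implied by a server list that arrives via relays nobody vets: metadata fetched over an untrusted peer should still be validated before the client acts on it. The following is an added example written for this thread, not code from SoftEther, VPN Gate or either poster. The block-log format is a constructed generic "process -> ip:port action" layout, not Malwarebytes' real log format; the server-list entries are constructed sample data (80.82.64.193 and 1.2.3.4 are the addresses mentioned in the thread, the rest are documentation or private ranges); and the validation rule (address must parse and be globally routable) is an assumed generic sanity check, not VPN Gate's actual protocol.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of outbound-block log lines in a generic
# "timestamp process -> dst_ip:port action" format (not Malwarebytes' real format).
BLOCK_LOG = """\
2013-09-27 10:01:02 vpnclient_x64.exe -> 80.82.64.193:443 BLOCKED
2013-09-27 10:03:15 vpnclient_x64.exe -> 80.82.64.193:443 BLOCKED
2013-09-27 10:07:41 vpnclient_x64.exe -> 198.51.100.7:443 BLOCKED
2013-09-27 10:09:00 browser.exe -> 203.0.113.9:80 BLOCKED
"""

# Constructed server list as a client might have fetched it over a relay.
# 80.82.64.193 and 1.2.3.4 are the addresses discussed in the thread; the
# remaining entries are deliberately bad (documentation range, private
# range, unparseable) to exercise the validation step.
SERVER_LIST = [
    {"ip": "80.82.64.193", "hostname": "dea.anonymouse.me", "country": "NL"},
    {"ip": "1.2.3.4", "hostname": "volunteer-example", "country": "??"},
    {"ip": "192.0.2.10", "hostname": "testnet-entry", "country": "JP"},
    {"ip": "10.0.0.5", "hostname": "bogus-private", "country": "US"},
    {"ip": "not-an-ip", "hostname": "garbage", "country": "??"},
]

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\w+)$")


def parse_block_log(text):
    """Return (process, dst_ip, dst_port) for each line whose action is BLOCKED."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        _ts, proc, ip, port, action = m.groups()
        if action == "BLOCKED":
            events.append((proc, ip, int(port)))
    return events


def validate_server_list(entries):
    """Split a fetched list into usable entries and rejected ones.

    The list arrives via relays the client does not control, so each entry is
    checked before use: the address must parse and must be globally routable
    (rejects private, loopback, link-local and documentation ranges).
    """
    accepted, rejected = [], []
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry["ip"])
        except ValueError:
            rejected.append((entry, "unparseable address"))
            continue
        if not addr.is_global:
            rejected.append((entry, "non-public address"))
            continue
        accepted.append(entry)
    return accepted, rejected


def triage(events, server_list, client_proc="vpnclient_x64.exe"):
    """Classify each blocked destination of the VPN client process.

    'listed_relay': destination is on the validated server list, i.e. the
    server-list fetch behaviour described in the thread.
    'unlisted': destination is not on the list and deserves a closer look.
    """
    known = {entry["ip"] for entry in server_list}
    verdicts = {}
    for proc, ip, _port in events:
        if proc != client_proc:
            continue
        verdicts[ip] = "listed_relay" if ip in known else "unlisted"
    return verdicts


def count_blocks_by_ip(events, client_proc="vpnclient_x64.exe"):
    """How many blocked attempts the client process made per destination."""
    return Counter(ip for proc, ip, _port in events if proc == client_proc)


if __name__ == "__main__":
    events = parse_block_log(BLOCK_LOG)
    usable, bad = validate_server_list(SERVER_LIST)
    print("usable relays:", [e["ip"] for e in usable])
    print("rejected entries:", [(e["ip"], why) for e, why in bad])
    counts = count_blocks_by_ip(events)
    for ip, verdict in triage(events, usable).items():
        print(f"{ip}: {verdict} ({counts[ip]} blocked attempts)")
```

Run as a script it prints one verdict per blocked destination of the client process: a destination on the validated list is what the relay-fetch design predicts, while an unlisted one is the case that would actually merit the kind of investigation the thread's opening post asked for.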

Slartibartfarst
Posts: 5
Joined: Fri Sep 27, 2013 9:49 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by Slartibartfarst » Sun Sep 29, 2013 10:54 am

dnobori wrote:
...
> The reason there is a VPN Gate volunteer host running on the IP address
> "80.82.64.193" is that the owner of "80.82.64.193" decided to
> install VPN Gate Relaying Server on that IP address.
>
> Please see the http://www.vpngate.net/en/about_us.aspx page.
> It explains that "Each Public VPN Relay Server of VPN Gate are not hosted at
> University of Tsukuba. These VPN servers are hosted by each volunteer. These are
> distributed over the world" .
>
>
> Technically, it is easy to ban the IP address "80.82.64.193" from the
> registered volunteer list of VPN Gate, however we have no evidence that the IP
> address "80.82.64.193" is a malicious or illegal host. Currently we confirm
> no security risk while the IP address "80.82.64.193" is running as a
> volunteer server. If you have a concrete proof that the IP address
> "80.82.64.193" is really a harmful host and should be banned from the VPN
> Gate volunteer servers list, please show it here. Otherwise, we have no reason to ban
> it.
=========================================
What a great reply! Thank you for checking the network logs as I suggested.
I gather from what you are saying that:
(a) It does not matter whether a volunteer server is malicious, since it cannot affect/compromise the inbuilt anonymity or security of the network, either way. (I had not understood that to be the case, before.)

(b) Therefore there is no need to block a malicious IP address from becoming a volunteer server. (That would make sense, if (a) were true.)

The fact that Malwarebytes recently blocked only IP address "80.82.64.193" on my PC as being a known malicious address would seem to be quite a positive thing for VPN Gate, as it indicates that the rest (i.e., the greater majority) of volunteer servers were bona fide non-malicious servers - or at least, were not on any international blacklist of malicious servers.

As I said, it doesn't bother me anyway, as Malwarebytes blocks blacklisted malicious servers in real time, on my PC, but the knowledge that VPN Gate technology renders malicious volunteer servers harmless whilst still being able to use them in the network AND retain anonymity and security should be encouraging news for all VPN Gate users. I'm not sure how that technology works, but it is impressive if that is what it does!

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by dnobori » Sun Sep 29, 2013 11:06 am

I suppose that your understanding is correct.

Even if the same IP address of a volunteer server of VPN Gate is doing malicious activities to the Internet, and the IP address is listed on the black-list, such a volunteer server is unable to compromise any VPN Gate users.

Consider the situation where a Skype super-node is working on an IP address which is marked as malicious by a vendor's security tool. If you install the security tool on your PC, and you run Skype, which is incidentally connected to that Skype super-node, then the security tool will pop up a warning that the Skype process is sending a packet to the IP address which is marked as malicious. However, it is natural, and you are not at risk that the host at that malicious IP address will attack your PC. The host at that IP address is just relaying Skype P2P packets as a super-node, and has no ability to compromise the client PC which runs Skype.

If you feel that you don't want to "be relayed via" an IP address which is on a malicious black-list, you can block it with any security filtering tool.

Slartibartfarst
Posts: 5
Joined: Fri Sep 27, 2013 9:49 am

Re: Evidence that SoftEther VPN Service exe has embedded mal

Post by Slartibartfarst » Sun Sep 29, 2013 12:30 pm

Thank you for explaining that about the super-nodes.
Yes, Malwarebytes automatically blocks the malicious IP address for that volunteer server anyway, on my PC. So I cannot use that server.
