There’s not much point (from a cybercriminal’s perspective) in infecting a computer with malware unless the information it has been designed to capture ends up in the hands of the criminal.
Generally speaking, then, it’s reasonable to say that the most important function of malware (again, from a cybercriminal’s perspective) is to “phone home” with the information it was designed to steal. It’s hardly surprising that much of the malware circulating on the Internet does just that.
You can, if you like, trust that your AV solution will tip you off to any nasty behavior occurring in the background. But, as a follower of the “better safe than sorry” school of thought, trusting any AV solution to safeguard my systems in all instances just doesn’t compute with me. There are no perfect AV solutions.
All too often, “new” malware has already rampaged through the Internet (despite the best the AV providers have to offer) before average users become aware of it. As a result, I’ve long made it a practice to monitor my open ports and Internet connections frequently throughout a browsing session.
At first glance you might think port checking is time consuming and not worth the effort. It is worth the effort, and it’s not time consuming; it often takes no more than a few seconds. More to the point, in my view, it is a critical component of the layered defense approach to Internet security that regular readers of this site are familiar with.
There are a number of free real-time port analyzers available for download, and the following is a brief description of each. If you are familiar and comfortable with the Windows command line, you may want to try the command line utility Netstat, which displays protocol statistics and current TCP/IP connections. This utility, and how to use it, are covered later in this article.
CurrPorts (this is the port tool I use daily) allows you to view a list of ports that are currently in use, and the application (keep in mind that malware, for all practical purposes, is an application) that is using those ports. You can close a selected connection as well as terminate the process using it.
In addition, you can export all, or selected, items to an HTML or text report. Additional information includes the local port name, local/remote IP address, highlighted status changes and more.
Shown in this screen capture – Browser is not running. No remote connections. Looks like I’m safe.
Shown in this screen capture – Browser is running. Thirty remote connections, all of which are legitimate.
View current active ports and their starting applications
Close selected connections and processes
Save a text/ HTML report
Info on local port name, local/remote IP address, highlighted status changes
Download at: NirSoft (you’ll need to scroll down the page to the download link).
Process and Port Analyzer is a real-time process, port and network connection analyzer which will allow you to find which processes are using which ports. A good little utility that does what it says it will do.
View currently running processes along with the full path of the file that started each one
View the active TCP Listeners and the processes using them
View the active TCP and UDP connections along with Process ID
Double click on a process to view the list of DLLs it has loaded
Download at: http://sourceforge.net
Windows includes a command line utility which will help you determine if you have spyware or bot software running on your system. Netstat displays protocol statistics and current TCP/IP connections.
I use this utility as a test, to ensure that the anti-malware tools and firewall running on my systems are functioning correctly, and that there are no open outgoing connections to the Internet that I am not aware of.
How to use Netstat:
You should close all open programs before you begin the following process if you are unsure which ports/connections are normally open while you are connected to the Internet. A netstat run taken right after a reboot, before you open anything, gives you a baseline to compare later runs against. On the other hand, if you are already familiar with the ports/connections that are normally open, there is no need to close programs.
There are a number of methods that will take you to a command prompt, but the following works well.
Click Start > Run > type “cmd” (without the quotes) > click OK; this opens a command window.
In Windows 8, type “cmd” at the Start (Metro) screen.
From the command prompt, type netstat -a (note the space before the hyphen) to display all connections and listening ports.
You can obtain additional information by using the following switches; they can be combined, e.g. netstat -ano.
netstat -r displays the contents of the IP routing table and any persistent routes.
The -n switch tells netstat not to resolve addresses and port numbers to names, which speeds up execution (and avoids the reverse DNS lookups the resolution would otherwise trigger).
netstat -s shows per-protocol statistics.
The -p switch takes a protocol name (TCP, UDP, TCPv6 or UDPv6) and shows connections for that protocol only; combined with -s, it limits the statistics to the protocol specified (IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6).
The -e switch displays Ethernet (interface) statistics.
For the purpose of this article, two further switches matter most: -o adds the process ID (PID) that owns each connection, which you can match against Task Manager or the tasklist command, and -b (which needs an elevated, “Run as administrator” command prompt and is slow) names the executable that created each connection or listening port. netstat -ano is a good everyday combination.
Running netstat occasionally is a prudent move, since it allows you to double-check which applications are connecting to the Internet.
If you find connections to the Internet, or open ports, that you are unfamiliar with, a Google search on the process name and the port number should provide answers. Bear in mind that malware frequently borrows the name of a legitimate Windows process, so check the full path of the executable (CurrPorts and Process and Port Analyzer both show it) rather than the name alone.
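The check CurrPorts performs, and the netstat procedure above, reduced to a script. This is an added example, not code from the original post or from NirSoft: it parses the text printed by netstat -ano and by tasklist /FO CSV /NH, joins each connection to its owning process by PID, and reports every session to a non-local address, flags those belonging to a process that is not on your own list of expected programs, and lists TCP listeners bound to all interfaces. The netstat and tasklist text embedded in it is constructed sample output, not a real capture (remote hosts use the RFC 5737 and RFC 3849 documentation ranges, and helper.exe is a made-up stand-in for a process you don’t recognise); on a Windows machine the script runs the real commands instead. The EXPECTED set is an assumption you would edit to match your own system.

```python
"""Who's phoning home? Parse Windows netstat -ano / tasklist output and flag Internet-bound sessions by process."""
import csv
import io
import ipaddress
import platform
import subprocess
from collections import namedtuple
from typing import Dict, Iterable, List, Optional, Tuple

# Ranges that are not "the Internet": unspecified, loopback, RFC 1918, link-local, IPv6 ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
              "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]

# Processes you expect to talk to the Internet on YOUR machine (assumption; edit to suit).
EXPECTED = {"firefox.exe", "svchost.exe", "System"}

# remote_ip/remote_port are None for UDP sockets shown as *:*; state is "" for UDP rows.
Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

def split_addr(text: str) -> Tuple[Optional[str], Optional[int]]:
    """'192.168.1.10:49712' -> ('192.168.1.10', 49712); '[::]:135' -> ('::', 135); '*:*' -> (None, None)."""
    host, _, port = text.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host.strip("[]"), int(port)

def parse_netstat(output: str) -> List[Conn]:
    """Parse `netstat -ano` text: TCP rows carry a State column (5 fields), UDP rows do not (4)."""
    conns = []
    for f in (line.split() for line in output.splitlines()):
        if len(f) == 5 and f[0] == "TCP":
            proto, local, remote, state, pid = f
        elif len(f) == 4 and f[0] == "UDP":
            (proto, local, remote, pid), state = f, ""
        else:
            continue                          # banner, column header, blank line
        conns.append(Conn(proto, *split_addr(local), *split_addr(remote), state, int(pid)))
    return conns

def parse_tasklist_csv(output: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist /FO CSV /NH` (columns: Image Name, PID, ...)."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(output))
            if len(row) >= 2 and row[1].isdigit()}

def is_local(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                          # a name, not a number: treat as remote so it gets reported
    return any(addr in net for net in LOCAL_NETS)

def audit(conns: Iterable[Conn], pid_names: Dict[int, str], expected: Iterable[str]) -> dict:
    """Return Internet-bound sessions, the subset owned by unexpected processes, and wide-open TCP listeners."""
    expected = {e.lower() for e in expected}
    report = {"outbound": [], "unexpected": [], "listeners": []}
    for c in conns:
        image = pid_names.get(c.pid, f"pid {c.pid}")
        if c.proto == "TCP" and c.state == "LISTENING" and c.local_ip in ("0.0.0.0", "::"):
            report["listeners"].append((image, c.local_port))   # reachable from every interface
        if c.remote_ip is None or c.state in ("LISTENING", "TIME_WAIT"):
            continue                          # no peer, or the session is already torn down
        if is_local(c.remote_ip):
            continue                          # LAN / loopback traffic is not "phoning home"
        entry = (image, f"{c.remote_ip}:{c.remote_port}", c.state)
        report["outbound"].append(entry)
        if image.lower() not in expected:     # SYN_SENT from an unknown process is classic beaconing
            report["unexpected"].append(entry)
    return report

# Constructed sample output (NOT a real capture). Remote hosts use documentation address
# ranges; "helper.exe" is a made-up stand-in for a process you do not recognise.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:49712     198.51.100.20:443      ESTABLISHED     6120
  TCP    192.168.1.10:49720     203.0.113.7:8080       ESTABLISHED     3388
  TCP    192.168.1.10:49731     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49740     203.0.113.9:443        TIME_WAIT       0
  TCP    192.168.1.10:49755     203.0.113.44:6667      SYN_SENT        3388
  UDP    192.168.1.10:137       *:*                                    4
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [2001:db8::10]:49800   [2001:db8::1]:443      ESTABLISHED     6120
"""
SAMPLE_TASKLIST = """\
"System","4","Services","0","152 K"
"svchost.exe","912","Services","0","9,844 K"
"mDNSResponder.exe","2044","Services","0","4,300 K"
"firefox.exe","6120","Console","1","312,480 K"
"helper.exe","3388","Console","1","2,212 K"
"""

def live_report(expected: Iterable[str] = EXPECTED) -> dict:
    """On Windows run the real commands; elsewhere audit the constructed sample above."""
    if platform.system() == "Windows":
        run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        ns, tl = run("netstat", "-ano"), run("tasklist", "/FO", "CSV", "/NH")
    else:
        ns, tl = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    return audit(parse_netstat(ns), parse_tasklist_csv(tl), expected)

if __name__ == "__main__":
    for section, rows in live_report().items():
        print(section, *rows, sep="\n  ")
```

On the sample, the two helper.exe sessions (one established to port 8080, one stuck in SYN_SENT to port 6667) are the only entries under “unexpected”; the Firefox sessions are listed as outbound but accepted, the SMB connection to 192.168.1.20 is ignored as LAN traffic, and the two svchost.exe listeners on port 135 (IPv4 and IPv6) plus System on 445 are reported as bound to all interfaces. As with netstat -b, the real run needs an elevated prompt only if you want process names for sockets owned by other users’ processes.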
Steve Gibson’s ShieldsUP! (at grc.com) is a terrific resource where you can have the ports on your machine probed from the outside as well as test the effectiveness of your firewall. I recommend that you take the firewall test; you may be surprised at the results!
12 responses to “Who’s Phoning Home On Your Internet Connection? Find Out With CurrPorts and, Process and Port Analyzer”
Reblogged this on Share At Ease.
Thanks for the reblog, (e)ECLAIR. Always appreciated.
My pleasure! 🙂
Psst…Steve Gibson was my security hero for the longest time. I used to think it was the only page on the internet that had anything to do with security. Back then..it probably was..
As usual – you’re dead on the money. Steve was a real pioneer in the security field.
Finding a page where the author knew what he was talking about was a real challenge – back in the day. You could always count on Steve to set you straight.
Learned a huge amount from following Steve. We, long term followers, owe him bunches.
I have been using Current Ports for a couple of years now, on your recommendation. As you say, it isn’t time consuming to monitor it at all, very straightforward and customizable as well. I always have it running when cruising the internet. Well worth the download for anyone, for mine.
Agreed. You and I have discussed this one more than a few times.
It’s a simple thing, and yet, it provides such important information. Like you, I wouldn’t run on the Net without knowing who’s connecting to me.
These are all great tools and worthwhile additions to a well-configured firewall. It amazes me how firewall and anti-virus default settings are lax in some areas since companies know people will associate an extra second as a mark against the product, even if that extra second performs important functions.
One other thing I do is disable my LAN or wifi connection when I’m not doing something that requires me being connected to the internet. I have shortcuts set up to make it easy for me to turn the connections on and off. Some malware will try to pick a moment of lull (inactivity for x minutes) to do its dirty work, reasoning there’s less chance of the user being at the machine at that moment and noticing anything going on.
You and I think very much alike. I like your idea of shortcuts to disconnect from the Net when not required. I’ll give that a try.
Back when I ran with ZoneAlarm, I made it a practice to “block” connections using the built-in blocking feature.
Great comment – thank you.
I also disconnect from the net when the connection is not needed. Luckily my Acer laptop has a button to do just that, so no shortcut required; the button is illuminated when connected so it’s a cinch to remember. Can’t understand why more manufacturers don’t provide this feature.
It’s such a simple, but yet, very effective precaution. Like you, I fail to understand the lack of an “off” switch.
At one time I used to turn off my router, which was a pain in the behind since the switch is at the back and not easily reachable.