How to Tell if You Are Secretly Connected to the Internet

(This item is an update to an article
that first appeared in the October 2005 issue of this newsletter.)

One of the most unnerving computer
experiences is to notice sudden unexpected internet
activity from your PC when you're not using the
internet at the time.

It can be brought to your attention
in several ways. For example, the lights on your modem or
router might start blinking furiously, or your firewall
may indicate internet activity, or your download/upload
monitor could show that a lot of information is being
received or transmitted.

When this happens to me, the first
thought that goes through my mind is that a malware
program may be "phoning home" to some remote PC,
divulging all my personal information.

Now I know this is unlikely because
my PC is well protected, but I know enough about
security to know that it's possible. So whenever this
happens I immediately investigate what's happening, and
you should do the same. In the following paragraphs
I'll show you how.

When you are connected to the
internet you are not connected at one point but at
multiple points. These different points are called
ports. Data can flow into and out of each of these
ports. It's a bit like the way flies get into your
house. They can get in (or out) through the front door,
the back door, the windows or the chimney. These
openings in your house are just like the ports in your

There can be up to 65000 ports on
your computer, but normally these are shut. When you
start a program such as your web browser that connects
to the internet, that program opens one or more ports
to make the connection.

When your computer shows signs of unexpected internet
activity, you need to determine what ports are open and
then identify the programs that opened those

There's a whole class of utilities
called "port enumerators" that will do this job for
you. In fact, there are more than a dozen such programs
currently available. Additionally, many firewalls and
anti-trojan programs have in-built port enumerators,
though these are often quite basic.

I've looked at most of these products
and found one freeware product that is outstanding.
It's a tiny 50KB program that doesn't require
installation, called CurrPorts [1] from Nir Sofer over
at Nirsoft. It works best with Windows NT and later,
though Windows 98 users can still use the product with
less information displayed.

CurrPorts, like all port enumerators,
shows all the ports that are currently open on your PC.
It also shows you the process that opened each port and
the time the port was opened. Most importantly, it
flags, in pink, any suspicious ports.

"suspicious" here just means worth checking. However,
this flagging makes the job of interpreting results
much easier for less experienced users.
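
What a port enumerator does can be sketched in a few lines. The following is an added example, not part of the original article and not CurrPorts' own code: it parses the output of Windows' built-in `netstat -ano` command, matches each port to the program that owns it, and lists connections worth checking. The sample output, the PID-to-program map (which `tasklist` would supply on a live PC), the `known` list of trusted programs and the "worth checking" rule itself are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output; remote addresses are documentation ranges.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     198.51.100.10:443      ESTABLISHED     4120
  TCP    192.168.1.20:49755     203.0.113.77:8080      ESTABLISHED     6604
  TCP    192.168.1.20:49760     192.168.1.1:445        ESTABLISHED     4
  TCP    [::1]:49670            [::]:0                 LISTENING       3004
  UDP    0.0.0.0:5353           *:*                                    1888
"""
# Hypothetical PID -> program map; on a live PC `tasklist` supplies it.
PROCS = {912: "svchost.exe", 4120: "firefox.exe", 6604: "updater32.exe",
         4: "System", 3004: "spoolsv.exe", 1888: "svchost.exe"}
# Loopback, private and link-local ranges, treated here as "not the internet".
LOCAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
         "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def split_endpoint(endpoint):
    """Split 'addr:port', '[v6addr]:port' or '*:*' into (addr, port) strings."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], port

def parse_netstat(text):
    """Return one dict per TCP/UDP row; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue
        (laddr, lport), (raddr, rport) = split_endpoint(f[1]), split_endpoint(f[2])
        rows.append({"proto": f[0], "laddr": laddr, "lport": int(lport), "raddr": raddr,
                     "rport": rport, "pid": int(f[-1]), "state": f[3] if len(f) == 5 else ""})
    return rows

def worth_checking(rows, procs, known):
    """Established connections to non-local addresses by programs not in `known`."""
    hits = []
    for r in rows:
        name = procs.get(r["pid"], "unknown")
        if r["state"] != "ESTABLISHED" or name.lower() in known:
            continue
        if not any(ipaddress.ip_address(r["raddr"]) in n for n in LOCAL):
            hits.append((name, r["pid"], r["lport"], f'{r["raddr"]}:{r["rport"]}'))
    return hits

if __name__ == "__main__":
    print(worth_checking(parse_netstat(SAMPLE), PROCS, {"firefox.exe"}))
```
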

And if you install CurrPorts' sister
program from Nirsoft, called IPNetInfo [2], you can
right-click on a suspicious connection and track down
the location and owner of the remote site. If it's
somewhere like North Korea, China or Romania, you
almost certainly have a problem.

If you do have a problem, CurrPorts
allows you to immediately shut down that port. That
reduces the potential damage but of course doesn't
solve the problem. To do that you need to find the
malware program responsible.

How you do that is, unfortunately, beyond the scope of this
article. As a quick guide, I suggest you download
HijackThis from this link and follow
the instructions on the same page on how to paste the
output to the Tom Coyote web forums. The folks on the
forum should be able to help you permanently get rid of
the problem, and it won't cost you a cent.

So folks, download CurrPorts now so
that the next time you have unexplained internet
activity you'll know exactly what to do about

[1] CurrPorts:

Freeware, Windows NT->Vista plus Win 98 with some
limitations, No installation required, 50KB.

[2] IPNetInfo:

Freeware, Windows 98->Vista, No installation
required, 48KB.

