Tracing Unexpected Internet Activity!

One of the most unnerving computer experiences is to notice sudden unexpected internet activity from your PC when you’re not using the internet at the time.

It can be brought to your attention in several ways: for example, the lights on your modem might start blinking furiously, your firewall may indicate internet activity, or your download/upload monitor could show that a lot of information is being received or transmitted.

When this happens to me, the first thought that goes through my mind is that a malware program may be “phoning home” to some remote PC divulging all my personal information.

Now I know this is unlikely because my PC is well protected, but I know enough about security to know that it’s possible. So whenever this happens I immediately investigate what’s happening. So should you; in the following paragraphs I’ll show you how.

When you are connected to the internet you are not connected at one point but at multiple points. These different points are called ports. Data can flow in and out each of these ports. It’s a bit like the way flies get into your house. They can get in (or out) the front door, the back door, the windows or the chimney. These openings in your house are just like the ports in your computer.

There can be up to 65000 ports on your computer but normally these are shut. When you start a program that connects to the internet such as your web browser, that program opens one or more ports to make the connection.

So when your computer shows signs of unexpected internet activity, what you need to do is track down which ports are open and then identify the programs that opened those ports.

There’s a whole class of utilities called port enumerators that will do this job for you. In fact, there are more than a dozen such programs currently available. Additionally, many firewalls and most anti-trojan programs have built-in port enumerators, though these are often quite basic.
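As an added illustration (not code from CurrPorts, Port Explorer or any other product mentioned on this page), the following Python script does the two steps just described the way a port enumerator does them: it parses a socket listing in the layout of Windows netstat -ano, joins each socket to its owning process using the layout of tasklist /fo csv /nh, and flags the entries worth a closer look. Both listings in the script are constructed sample text rather than captures from a real machine, and the KNOWN_GOOD allowlist is a hypothetical set of processes the user expects to hold internet-facing sockets.

```python
"""Toy port enumerator: joins a netstat-style socket listing with the owning
process and flags entries worth checking. All input is constructed sample data."""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of Windows `netstat -ano` (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:5354         127.0.0.1:49672        ESTABLISHED     1234
  TCP    192.168.1.20:49710     203.0.113.7:443        ESTABLISHED     4321
  TCP    192.168.1.20:49722     198.51.100.9:6667      ESTABLISHED     6666
  UDP    0.0.0.0:5353           *:*                                    1234
"""
# Constructed sample in the layout of `tasklist /fo csv /nh` (image name, PID, ...).
TASKLIST_SAMPLE = """\
"svchost.exe","880","Services","0","12,000 K"
"mDNSResponder.exe","1234","Console","1","8,000 K"
"firefox.exe","4321","Console","1","300,000 K"
"updater.exe","6666","Console","1","4,000 K"
"""
# Hypothetical allowlist: processes this user expects to hold internet-facing sockets.
KNOWN_GOOD = {"svchost.exe", "firefox.exe"}
# Ranges treated as "not the internet"; any other routable address counts as public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

@dataclass
class Connection:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str
    pid: int
    process: Optional[str] = None

def split_addr(addr: str) -> Tuple[str, str]:
    """'203.0.113.7:443' -> ('203.0.113.7', '443'); also handles '[::1]:80' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def classify(host: str) -> str:
    """Bucket a host as any/loopback/local/public/unknown for quick triage."""
    if host in ("*", "0.0.0.0", "::"):
        return "any"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    return "local" if any(ip in net for net in LOCAL_NETS) else "public"

def parse_netstat(text: str) -> List[Connection]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, banner or blank line
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no State column
        lh, lp = split_addr(parts[1])
        rh, rp = split_addr(parts[2])
        conns.append(Connection(parts[0], lh, lp, rh, rp, state, int(parts[-1])))
    return conns

def parse_tasklist(text: str) -> Dict[int, str]:
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def enumerate_ports(netstat_text: str, tasklist_text: str) -> List[Connection]:
    """Join each socket to its process name; a PID with no process is itself notable."""
    names = parse_tasklist(tasklist_text)
    conns = parse_netstat(netstat_text)
    for c in conns:
        c.process = names.get(c.pid, "<unknown>")
    return conns

def flag_suspicious(conns: List[Connection], known_good) -> List[Tuple[Connection, str]]:
    """'Suspicious' means worth checking, not proven bad: an unlisted process that
    talks to a public address, or that accepts traffic on every interface."""
    flagged = []
    for c in conns:
        if c.process in known_good:
            continue
        if classify(c.remote_host) == "public":
            flagged.append((c, "talks to a public address"))
        elif classify(c.local_host) == "any" and c.state in ("LISTENING", ""):
            flagged.append((c, "accepts connections on every interface"))
    return flagged

if __name__ == "__main__":
    for c, why in flag_suspicious(enumerate_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE), KNOWN_GOOD):
        print(f"CHECK pid={c.pid} {c.process} {c.proto} {c.local_host}:{c.local_port} "
              f"-> {c.remote_host}:{c.remote_port} ({why})")
```

Run as-is it prints two lines to check: the unlisted updater.exe holding an established connection to a public address, and the mDNS responder listening on every interface. On a real host the same functions accept the live output of netstat -ano and tasklist /fo csv /nh. As with the pink rows in CurrPorts, a flag is a prompt to look closer rather than a verdict; a legitimate program you simply forgot to allowlist will be flagged too.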

I’ve looked at most of these products and found two that are outstanding:

My favorite free port enumerator is called CurrPorts from Nirsoft. It works best with Windows 2000 and later, though Windows 98 users can still use the product with less information displayed.

CurrPorts, like all port enumerators, shows all the ports that are currently open on your PC. It also shows you the process that opened each port and the time the port was opened. Most importantly, it flags any suspicious ports in pink.

Now “suspicious” here just means worth checking. However, this flagging makes the job of interpreting results much easier for less experienced users.

CurrPorts also allows you to track down the remote site a particular port is connected to. If it’s somewhere like North Korea, China or Romania you have a problem.

If you do have a problem CurrPorts allows you to immediately shut down that port. That reduces the potential damage but of course doesn’t solve the problem. To do that you need to find the malware program responsible.

How you do that is, unfortunately, beyond the scope of this article. As a quick guide, I suggest you download HijackThis from the link below and follow the instructions on the same page on how to paste the output into the Tom Coyote web forums.
http://www.tomcoyote.org/hjt/

The folks on the forum should be able to help you permanently get rid of the problem and it won’t cost you a cent either.

CurrPorts is a great product, but it has one weakness: it doesn’t tell you the amount of data flowing in and out of the open ports on your computer.

This is a really important piece of information when you are trying to track down sudden unexplained internet activity. There may be dozens of open ports on your PC, but what you want to know is which ones are currently being used to transmit or receive data.

I couldn’t find any free port enumerator that provides this information but there are two shareware products that do: Port Explorer from Diamond Computer and TCPView Pro from SysInternals.

Port Explorer is the standout pick. Port Explorer works with all versions of Windows and a home license is $29.95. Simply put, it’s the best port enumerator I’ve ever used. Port Explorer does pretty well everything that CurrPorts does and more. It combines ease of use with great power; a rare quality in technical utilities.

In this context its greatest ability is to show, for each open port, the amount of information being transmitted and received. The display can even be sorted on this criterion so the ports moving the most data appear at the top. This makes identification of the culprit program really easy.
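As an added example (not code from Port Explorer; it simply assumes that a tool exposes, per connection, a running count of bytes received and bytes sent), this Python snippet shows the sorting step described above: take two snapshots of the per-connection counters a few seconds apart, work out how much each connection moved in between, and list the busiest first. The snapshot data is constructed, and the handling of connections that opened or closed between snapshots, and of a counter that reset, is what the bare sort does not show.

```python
"""Rank open connections by bytes moved between two counter snapshots.
Snapshot layout is an assumption; all values are constructed sample data."""
from typing import Dict, List, Tuple

ConnKey = Tuple[int, str, str]             # (pid, local address, remote address)
Counters = Dict[ConnKey, Tuple[int, int]]  # -> (bytes received, bytes sent) so far

# Constructed snapshots taken 10 seconds apart; pid 6666 is the one quietly uploading.
SNAPSHOT_T0: Counters = {
    (4321, "192.168.1.20:49710", "203.0.113.7:443"): (120_000, 9_000),
    (6666, "192.168.1.20:49722", "198.51.100.9:6667"): (2_000, 50_000),
    (880, "192.168.1.20:49700", "192.168.1.1:445"): (700, 700),     # closed before t1
}
SNAPSHOT_T1: Counters = {
    (4321, "192.168.1.20:49710", "203.0.113.7:443"): (125_000, 9_500),
    (6666, "192.168.1.20:49722", "198.51.100.9:6667"): (2_500, 4_250_000),
    (1234, "127.0.0.1:5354", "127.0.0.1:49672"): (300, 300),         # opened after t0
}

def rank_by_traffic(before: Counters, after: Counters, elapsed_s: float) -> List[dict]:
    """Busiest connection first, by bytes moved between the two snapshots.
    A connection present only in `after` counts from zero (it opened in
    between); one missing from `after` is dropped since it cannot be the
    current source of activity; a counter that went backwards (a reset) is
    clamped to zero instead of yielding a negative delta."""
    rows = []
    for key, (in1, out1) in after.items():
        in0, out0 = before.get(key, (0, 0))
        d_in, d_out = max(in1 - in0, 0), max(out1 - out0, 0)
        rate = (d_in + d_out) / elapsed_s if elapsed_s > 0 else 0.0
        rows.append({"pid": key[0], "local": key[1], "remote": key[2],
                     "bytes_in": d_in, "bytes_out": d_out, "bytes_per_s": rate})
    return sorted(rows, key=lambda r: r["bytes_in"] + r["bytes_out"], reverse=True)

if __name__ == "__main__":
    for r in rank_by_traffic(SNAPSHOT_T0, SNAPSHOT_T1, 10.0):
        print(f"pid={r['pid']:<5} {r['remote']:<20} in={r['bytes_in']:>9} "
              f"out={r['bytes_out']:>9} {r['bytes_per_s']:>10.0f} B/s")
```

The direction of the delta matters as much as its size: in the sample, the busiest connection is almost entirely outbound, which is the pattern to look at first when the worry is data leaving the machine.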

Once the cause of the internet activity has been identified Port Explorer provides a whole raft of tools to help you identify the remote computer using the port. It even includes a packet sniffer so you can see what information is being transmitted.

Both Port Explorer and CurrPorts can provide you with the information you need to identify the cause of unexpected internet activity. I suggest you check out both and go with the program that best suits your needs. Whatever you choose, every experienced user should have a port enumerator installed on their PC, ready and waiting to track down those mystery internet connections. You may only occasionally require such a product, but it’s a great comfort to have one on hand when you really need it.

CurrPorts: http://www.nirsoft.net/utils/cports.html
Port Explorer: http://www.diamondcs.com.au/portexplorer/
