Software can be programmed to connect to the Internet secretly. This happens in the background and is invisible to users unless they know how to check. “Phoning home” is the term for software connecting to its own server, usually to send statistical data or to verify the validity of its license. As useful as this is for software developers, it can also be a threat: malware such as a Remote Administration Tool (RAT) trojan with reverse-connection capability phones home automatically and connects back to the hacker, giving them full control over the computer.
If you are the adventurous type who downloads and plays around with a lot of software, especially risky kinds such as key generators, patches and hack tools, then you must be even more careful to check whether it is secretly phoning home. For computer newbies, running a firewall and letting it take care of everything is the best choice. You can pick a firewall from the rankings at Matousec, which lists Comodo Internet Security 4 as the best firewall.
There are many ways to check which applications connect to the Internet, and I will share the method I use, which makes it easy to determine whether one specific program is connecting to the Internet.
You have probably heard about using netstat from the command prompt, TCPView from Sysinternals or CurrPorts from NirSoft, but I find them a little difficult to analyze because they monitor and display ALL applications that connect to the Internet. Sometimes I have downloaded an executable file and only want to check on that one. The tool to use is Process Explorer.
Process Explorer is a free and portable tool from Sysinternals that is similar to Windows Task Manager but far more advanced. The advantage of using Process Explorer to check for Internet connections is that you can easily inspect a single process, or a few of them, rather than all of them. Simply double-click any process in the Process Explorer list and go to the TCP/IP tab. It shows both the TCP and UDP connections made by that process. The only drawback of using Process Explorer to catch an application phoning home is that it cannot save a log of connections: once a connection has been made and closed, it disappears from the TCP/IP tab.

If you notice that some software is secretly connecting to the Internet and there is no way to turn that off, you can either use a firewall to block the connection or add the hostname to your HOSTS file at C:\WINDOWS\system32\drivers\etc so that it is redirected to 127.0.0.1. The HOSTS file has a limitation: it only translates host names to IP addresses, so it cannot block a program that connects to an IP address directly. This is also one of the methods software pirates use to stop software that checks license validity from phoning home after they have activated it with an illegal key generator. None of the tools above, such as Process Explorer, netstat, CurrPorts and TCPView, can monitor connections made by a rootkit. We should definitely look at some rootkit discovery tools in future articles.
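As an added example (not part of the original article), the following script manages HOSTS-file block entries in the form the article describes and makes the stated limitation concrete: a destination given as an IP literal never passes through the HOSTS file, so `is_blocked` reports it as unblocked. `HOSTS_PATH` is the path from the article; the sample hosts text is constructed, and writing to the real file needs an elevated prompt.

```python
"""Redirect a phone-home hostname to 127.0.0.1 via the HOSTS file.

Added example, not from the article. SAMPLE_HOSTS is constructed; the
string functions work on any hosts-file text, and write_block() applies
the change to a real file (run as Administrator on Windows).
"""
import ipaddress
from pathlib import Path

HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")  # path from the article
SINK = "127.0.0.1"  # the article redirects blocked names to loopback

# Constructed sample of a hosts file.
SAMPLE_HOSTS = "# This is a sample HOSTS file.\n127.0.0.1 localhost\n"


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its IP. The first matching entry is the one used."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def block_line(hostname: str) -> str:
    return f"{SINK} {hostname.lower()}"


def add_block(text: str, hostname: str) -> str:
    """Return hosts text with hostname redirected to SINK; no duplicates."""
    if hostname.lower() in parse_hosts(text):
        return text
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + block_line(hostname) + "\n"


def is_blocked(text: str, destination: str) -> bool:
    """True only when a *name* lookup of destination would land on SINK.

    Limitation from the article: the HOSTS file only translates names to
    addresses. A program that connects to an IP literal never consults it,
    so an IP destination is reported as not blocked.
    """
    try:
        ipaddress.ip_address(destination)
        return False  # IP literal: resolver is bypassed entirely
    except ValueError:
        pass
    return parse_hosts(text).get(destination.lower()) == SINK


def write_block(path: Path, hostname: str) -> None:
    """Apply add_block() to a hosts file on disk (needs admin rights on Windows)."""
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(add_block(text, hostname), encoding="utf-8")


if __name__ == "__main__":
    updated = add_block(SAMPLE_HOSTS, "stats.example.com")
    print(updated)
    print("name blocked:", is_blocked(updated, "stats.example.com"))
    print("IP blocked:  ", is_blocked(updated, "203.0.113.5"))
```

Because the redirect only works for names, check the remote address column in Process Explorer or netstat first: if the program is already connecting to a bare IP address, only a firewall rule for that address will stop it.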
What about using “Find” in the registry editor looking for URLs. This wouldn’t affect the 3rd party driver update apps.
I get nothing in the TCP/IP tab for any process, including Firefox and file transfer programs that are currently processing network transfers. Can’t figure it out. I shut down my Firewall and tried again: nothing.
nice one Ray. I just checked it out.
FWIW, in my (admittedly limited) understanding, there are multiple ways that programs can connect, and blocking program access via firewalls won’t stop all of these ways though some firewalls are more vigilant than others. The only *real* way is to block the connection specifically, either through the hosts file or your firewall.
So, for instance, telling your firewall to block xyz.exe won’t always prevent xyz.exe from connecting (through various means) to wxy.com BUT telling your firewall NOT to connect to wxy.com (or redirecting wxy.com to null) *should* always work.
HIPS don’t always help, either, (depending upon the program) though (a good) Behavior Blocker should.
In other words, you may not have as much protection as you might think.
Thank you very much Raymond!
I block suspicious software by the Firewall to access internet.
I’ve learned something new again raymond. we shouldn’t be complacent to the software we’re about to use most especially when we are always connected to the internet. Phoning home…I’ll remember that. thanks a lot for your info.
good third party firewalls have this info. most of the times even if you have activated the HIPS and process protection they notify you about it, process explorer is a handy utility and in fact best to know this and control all the processes thanks
You guys are so smart and I’m so dumb please tell me what to do about the following?
my cd player ejects the disk automatically right in the middle of diablo 2-warcraft or other games and I lose all up to that point and have to start the game over.
the question:
how do i stop this?
TCPView is the most appropriate app for this.
I have a question for you Raymond, and this is probably the best time to ask it.
I’m most likely getting a laptop running Windows 7 soon (hopefully the battery problems won’t be an issue). Do you know of any software similar to Little Snitch for Windows? While I love that it handles outgoing network connections, alerting me whenever a program wants to make an outgoing connection (mainly calling home), I also particularly like its Network Monitor, which pops up on the top-right corner of the screen whenever there’s network activity. It shows the servers a program is connecting to and also has a list of the servers a program has already connected to. Do you have any suggestions?
So obvious! Haha – thanks for the reminder. Always nice to learn something “new” about Process Explorer
THANKS !
“The only drawback…is the inability to save the log of connections.”
That too is what’s missing from TCPView but was once a feature of TCPView Pro, bundled with one of their premium suites. Since their acquisition by MS, I thought it would be only logical they would release the app with logging. No. And long ago I gave up asking why when not one of my emails was ever answered.
A quick story: I once upgraded a high-dollar premium video editor and began to notice some new net activity. Turns out a *service* was installed, set to Automatic startup type (System account), with a persistent connection to their server farm. Whether the editor was running or not! Why, I asked them? Well, to enable “additional features.” Thank you; firewall deny rule built.
how about wireshark ;)?
The best solution is to set up a unix box (Firewall plus Wireshark or snort) between the Windows machine and the internet and monitor/block traffic :)
@gofree: Unfortunately no. As far as I know, Kaspersky Proactive defense can be bypassed.
Isn’t the anti-virus like KIS enough?
Very interesting Raymond! Thanks for this tip.
As I use Process Explorer for a while, I’ve tried to check some legitimate software I use and in some case, in “Remote Address”, Process Explorer shows only something like “localhost:1110” with “State”: Established … How can we interpret this?
Thank you in advance.
Great tip. I generally use TCPView by sysinternals.
is there a program that shows the amount of data transferred to a certain URL…sometimes my network monitoring program will show that a lot of data is being uploaded to the internet for about 5-10 minutes and then it stops before I can track down what’s happening…
Raymond, one more thing, Is it possible to see the full path of the remote URL ..like I was downloading adobe, then the web installer didn’t tell me from what URL it is downloading
Won’t the active connection be listed in firewall logs?
I use Windows 7 firewall control! I tried to use Comodo firewall but I got a lot of BSODs.
Thanks raymond. I have been using process explorer for quite a few times now and never knew this before. It was helpful.