HOWTO: check if malware is secretly connecting to the internet

Here's a quick command-line hack that you can run on your Windows boxes to see if there are any unsavory apps running in the background and making internet connections without your knowledge. Run the following to trace applications that are opening sockets while you're not using the machine:

  • Start->Run->cmd
  • netstat -b 5 >activity.txt (In XP, use -o instead of -b)
  • Wait a few minutes, then press Ctrl-C
  • type activity.txt | more (or open activity.txt in wordpad)

This will repeatedly run netstat every 5 seconds until you hit Ctrl-C, logging all active TCP/UDP connections (legitimate or otherwise) to the activity.txt file. The -b flag will also show the name of the binary .exe file that's making the connection (on Vista and later it needs an elevated, run-as-administrator prompt). In XP, the -o flag will do something similar, showing the process ID. Because netstat only samples every 5 seconds, a connection that opens and closes between two samples will not appear in the log; shorten the interval if you need finer coverage. If you see any connections being made that don't look legit, either to strange IP addresses or by processes that look fishy, you can use the Task Manager to kill the process, and then run your virus scanner / anti-malware software to clean things up.
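Reading a few minutes of activity.txt by hand is tedious, because every snapshot repeats the same long-lived connections. The following Python script is an added example, not code from the original post: it parses the snapshots that `netstat -b` (owner shown as `[name.exe]`) or `netstat -o` (owner shown as a PID column) write, groups the foreign endpoints by owning program, skips loopback and RFC 1918 addresses, and reports how many snapshot rows each external endpoint appeared in. The two log excerpts and the program names are constructed for the example, and the addresses come from documentation ranges.

```python
import ipaddress
import re
import sys
from collections import defaultdict

# Constructed excerpt of what `netstat -b 5 >activity.txt` writes: two
# snapshots five seconds apart. Program names and addresses are made up.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49152      198.51.100.7:443       ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.5:49153      192.168.1.20:445       ESTABLISHED
  Can not obtain ownership information
  TCP    192.168.1.5:49160      203.0.113.9:6667       ESTABLISHED
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49152      198.51.100.7:443       ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.5:49160      203.0.113.9:6667       ESTABLISHED
 [svchost.exe]
  TCP    127.0.0.1:49170        127.0.0.1:8080         ESTABLISHED
 [updater.exe]
"""

# Constructed excerpt in the XP `netstat -o` layout (PID column, no owner lines).
SAMPLE_LOG_XP = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49180      203.0.113.9:6667       ESTABLISHED     1564
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# A connection row: proto, local, foreign, optional state, optional PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?(?:\s+(\d+))?\s*$")
# An owner row printed by -b after the connection(s) it belongs to.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")

# Address space that is not the public internet; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7")]               # IPv6 equivalents


def split_endpoint(endpoint):
    """Split netstat's 'host:port', handling IPv6 written as '[fe80::1]:445'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat_log(text):
    """Turn one or more netstat snapshots into a list of connection dicts."""
    records, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            if pid is None and state and state.isdigit():  # UDP row with -o: no state, just a PID
                state, pid = "", state
            pending.append({"proto": proto, "local": local, "foreign": foreign,
                            "state": state or "", "pid": pid, "exe": None})
            continue
        m = OWNER_RE.match(line)
        if m or "ownership information" in line:   # -b owner line, or netstat could not get one
            owner = m.group(1) if m else "<unknown>"
            for rec in pending:
                rec["exe"] = owner
            records.extend(pending)
            pending = []
    records.extend(pending)  # rows with no owner line at all (plain -o output)
    return records


def is_external(host):
    """True for a foreign host outside loopback/private/link-local space.
    A hostname (netstat resolves names unless -n is given) is treated as external."""
    if host in ("*", "0.0.0.0", "::"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def summarize(records):
    """Group external foreign endpoints by owning program (or PID) and count
    how many snapshot rows each one appeared in."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in records:
        host, port = split_endpoint(rec["foreign"])
        if not is_external(host):
            continue
        owner = rec["exe"] or (f"PID {rec['pid']}" if rec["pid"] else "<unknown>")
        summary[owner][f"{rec['proto']} {host}:{port}"] += 1
    return {owner: dict(endpoints) for owner, endpoints in summary.items()}


def report(text):
    """Render the summary as one line per owner/endpoint pair."""
    lines = []
    for owner, endpoints in sorted(summarize(parse_netstat_log(text)).items()):
        for endpoint, n in sorted(endpoints.items()):
            lines.append(f"{owner:<16} {endpoint:<28} seen in {n} snapshot row(s)")
    return lines


if __name__ == "__main__":
    # Usage: python netstat_summary.py activity.txt   (no argument: the constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(report(text)))
```

A long-lived session to an unfamiliar external address on an unusual port, owned by a process name that looks like a system component, is the pattern worth a second look; with -o output the owner is reported as `PID nnnn`, which you then resolve to a program name with tasklist.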

Posted by Jason Striegel | Sep 23, 2007 07:07 PM

Comments

Posted by: shawnwaite on September 25, 2007 at 7:31 AM

Great tip, thanks. I wanted to know a bit more, so I found out how to translate your PID to an application name. Use:
tasklist | findstr 1564
