Mobile Forensics
Checking Windows Computers

Review Network Connections

Last updated 4 months ago

Spyware will eventually need to transmit the collected data (such as screenshots, passwords, keystrokes, etc.) to a remote location, the Command & Control server. While it is not possible to predict when such a transmission will occur, some spyware establishes a permanent connection with the server, or connects frequently enough for you to catch it in the act.

One way to check for ongoing connections is to record the whole network traffic with Wireshark and inspect the capture later. A more useful approach, however, is to use tools that not only monitor network activity but also tie each connection to the process that opened it. Generally, you should look for unusual processes connecting to suspicious IP addresses.

One popular tool for this is TCPView, also from the Sysinternals Suite by Microsoft.

The tool is straightforward: it lists all network connections and shows, for each, the originating process and the destination. You will likely be surprised by the number of connections active even on a seemingly idle system. Most often you will see network activity from background processes, for example Microsoft services, Google Chrome, Adobe Reader, Skype, etc.

[Screenshot: Sysinternals TCPView. It shows several columns, including Process, PID, Protocol (which displays TCP, UDP, TCPV6, and UDPV6), local address, local port, remote address, and remote port.]
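A command-line equivalent of what TCPView shows, added here as an example and not code from this guide: it joins the output of netstat -ano (which reports the owning PID of every socket) with tasklist /fo csv to name the process, keeps only connections to routable public addresses, and lists half-open SYN_SENT attempts first, since an outbound beacon to a server that is offline or blocked never gets past that state. On Windows it runs the two commands itself; on other platforms it falls back to constructed sample output modelled on the infected system described on this page (not captured from a real machine).

```python
"""Tie network connections to their owning processes from the command line.

Added example, not code from the original guide. Joins ``netstat -ano``
with ``tasklist /fo csv`` and keeps connections to public addresses,
SYN_SENT (half-open) attempts first.
"""
import csv
import io
import ipaddress
import re
import subprocess
import sys

# Constructed sample in the layout of ``netstat -ano`` (not captured from a
# real host); the iexplore.exe row mirrors the case described in the text.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  TCP    192.168.1.20:49700     192.168.1.1:53         ESTABLISHED     1120
  TCP    192.168.1.20:49712     40.126.31.3:443        ESTABLISHED     3344
  TCP    192.168.1.20:49731     216.6.0.28:1604        SYN_SENT        2244
  TCP    [::1]:49800            [::1]:49801            ESTABLISHED     1120
  UDP    0.0.0.0:5353           *:*                                    1120
"""

# Constructed sample in the layout of ``tasklist /fo csv``.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","772","Services","0","9,120 K"
"chrome.exe","1120","Console","1","210,004 K"
"OneDrive.exe","3344","Console","1","55,880 K"
"iexplore.exe","2244","Console","1","12,300 K"
'''

# proto, local, foreign, optional state (UDP rows have none), PID
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per connection row of ``netstat -ano`` output."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # banner and header lines
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(":")
        conns.append({"proto": proto, "local": local,
                      "remote_host": rhost.strip("[]"), "remote_port": rport,
                      "state": state or "", "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from ``tasklist /fo csv`` output."""
    return {int(row["PID"]): row["Image Name"]
            for row in csv.DictReader(io.StringIO(text))}


def is_external(host):
    """True for routable public addresses; False for private, loopback,
    unspecified or wildcard ('*') endpoints."""
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_global
    except ValueError:
        return False


def triage(netstat_text, tasklist_text):
    """Connections to public addresses, named by process, SYN_SENT first."""
    procs = parse_tasklist(tasklist_text)
    flagged = [dict(c, image=procs.get(c["pid"], "<unknown>"))
               for c in parse_netstat(netstat_text)
               if is_external(c["remote_host"])]
    rank = {"SYN_SENT": 0, "ESTABLISHED": 1}
    flagged.sort(key=lambda c: rank.get(c["state"], 2))
    return flagged


def collect():
    """Run the real commands on Windows; use the samples elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_NETSTAT, SAMPLE_TASKLIST
    run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True).stdout
    return run(["netstat", "-ano"]), run(["tasklist", "/fo", "csv"])


if __name__ == "__main__":
    for c in triage(*collect()):
        print(f"{c['image']:<16} pid={c['pid']:<6} {c['proto']} "
              f"{c['remote_host']}:{c['remote_port']} {c['state']}")
```

A public destination is only a candidate for the lookup step that follows, not a verdict: signed vendor telemetry shows up here too, so the process name, the absence of a visible window and the registry lookup all have to agree before you call it suspicious.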

Another tool we can use to observe active network connections is CrowdInspect, which we showcased in the previous section on reviewing running processes. The information provided by CrowdInspect is very similar to that provided by TCPView.

[Screenshot: CrowdInspect, with a process called iexplore.exe selected, which has a red dot in the column marked Inject. That process has a TCP connection and is attempting to connect to the remote IP 216.6.0.28.]

For example, in the screenshot above we can see a running iexplore.exe process that not only has been flagged as injected, but is actively attempting to connect to the remote IP 216.6.0.28. Because there is no visible Internet Explorer window on the system, active network connections from it are definitely suspicious. TCPView shows the same connection on the same infected system:

[Screenshot: TCPView, with a process called iexplore.exe selected. That process is trying to connect to the remote IP 216.6.0.28, the same IP as in the screenshot above.]

(Note: these tools display attempted connections to remote locations even if the computer is currently disconnected from the Internet; the attempt alone is enough to reveal the destination.)

When you are suspicious of an active connection, you can (preferably from a separate computer) look up the IP address and try to determine who it belongs to and whether it is known to be good or bad, using for instance online tools like Central Ops or ipinfo. For example, a simple WHOIS lookup for that IP address would return:

NetRange:       216.6.0.0 - 216.6.1.255
CIDR:           216.6.0.0/23
NetName:        SYRIAN-5
NetHandle:      NET-216-6-0-0-2
Parent:         TATAC-ARIN-9 (NET-216-6-0-0-1)
NetType:        Reassigned
OriginAS:
Organization:   STE (Syrian Telecommunications Establishment) (SSTE)
RegDate:        2005-07-21
Updated:        2005-07-21
Comment:        Fax-no-963 11 3739765
Ref:            https://rdap.arin.net/registry/ip/216.6.0.0


OrgName:        STE (Syrian Telecommunications Establishment)
OrgId:          SSTE
Address:        Fayz Mansour St
Address:        STE Building
City:           Damascus
StateProv:
PostalCode:
Country:        SY
RegDate:        2005-07-21
Updated:        2011-09-24
Ref:            https://rdap.arin.net/registry/entity/SSTE

This suggests that the injected iexplore.exe was attempting to connect to an IP address located in Syria, which is very suspicious. Indeed, for the purpose of demonstration, we used an old copy of DarkComet RAT that was found in use in Syria around 2011.

Even a simple search for the IP address in your preferred search engine might reveal useful information. Additionally, you might want to consider using threat research services such as RiskIQ or ThreatMiner to see if they have any information on the IP addresses or domain names you come across.
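To automate the lookup step, here is an added example (not part of the original guide) that parses an ARIN-style WHOIS response into fields and checks that the queried address really falls inside the NetRange/CIDR the registry returned, which guards against misreading a record that belongs to a neighbouring block. The embedded response is the record for 216.6.0.28 quoted above; the optional live query assumes a Unix-style whois client on PATH, which is an assumption of this example rather than something the page describes.

```python
"""Parse an ARIN-style WHOIS record and verify the queried IP is covered.

Added example, not code from the original guide. Handles the generic
``Key:   value`` layout (repeated keys such as Address are kept as lists)
and checks the IP against both the CIDR and NetRange fields.
"""
import ipaddress
import subprocess

# The WHOIS response quoted on this page for 216.6.0.28.
WHOIS_216_6_0_28 = """\
NetRange:       216.6.0.0 - 216.6.1.255
CIDR:           216.6.0.0/23
NetName:        SYRIAN-5
NetHandle:      NET-216-6-0-0-2
Parent:         TATAC-ARIN-9 (NET-216-6-0-0-1)
NetType:        Reassigned
OriginAS:
Organization:   STE (Syrian Telecommunications Establishment) (SSTE)
RegDate:        2005-07-21
Updated:        2005-07-21
Comment:        Fax-no-963 11 3739765
Ref:            https://rdap.arin.net/registry/ip/216.6.0.0


OrgName:        STE (Syrian Telecommunications Establishment)
OrgId:          SSTE
Address:        Fayz Mansour St
Address:        STE Building
City:           Damascus
StateProv:
PostalCode:
Country:        SY
RegDate:        2005-07-21
Updated:        2011-09-24
Ref:            https://rdap.arin.net/registry/entity/SSTE
"""


def parse_whois(text):
    """Return {key: [value, ...]} for every non-empty 'Key: value' line."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue  # registry comment lines and free text
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not key or " " in key or not value:
            continue  # skip empty fields such as 'OriginAS:'
        record.setdefault(key, []).append(value)
    return record


def net_contains(record, ip):
    """True if ip lies inside any CIDR (or NetRange) of the record."""
    addr = ipaddress.ip_address(ip)
    for field in record.get("CIDR", []):
        for block in field.split(","):
            if addr in ipaddress.ip_network(block.strip(), strict=False):
                return True
    for rng in record.get("NetRange", []):
        lo, _, hi = (s.strip() for s in rng.partition("-"))
        if lo and hi and ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return True
    return False


def summarize(ip, text):
    """Fields an analyst wants at a glance, plus the range sanity check."""
    rec = parse_whois(text)
    first = lambda k: rec.get(k, [""])[0]
    return {"ip": ip, "in_range": net_contains(rec, ip),
            "cidr": first("CIDR"), "netname": first("NetName"),
            "org": first("OrgName") or first("Organization"),
            "country": first("Country")}


def whois_live(ip, server=None):
    """Query the registry with the system whois client (network required).
    Assumption of this example: a Unix-style ``whois`` binary on PATH."""
    cmd = ["whois"] + (["-h", server] if server else []) + [ip]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for k, v in summarize("216.6.0.28", WHOIS_216_6_0_28).items():
        print(f"{k:<9} {v}")
```

Do the lookup from a machine other than the one under examination: a query for the C2 address from the victim network is itself a signal an attacker may watch for, and the WHOIS answer tells you who holds the block, not whether the connection is malicious.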
