Software Calling Home?

[optikon]

There are many programs available for monitoring network activity. These usually have to be installed and stay resident.

However, Windows comes with a program called netstat that can be used to find out if software is connecting to the web (i.e. malware, spyware or otherwise calling home)

I created 2 batch files that use netstat to log current active connections as well as a "live" check.
The batch files*MUST* be run as admin.

If you are running software for the first time, you can run live_check while the software loads and all network activity will be logged to a text file.
Examine this file and take suspicious IP addresses to an online service like Whatismyip (http://www.whatismyip.com/ip-whois-lookup/) to find out who is behind them.

Using netstat, the batch files will record the following:

1) The local and remote address involved in the activity (IP address, ports)
2) The state of the connection (established, waiting etc..)
3) The executable that created the connection
4) The process ID involved.

Use: Run it. Check the created txt file.

Hope you find it useful, please make suggestions for improvement or post your favorite software to do this job!
Tested on my Win7 x64

See attached . . .

[Magnox]

Very useful info, thanks! It's good to know what is trying to talk. It infuriates me how much software insists on calling home even when told not to in the options. Whether I've paid for it (which I have for a lot) or not, I don't want it talking. *

* you have to laugh - I was just about to say "adobe are bad for this" when ZA popped up with Adobe's updates manager trying to get out again, even though it's been told not to.

I've always used an old, free version of ZoneAlarm (with updates disabled, the newer versions are annoying) to prevent things getting out. Unllike everything else I've tried which has fallen flat quite easily, ZA has only ever failed me once...

I was trialing a file manager, beyond the allowed time and I did subsequently buy it (cost a lot too!). Even blocked with ZA, I found later versions of the software would know they had been installed with a blacklisted key within minutes. The key was definitely not blacklisted in the program itself, so it had to be talking somehow.

I eventually tracked it down with wireshark. The software was using 'unusual' DNS requests, with the company's own DNS server returning data inserted into a valid-looking but bogus DNS response. The program was allowed local/DNS access in the firewall because I used it over the network. Very clever, and the only instance I have seen of this. The program would even search for other DNS sources on the LAN if I blocked the gateway, trying my wireless routers etc. for an answer.

I was quite impressed; simply, but highly effective leveraging of DNS!

The easy answer for me (and still be able to use the program on the LAN) was to set up my Cisco router as authoritive (internally only of course) for the company's domains, to completely intercept these bogus DNS requests. Worked great. Then I decided it was worth the ridiculous cost for a file manager and bought it.

So, anyway, there are more ways out than we might at first think...

[Elmer]

Out of curiosity, what version of ZoneAlarm are you running?

[Magnox]

Version 9.2.106.000

I think it was one of the last 'direct download' available, rather than a web installer.

Having paid for a subscription to a more recent version some time ago, I found that both the paid software and the company's behaviour annoyed me so much that I went back to the old free version. They'll never see any more money from me.

A shame, because as I said it's the only personal firewall that's never really failed. I've tried most others, paid and free, and had every one fail at some point and let software get past them without warning.

At least as far as Windows 7, which I'm sticking with for the moment.

[pickit2]

I know you want to try it

[bobcat1]

Hi

I use AVG with firewall - and he also block unwanted call's - till one time by mistake I let the AVG soft call home and they cancel my subscription due to time limit use.

All the best

Bobi

[naserturk]

Hello
I think you should test Wireshark

windows 32bit edition : https://1.eu.dl.wireshark.org/win32/Wireshark-win32-1.12.6.exe

windows 64bit edition : https://1.eu.dl.wireshark.org/win64/Wireshark-win64-1.12.6.exe

But what is wireshark ?

Wire shark is really professional free and open-source packet analyzer software with graphical user interface

you can see all traffic visible on that selected network interface, not just traffic addressed to selected interface configured addresses and broadcast/multicast traffic.

for example in your home or office yo have 12 computer and they are all in the same network some of them connected with cable and some of them by wifi its not mater
now with wire shark you can see all computers traffic between each other and internet trough your gateway
this software is one of my really useful tools on my network jobs
some time there is one infected computer in your network and it broadcasts lot of data to network and reduce your bandwidth you can simply find that machine on your network

you should test this tools and believe my you find unimaginable capabilities in this tools for finding any spying software or maybe person on your network

for more information please visit Wireshark home page at https://www.wireshark.org/

and Wikipedia page about this fantastic tool at  https://en.wikipedia.org/wiki/Wireshark 

With best regards
NaserTurk