Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.
Monday, 31 October 2016
Monitor Unknown Connections with Currports
Uncover dodgy connections and malicious activity with this handy, free utility.
If you've ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn’t a massive firehose of events that needs taming to be of any use.
You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere including the desktop. It will create a configuration file called cports.cfg in whichever folder you run it from (including the desktop).
Run Currports and expand the display. By default, the listing is unsorted and doesn't automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.
Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.
If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.
If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling "Process Created On" to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don't require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.
There's another useful column way over to the right of the display. It's the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn’t display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same directory as the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It's the Binary/xz format you need. You don't have to unpack it; just place it in the same directory as Currports.
To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.
Currports has a range of useful options. Most control what's displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.
To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.
You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.
You can also filter Currports' on-screen output. The format of a filter varies slightly depending on what you filter.
For example, to remove all instances of svchost.exe from the display, enter the following line:
To only show HTTP and HTTPS traffic and exclude all other connected processes:
You can use local, remote or both to define which end of the connection you're interested in. Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).
The include directive means that everything else is excluded, so you'll need to build up the output using multiple include lines.
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn't recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it's what you need.
Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.
Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn't work, but your mileage may vary.
You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes.
Searching for strings is accomplished with the binoculars icon, which allows you to specify case sensitivity.
Finally, you can export the entire display into HTML format, which is then opened in your default browser.
All pretty interesting stuff, but what can you do with Currports other than satisfy your curiosity?
Currports comes into its own as part of the behavioural analysis of potential malware. If you've downloaded a piece of older, unsupported application, it's immensely useful to see if it's leaking information or calling home.
Depending on the type of infection, several things may happen. A botnet client will try to contact its command server for instructions, a payload and a target list. Ransomware might also call home for an encryption key, but much of it also explores your network looking for other machines with unprotected shares to hold hostage. If it does so, you'll see multiple connection attempts to lots of other addresses on the subnet.
It's not unusual for some forms of malware to open connections to the site router while attempting to find vulnerabilities to exploit. It's easier to attack your router from the inside of the network than from the (supposedly) hardened public side. If it can install a fake certificate or subvert DNS caching, it can redirect traffic to attack servers.
Many drive-by infections need somewhere to download and run their payloads. They can't use the system directories, so tend to use your temporary directory. In a similar vein, much of today's malware likes to masquerade as legitimate system processes, such as svchost.exe. A Svchost with a process path leading to your temporary directory instead of WINDOWS\System32 is clearly not legitimate, for example. Anything out of the ordinary (Excel making connections to Romania?) should be investigated.
There are also times where all hell seems to let loose, but which are completely benign. Windows Update, for example. For this reason, it's useful to install Windows in a VM, download and set Currports running, and just get a feel for what happens during various major operating system events. Also, install an antivirus product and watch the connections fly as it updates itself.
So, there we have it: a simple, useful utility to give you a clear 1,000-foot view of the connections being made. I may have missed one or two options, but if you have any interesting uses for Currports, please feel free to post them in the comments.