This tutorial will tell you how to test if you are infected with worms, trojans and other types of malware. You’ll also learn how to run dos programs in a for loop ….
Lets say we wanted to loop over and over watching for port 80 connections (perhaps we are looking for a worm and trying to find out where it connects to, or we want to investigate all connections that our computer is making without our permission/knowledge). This is a typical method of investigating for spyware infections…
Port 80 is a web server, and most worms and malware connect via HTTP (a web server on port 80), or HTTPS (an encrypted webserver on port 443). In reality though spyware can connect to any port, these are simply the most common. We could simply look for “TCP” connections and find which ports they are using. Anyway, assuming it’s port 80 you are looking for:
In Linux, you’d simply type:
shell>watch "netstat -ano |grep ':80'"
In winblow$ though, there isn’t such a command as “watch” by default. There is a several hacks available on the resource cd, but that’s not a default install for most users… So, lets expand our example and pretend we want to see all connections to port 80, on a windows box:
netstat -ano | find ":80"
for /L %1 in (0,0,0) do netstat -ano|find ":80"
But this scrolls by like a jack rabbit on crack when I open up a browser, so we’ll slow it down with a ping in between each loop using the && operator
We’ll ping the multicast address of 188.8.131.52 once (-n 1) and then wait 2000 milliseconds (2 seconds, -w 2000). This is a hack that allows us to pause for 2 seconds:
ping -n 1 -w 2000 184.108.40.206
And to use the loop, the command and the pause all together:
for /L %i in (0,0,0) do netstat -ano|find ":80" && @ping -n 1 -w 2000 220.127.116.11
It’s slow now, and readable, but it’s ugly still and will be difficult to monitor casually, so I’m going to use @, cls and NUL to erase data I don’t want see, making changes easier to see, so final tweaks:
for /L %i in (0,0,0) do @cls && netstat -ano|find ":80" && @ping -n 1 -w 2000 18.104.22.168 >NUL && @cls
And a few seconds later, if we keep monitoring (wait for the TCP connections that I initiated to time out):
Find out what port you are looking for and it will tell you what ip address it’s communicating to.
For example, if you were watching for all TCP connections you’d instead say:
for /L %i in (0,0,0) do @cls && netstat -ano | find "TCP" && @ping -n 1 -w 2000 22.214.171.124 >NUL && @cls
And just a few seconds later after most of the connects have timed out:
for /L %i in (0,0,0) do @cls && netstat -ano | find ":22" && @ping -n 1 -w 2000 126.96.36.199 >NUL && @cls
for /L %i in (0,0,0) do @cls && netstat -ano | find ":21" && @ping -n 1 -w 2000 188.8.131.52 >NUL && @cls
for /L %i in (0,0,0) do @cls && netstat -ano | find ":3389" && @ping -n 1 -w 2000 184.108.40.206 >NUL && @cls
Be creative and you can use a loop to find and monitor for useful information, such as all TCP connections, that are not Ipv6 (here I use another find, but this time I use it to remove [::], which is an ipv6 connection:
for /L %i in (0,0,0) do @cls && netstat -ano|find "TCP"|find /V "::" && @ping -n 1 -w 2000 220.127.116.11 >NUL && @cls
Simply replace the green text with whatever commands/parameters you want to monitor and this dos 1 liner will monitor it for you in real time. You can adjust the ping -n 1 -w 2000 18.104.22.168 line to be some other number if you want screen updates to happen faster or slower. Each 1000 ms is a second. So to do a 10 second wait: ping -n 1 -w 10000 22.214.171.124
So … we found a connection and don’t know what it’s to. What do you do? First, use task manager and look at the Process ID. We’ll use the line above and look for the PID of 1116.
We can see that 1116 in the PID column is safe, it’s our virus scanner (Google AvastSvc.exe to verify and make sure you have avast.com free antivirus installed.)
We can also look at the established connections using nslookup to find out who owns the ip address. That will often give a great clue as to what you are connected to. Scroll up and look at the established connection for 126.96.36.199, who owns it and why is process id 2648 (chrome web browser) connected to it?
Common sense should tell me to go look at my chrome browser and see what might be https (netstat shows it’s connected on port 443, which is https), but lets assume that it’s not chrome and it’s some program in the background that is connecting to some ip address without my knowledge, here is how I’d find out who that remote ip address is:
This says that the root domain is 1e100.net, and if I do a lookup on http://whois.sc or any other domain lookup tool it tells me that it’s owned by google. As I’m connected to gmail on https, this established connection makes perfect sense and I don’t need to investigate further.