Monitor Unknown Connections with Currports


Uncover dodgy connections and malicious activity with this handy, free utility.

If you’ve ever downloaded an unknown executable or suspect something may have subverted your defences, you need to know of any malicious connections. Written and maintained by Nir Sofer, Currports gives you a clear, interactive view of all TCP and UDP connections being made by your Windows computer. Unlike Process Monitor, which is part of the excellent Windows Sysinternals suite, Currports isn’t a massive firehose of events that needs taming to be of any use.

You can download Currports from its homepage. The link is near the bottom. If you run a 64-bit architecture, be sure to download the 64-bit version. You can run Currports from anywhere including the desktop. It will create a configuration file called cports.cfg in whichever folder you run it from (including the desktop).

Setting Up
Run Currports and expand the display. By default, the listing is unsorted and doesn’t automatically update, but we can change that. Press Alt + 1 to set an update time of one second, Alt + 2 for two seconds and so on.

Scroll across the display to see the information offered on each connection. Each time you press CTRL+Plus (on the keypad) the columns will auto-resize themselves.

If you double click on a line, a pop-up appears giving details of the process. This basically summarises the data in each of the columns. You can highlight a piece of information, then copy and paste it into other documents etc.

If you grab a column header with the mouse, you can pull it to wherever you want. I advise pulling “Process Created On” to the very left of the display because this acts as a handy time index to events. You can also go to View -> Choose Columns and re-order them, or switch off those you don’t require. If you find it difficult to follow lines across the screen, you can also mark every other line in light grey, and add gridlines from this menu.

There’s another useful column way over to the right of the display. It’s the Remote IP Country column. This will give you the country each remote IP address is assigned to, but it doesn’t display anything until we download the legacy GeoLite City Database. Download the Binary/xz version of the file and place it in the same directory as the same folder as Currports. Re-run Currports, move the Remote IP Country column to a place where you can see it, and you should see the column start to populate as connections are made. If not, you probably downloaded the wrong database. It’s the Binary/xz format you need. You don’t have to unpack it; just place it in the same directory as Currports.

To test the setup, open the Edge browser to generate lots of connections. Sure enough, the screen fills with new connections to different IP addresses as it accesses news, adverts and lots of other guff from multiple countries. The names of servers are resolved into host names where possible, as are city and country names if you downloaded the GeoLite City Database.

Setting Options
Currports has a range of useful options. Most control what’s displayed. Particularly useful is Mark Ports of Unidentified Applications, which is set by default. Any suspicious ports are coloured pink. Suspicious in this context means no icon, no version information, and so on.

To save you from having to sit and actively monitor Currports waiting for an infection to make its move, you can set the Beep on New Ports option. This can become quite noisy on a busy system, but if you just need to know if a suspect process on a specially prepared victim system is making outside connections without you having to stare at the screen for hours, this is the option for you.

You can also log activity by selecting File -> Log Changes. This begins writing to cports.log, which is a plain text file. It logs new connections and connections that close. The log file is written to the same folder from which you started Currports.

You can also filter Currports’ on-screen output. The format of a filter varies slightly depending on what you filter.

For example, to remove all instances of svchost.exe from the display, enter the following line:

exclude:process:svchost.exe

To only show HTTP and HTTPS traffic and exclude all other connected processes:

include:remote:tcp:80
include:remote:tcp:443

You can use local, remote or both to define which end of the connection you’re interested in.  Similarly, the allowed protocols are TCP, UDP and TCPUDP (both).

The include directive means that everything else is excluded, so you’ll need to build up the output using multiple include lines.

Nice Touches
The icon bar gives you quick access to some useful functionality. For example, select a process, hit the red cross, and its connections will drop. This isn’t recommended in normal use, but if you want to see if a piece of malware automatically re-establishes its connection it’s what you need.

Select one or more processes and hit the floppy disk icon. This allows you to save all the data from those lines as a text file.

Drag and drop the target icon onto an application and it should highlight the processes for you. On a fresh installation of Windows 10 Home this didn’t work, but your mileage may vary.

You can set and toggle the display filter with the next two icons. This second option is very useful in cases where you need to clear down the display to just the processes that interest you, then open it back up to all processes. 

This is a Security Bloggers Network syndicated blog post authored by Jon Thompson. Read the original post at: SPECIAL EDITION