Easily Determine If a Specific Software Is Secretly Connecting to the Internet


Software can be programmed to connect to the internet secretly. This happens in the background and is not visible to users unless they know how to check. “Phoning home” is the term used to describe software connecting to its own server, probably to send statistical data or even to verify the validity of the license. As useful as it is for software developers, it can also be a threat. Malware such as a Remote Administrative Tool (RAT) trojan with reverse connection capability can automatically phone home and connect to the hacker, giving the hacker full control over the computer.

If you are the adventurous type who downloads and plays around with a lot of software, especially dangerous ones such as key generators, patches and hack tools, then you must be even more careful to check whether it is secretly phoning home. For computer newbies, running a firewall and letting it take care of everything would be the best choice. You can choose the best firewall listed at Matousec, which lists Comodo Internet Security 4 as the best firewall.

There are many ways to check for applications that connect to the Internet, and I will share with you the method that I use, which can easily help you determine if a specific software is connecting to the internet.


You have probably heard about using netstat via the command prompt, TCPView from Sysinternals, or CurrPorts from Nirsoft, but I find them a little difficult to analyze since they monitor and display ALL applications that connect to the Internet. Sometimes I have downloaded an executable file and only want to check on that. The tool to use is Process Explorer.

Process Explorer is a free and portable tool by Sysinternals that is similar to Windows Task Manager but far more advanced. The good thing about using Process Explorer to check for connections to the Internet is the ability to easily check on a single process or several processes rather than all of them. Simply double-click any process in the list in Process Explorer and go to the TCP/IP tab. It shows both the TCP and UDP connections made by the process. The only drawback of using Process Explorer to check for an application phoning home is the inability to save a log of connections. Once a connection has been made and closed, it is removed from the TCP/IP tab.
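
One way to work around the missing connection log, as an added example that is not part of the original article: a PowerShell loop that polls the TCP connections of one process and appends each new remote endpoint to a CSV file. The process name `example_app` and the log path are placeholders, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added example: log the TCP connections of ONE process so they survive after closing.
param(
    [string]$ProcessName = 'example_app',          # placeholder process name, without .exe
    [string]$LogPath     = "$env:TEMP\conn_log.csv", # placeholder log location
    [int]$IntervalMs     = 500,                    # polling interval
    [int]$DurationSec    = 300                     # how long to watch
)

$seen     = @{}                                    # connections already written to the log
$deadline = (Get-Date).AddSeconds($DurationSec)

while ((Get-Date) -lt $deadline) {
    # The process may start late, exit, or run as several instances while we watch.
    $procIds = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Id)

    if ($procIds.Count -gt 0) {
        $conns = Get-NetTCPConnection -OwningProcess $procIds -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::' }  # skip listening sockets

        foreach ($c in $conns) {
            $key = '{0}|{1}|{2}|{3}|{4}' -f $c.OwningProcess, $c.LocalAddress,
                $c.LocalPort, $c.RemoteAddress, $c.RemotePort
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                # One CSV row per connection, written the first time it is observed.
                [pscustomobject]@{
                    FirstSeen     = (Get-Date).ToString('o')
                    ProcessId     = $c.OwningProcess
                    LocalAddress  = $c.LocalAddress
                    LocalPort     = $c.LocalPort
                    RemoteAddress = $c.RemoteAddress
                    RemotePort    = $c.RemotePort
                    State         = $c.State
                } | Export-Csv -Path $LogPath -Append -NoTypeInformation
            }
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}

Write-Host "Logged $($seen.Count) distinct connection(s) to $LogPath"
```

Because this polls, a connection that opens and closes between two samples is missed; a shorter interval narrows that gap but does not remove it.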

[ Image: Process Explorer check phoning home ]

If you notice that some software is secretly connecting to the Internet and there is no way to turn it off, you can either use a firewall to block the connection or add the hostname to your HOSTS file at C:\WINDOWS\system32\drivers\etc so that the hostname resolves to 127.0.0.1. The HOSTS file has a limitation: it can only translate a host name to an IP address, so it has no effect on software that connects directly to an IP address. This is also one method software pirates use to block software from phoning home to check the validity of the license when they have used an illegal key generator to activate the software. None of the tools above, such as Process Explorer, Netstat, CurrPorts and TCPView, can monitor connections made by a rootkit. We should definitely look at some rootkit discovery tools in future articles.

[ Download Process Explorer ]