LOCATING SPYWARE

The easiest way to locate hidden spyware is to investigate the mechanisms spyware uses to hide and do its work. As covered in Lesson 1, a lot of spyware communicates back to its creators via the Internet. An easy way to verify that such communication is occurring is to view all of the current, active network connections on your computer using Active Ports. Active Ports is an essential tool that lists every incoming and outgoing connection on each of your active network connections, such as your Internet dial-up or broadband connection.

Before continuing, make sure you exit all open applications on your computer and wait for at least one minute. Doing this makes the data you're about to see easier to decipher.

The Active Ports window in Figure 2-1 is split into a number of columns, the most important of which are:

  • Process: Lists the filenames of all programs that currently have active network connections.
  • Path: Lists the exact location of each process.
  • Remote IP: Lists the IP address of the server to which the process is connected.
  • State: Shows whether the process is making a connection to the server or waiting to answer an incoming connection request.
Figure 2-1: Active Ports main window.

Using the output from Active Ports, it's easy to see whether any rogue processes are making network connections. Even more useful is the ability to watch for new connections being made. As an example, open Microsoft Internet Explorer and wait until your home page loads (if your home page is a blank page, browse to a Web site you normally use). Quickly switch back to Active Ports, and you'll see a new entry in the window highlighted in green similar to Figure 2-1. The process name is iexplore.exe, and the IP address of the Web server that hosts your home page also appears in the list. After the page has loaded, a few seconds pass and the Active Ports entries that were highlighted in green turn red. This signifies that the connection is now closing.

Active Ports highlights new connections in bright green, and terminating connections in bright red.

If spyware is present on your computer and is communicating to a remote server, you'd spot it in this list. The best method for investigating this is to close all applications, open one Internet Explorer window, and then watch the Active Ports output for a while. If spyware is communicating with a remote server, it usually gives itself away here.
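The watching technique described above, reduced to a script, as an added example that is not part of the original lesson: it parses the TCP rows of Windows `netstat -ano` output (the text equivalent of the Active Ports columns), compares two snapshots, and reports connections that are new since the last look and connections that have moved into a closing state, which is what the green and red highlighting in Active Ports shows. The snapshots, the PID-to-process-name map and the addresses are constructed placeholders, not data captured from a real machine; a process ID that no known program accounts for is reported as unknown, which is the row a reviewer should look at first.

```python
import re
from dataclasses import dataclass

# One data row of Windows `netstat -ano` output: proto, local, remote, state, pid.
# Only TCP rows are matched; UDP rows have no state column and are skipped.
_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)

# TCP states that mean a connection is on its way out (the red rows in Active Ports).
CLOSING_STATES = {"TIME_WAIT", "CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}


@dataclass(frozen=True)
class Conn:
    local: str
    remote: str
    state: str
    pid: int

    @property
    def key(self):
        # A socket pair owned by a given process identifies one connection across snapshots.
        return (self.local, self.remote, self.pid)


def parse_netstat(text):
    """Parse the TCP rows of `netstat -ano` output, ignoring the banner and header lines."""
    return [Conn(m["local"], m["remote"], m["state"], int(m["pid"]))
            for m in map(_ROW.match, text.splitlines()) if m]


def diff_snapshots(before, after):
    """Compare two snapshots: 'new' connections (green in Active Ports), connections that
    entered a closing state since the last look (red), and ones that have vanished."""
    old = {c.key: c for c in before}
    cur = {c.key: c for c in after}
    return {
        "new": [c for k, c in cur.items() if k not in old],
        "closing": [c for k, c in cur.items()
                    if k in old and c.state in CLOSING_STATES and old[k].state not in CLOSING_STATES],
        "gone": [c for k, c in old.items() if k not in cur],
    }


def describe(conn, pid_names):
    """Render one connection with its process name (from a tasklist-style PID map);
    a PID with no known name is flagged so it stands out in the report."""
    name = pid_names.get(conn.pid, f"<unknown pid {conn.pid}>")
    return f"{name:<18} {conn.remote:<22} {conn.state}"


# --- constructed sample data (placeholders, not captured from a real machine) ---
PID_NAMES = {900: "svchost.exe", 1234: "iexplore.exe"}  # constructed tasklist-style map

SNAP_IDLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:500            *:*                                    900
"""

# After opening the browser: its connection appears, and so does one owned by a PID
# that no known process accounts for (constructed placeholder addresses).
SNAP_BROWSING = SNAP_IDLE + """\
  TCP    192.168.1.5:49212      203.0.113.10:80        ESTABLISHED     1234
  TCP    192.168.1.5:49300      198.51.100.7:6667      ESTABLISHED     2048
"""

# A few seconds later the browser connection is winding down; the other one is not.
SNAP_LATER = SNAP_IDLE + """\
  TCP    192.168.1.5:49212      203.0.113.10:80        TIME_WAIT       1234
  TCP    192.168.1.5:49300      198.51.100.7:6667      ESTABLISHED     2048
"""


def run_demo():
    """Walk the three snapshots in order and return the report rows grouped by change type."""
    report = {}
    steps = [("browsing", SNAP_IDLE, SNAP_BROWSING), ("later", SNAP_BROWSING, SNAP_LATER)]
    for label, prev, cur in steps:
        changes = diff_snapshots(parse_netstat(prev), parse_netstat(cur))
        report[label] = {kind: [describe(c, PID_NAMES) for c in conns]
                         for kind, conns in changes.items()}
    return report


if __name__ == "__main__":
    for label, groups in run_demo().items():
        print(f"== {label} ==")
        for kind, rows in groups.items():
            for row in rows:
                print(f"  [{kind}] {row}")
```

On a real machine you would feed `parse_netstat` the output of `netstat -ano` taken a few seconds apart and build `PID_NAMES` from `tasklist`; the connection keyed on local address, remote address and PID is what lets the script tell "a new connection appeared" from "an old one changed state", which is the same distinction the green and red rows make.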

If you use Norton Antivirus, you may find that Active Ports (and other similar, legitimate tools) are detected as spyware. This is a false positive and can be safely ignored. These tools are not spyware and do not contain malicious code.

Alternatives to Active Ports

You may find the following tools helpful alternatives to Active Ports (some students taking this class have reported that Active Ports doesn't work with Windows ME):

The Sysinternals site has some other very useful utilities on it, including Handle. Handle shows you exactly which processes have which files open on your system. (Note: The Handle link is for Windows 2000 and XP only. There is a Windows 95/98-specific section on the left-hand side of the Sysinternals page.)

Microsoft Windows itself will quite often seem to make network connections at random. The only way to separate these legitimate connections from malicious, spyware connections is through experience. You'll learn some useful tips later in this lesson.