Can a malware power on a computer?
I've just downloaded and executed a piece of malware on my computer.
I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.
- Is it enough to prevent the malware to continue to carry out malicious
activities? - Can the malware power on my computer?
- Should I also unplug it and remove its battery?
malware
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
|
show 4 more comments
I've just downloaded and executed a piece of malware on my computer.
I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.
- Is it enough to prevent the malware to continue to carry out malicious
activities? - Can the malware power on my computer?
- Should I also unplug it and remove its battery?
malware
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
22
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
33
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
3
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
3
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
8
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29
|
show 4 more comments
I've just downloaded and executed a piece of malware on my computer.
I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.
- Is it enough to prevent the malware to continue to carry out malicious
activities? - Can the malware power on my computer?
- Should I also unplug it and remove its battery?
malware
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
I've just downloaded and executed a piece of malware on my computer.
I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.
- Is it enough to prevent the malware to continue to carry out malicious
activities? - Can the malware power on my computer?
- Should I also unplug it and remove its battery?
malware
malware
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
edited Feb 15 at 15:12
schroeder♦
76.1k29169202
76.1k29169202
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
asked Feb 12 at 16:21
Benoit EsnardBenoit Esnard
7,42943950
7,42943950
22
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
33
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
3
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
3
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
8
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29
|
show 4 more comments
22
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
33
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
3
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
3
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
8
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29
22
22
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
33
33
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
3
3
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
3
3
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
8
8
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29
|
show 4 more comments
5 Answers
5
active
oldest
votes
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.
But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
|
show 2 more comments
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
edited Feb 12 at 20:15
Monty Harder
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
|
show 7 more comments
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
add a comment |
The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.
answered Feb 12 at 21:41
LoryOneLoryOne
191
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
add a comment |
Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.
A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :
never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.
Make sure you have a very strong root user (administrator) password, and change this password as often as practical.
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203436%2fcan-a-malware-power-on-a-computer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.
But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
|
show 2 more comments
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.
But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
|
show 2 more comments
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.
But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.
Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.
As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.
On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).
Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.
Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.
But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.
For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
edited Feb 14 at 7:25
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
answered Feb 12 at 17:21
LSerniLSerni
18.1k34048
18.1k34048
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
|
show 2 more comments
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
2
2
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.
– bta
Feb 12 at 23:05
5
5
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
@bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.
– user71659
Feb 13 at 0:37
7
7
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.
– Melebius
Feb 13 at 13:10
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...
– PlasmaHH
Feb 14 at 10:12
1
1
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
"wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature
– user1067003
Feb 14 at 11:03
|
show 2 more comments
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
edited Feb 12 at 20:15
Monty Harder
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
|
show 7 more comments
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
edited Feb 12 at 20:15
Monty Harder
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
|
show 7 more comments
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
edited Feb 12 at 20:15
Monty Harder
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).
What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.
The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).
If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.
As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).
edited Feb 12 at 20:15
Monty Harder
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
edited Feb 12 at 20:15
Monty Harder
48436
edited Feb 12 at 20:15
Monty Harder
48436
edited Feb 12 at 20:15
Monty Harder
48436
48436
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
answered Feb 12 at 19:48
Matija NalisMatija Nalis
1,405815
1,405815
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
|
show 7 more comments
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
22
22
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...
– Monty Harder
Feb 12 at 20:33
2
2
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
@MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.
– MSalters
Feb 12 at 20:47
20
20
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state
– Matija Nalis
Feb 12 at 21:25
8
8
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
@MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.
– xorsyst
Feb 13 at 15:50
3
3
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
@MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.
– Monty Harder
Feb 13 at 16:16
|
show 7 more comments
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
add a comment |
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
add a comment |
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.
A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.
But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.
There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.
See Forests excellent answer on how this can happen.
https://security.stackexchange.com/a/180107/121894
Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
edited yesterday
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
answered Feb 12 at 17:36
J.A.K.J.A.K.
4,488826
4,488826
add a comment |
add a comment |
The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.
answered Feb 12 at 21:41
LoryOneLoryOne
191
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
add a comment |
The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.
answered Feb 12 at 21:41
LoryOneLoryOne
191
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
add a comment |
The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.
answered Feb 12 at 21:41
LoryOneLoryOne
191
The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.
answered Feb 12 at 21:41
LoryOneLoryOne
191
answered Feb 12 at 21:41
LoryOneLoryOne
191
answered Feb 12 at 21:41
LoryOneLoryOne
191
answered Feb 12 at 21:41
LoryOneLoryOne
191
191
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
add a comment |
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
1
1
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.
– pabouk
Feb 13 at 21:13
add a comment |
Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.
A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :
never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.
Make sure you have a very strong root user (administrator) password, and change this password as often as practical.
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
add a comment |
Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.
A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :
never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.
Make sure you have a very strong root user (administrator) password, and change this password as often as practical.
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
add a comment |
Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.
A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :
never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.
Make sure you have a very strong root user (administrator) password, and change this password as often as practical.
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.
A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :
never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.
Make sure you have a very strong root user (administrator) password, and change this password as often as practical.
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
answered Feb 15 at 12:18
0tyranny 0poverty0tyranny 0poverty
1091
1091
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203436%2fcan-a-malware-power-on-a-computer%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
22
I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.
– schroeder♦
Feb 12 at 16:28
33
(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?
– AndrolGenhald
Feb 12 at 17:07
3
i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...
– dandavis
Feb 12 at 20:23
3
@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.
– VLAZ
Feb 13 at 7:45
8
There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.
– eckes
Feb 13 at 11:29