Can a malware power on a computer?












85















I've just downloaded and executed a piece of malware on my computer.



I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.




  • Is it enough to prevent the malware to continue to carry out malicious
    activities?

  • Can the malware power on my computer?

  • Should I also unplug it and remove its battery?










share|improve this question




















  • 22





    I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

    – schroeder
    Feb 12 at 16:28








  • 33





    (putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

    – AndrolGenhald
    Feb 12 at 17:07








  • 3





    i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

    – dandavis
    Feb 12 at 20:23






  • 3





    @dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

    – VLAZ
    Feb 13 at 7:45






  • 8





    There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

    – eckes
    Feb 13 at 11:29
















85















I've just downloaded and executed a piece of malware on my computer.



I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.




  • Is it enough to prevent the malware to continue to carry out malicious
    activities?

  • Can the malware power on my computer?

  • Should I also unplug it and remove its battery?










share|improve this question




















  • 22





    I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

    – schroeder
    Feb 12 at 16:28








  • 33





    (putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

    – AndrolGenhald
    Feb 12 at 17:07








  • 3





    i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

    – dandavis
    Feb 12 at 20:23






  • 3





    @dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

    – VLAZ
    Feb 13 at 7:45






  • 8





    There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

    – eckes
    Feb 13 at 11:29














85












85








85


18






I've just downloaded and executed a piece of malware on my computer.



I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.




  • Is it enough to prevent the malware to continue to carry out malicious
    activities?

  • Can the malware power on my computer?

  • Should I also unplug it and remove its battery?










share|improve this question
















I've just downloaded and executed a piece of malware on my computer.



I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.




  • Is it enough to prevent the malware to continue to carry out malicious
    activities?

  • Can the malware power on my computer?

  • Should I also unplug it and remove its battery?







malware






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 15 at 15:12









schroeder

76.1k29169202




76.1k29169202










asked Feb 12 at 16:21









Benoit EsnardBenoit Esnard

7,42943950




7,42943950








  • 22





    I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

    – schroeder
    Feb 12 at 16:28








  • 33





    (putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

    – AndrolGenhald
    Feb 12 at 17:07








  • 3





    i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

    – dandavis
    Feb 12 at 20:23






  • 3





    @dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

    – VLAZ
    Feb 13 at 7:45






  • 8





    There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

    – eckes
    Feb 13 at 11:29














  • 22





    I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

    – schroeder
    Feb 12 at 16:28








  • 33





    (putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

    – AndrolGenhald
    Feb 12 at 17:07








  • 3





    i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

    – dandavis
    Feb 12 at 20:23






  • 3





    @dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

    – VLAZ
    Feb 13 at 7:45






  • 8





    There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

    – eckes
    Feb 13 at 11:29








22




22





I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

– schroeder
Feb 12 at 16:28







I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network.

– schroeder
Feb 12 at 16:28






33




33





(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

– AndrolGenhald
Feb 12 at 17:07







(putting on tinfoil hat and noting that I'm not an expert in this area) Is it possible that malware could alter to bios to have it wake at a certain time?

– AndrolGenhald
Feb 12 at 17:07






3




3





i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

– dandavis
Feb 12 at 20:23





i think you need higher perms to schedule a rtc wakeup or to configure bios for WOL...

– dandavis
Feb 12 at 20:23




3




3





@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

– VLAZ
Feb 13 at 7:45





@dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got.

– VLAZ
Feb 13 at 7:45




8




8





There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

– eckes
Feb 13 at 11:29





There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help.

– eckes
Feb 13 at 11:29










5 Answers
5






active

oldest

votes


















123














TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.



Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.



As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.



On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).



Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.



Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.



But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.



For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.






share|improve this answer





















  • 2





    You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

    – bta
    Feb 12 at 23:05






  • 5





    @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

    – user71659
    Feb 13 at 0:37






  • 7





    “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

    – Melebius
    Feb 13 at 13:10











  • The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

    – PlasmaHH
    Feb 14 at 10:12






  • 1





    "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

    – user1067003
    Feb 14 at 11:03



















65














As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).



What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.



The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).



If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.



As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).






share|improve this answer





















  • 22





    I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

    – Monty Harder
    Feb 12 at 20:33






  • 2





    @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

    – MSalters
    Feb 12 at 20:47






  • 20





    Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

    – Matija Nalis
    Feb 12 at 21:25






  • 8





    @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

    – xorsyst
    Feb 13 at 15:50






  • 3





    @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

    – Monty Harder
    Feb 13 at 16:16



















20














Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.



A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.



But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.



There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.



See Forests excellent answer on how this can happen.



https://security.stackexchange.com/a/180107/121894



Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.






share|improve this answer

































    1














    The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
    A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
    The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
    In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
    The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.






    share|improve this answer



















    • 1





      Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

      – pabouk
      Feb 13 at 21:13





















    -1














    Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.



    A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :




    1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.


    2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.







    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203436%2fcan-a-malware-power-on-a-computer%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      5 Answers
      5






      active

      oldest

      votes








      5 Answers
      5






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      123














      TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.



      Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.



      As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.



      On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).



      Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.



      Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.



      But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.



      For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.






      share|improve this answer





















      • 2





        You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

        – bta
        Feb 12 at 23:05






      • 5





        @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

        – user71659
        Feb 13 at 0:37






      • 7





        “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

        – Melebius
        Feb 13 at 13:10











      • The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

        – PlasmaHH
        Feb 14 at 10:12






      • 1





        "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

        – user1067003
        Feb 14 at 11:03
















      123














      TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.



      Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.



      As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.



      On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).



      Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.



      Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.



      But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.



      For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.






      share|improve this answer





















      • 2





        You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

        – bta
        Feb 12 at 23:05






      • 5





        @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

        – user71659
        Feb 13 at 0:37






      • 7





        “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

        – Melebius
        Feb 13 at 13:10











      • The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

        – PlasmaHH
        Feb 14 at 10:12






      • 1





        "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

        – user1067003
        Feb 14 at 11:03














      123












      123








      123







      TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.



      Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.



      As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.



      On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).



      Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.



      Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.



      But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.



      For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.






      share|improve this answer















      TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.



      Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.



      As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.



      On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).



      Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.



      Of course (unless the hardware option holds), this requires that the malware has already taken control of the system and has replaced the shutdown procedure with a mere going into sleep. The hardware option also requires significant system access.



      But did it happen? Probably not. Most malware rely on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them.



      For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Feb 14 at 7:25

























      answered Feb 12 at 17:21









      LSerniLSerni

      18.1k34048




      18.1k34048








      • 2





        You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

        – bta
        Feb 12 at 23:05






      • 5





        @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

        – user71659
        Feb 13 at 0:37






      • 7





        “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

        – Melebius
        Feb 13 at 13:10











      • The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

        – PlasmaHH
        Feb 14 at 10:12






      • 1





        "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

        – user1067003
        Feb 14 at 11:03














      • 2





        You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

        – bta
        Feb 12 at 23:05






      • 5





        @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

        – user71659
        Feb 13 at 0:37






      • 7





        “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

        – Melebius
        Feb 13 at 13:10











      • The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

        – PlasmaHH
        Feb 14 at 10:12






      • 1





        "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

        – user1067003
        Feb 14 at 11:03








      2




      2





      You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

      – bta
      Feb 12 at 23:05





      You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers.

      – bta
      Feb 12 at 23:05




      5




      5





      @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

      – user71659
      Feb 13 at 0:37





      @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC.

      – user71659
      Feb 13 at 0:37




      7




      7





      “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

      – Melebius
      Feb 13 at 13:10





      “this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“ Not really for a modern x86, see the answer by Matija Nalis.

      – Melebius
      Feb 13 at 13:10













      The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

      – PlasmaHH
      Feb 14 at 10:12





      The windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the acpi level for wakeup. I once had such a nice (vista) machine that would start in the middle of the night to check for windows updates...

      – PlasmaHH
      Feb 14 at 10:12




      1




      1





      "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

      – user1067003
      Feb 14 at 11:03





      "wake on LAN" / IME has nothing to do with windows 10, it's a hardware feature, not a software feature

      – user1067003
      Feb 14 at 11:03













      65














      As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).



      What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.



      The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).



      If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.



      As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).






      share|improve this answer





















      • 22





        I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

        – Monty Harder
        Feb 12 at 20:33






      • 2





        @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

        – MSalters
        Feb 12 at 20:47






      • 20





        Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

        – Matija Nalis
        Feb 12 at 21:25






      • 8





        @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

        – xorsyst
        Feb 13 at 15:50






      • 3





        @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

        – Monty Harder
        Feb 13 at 16:16
















      65














      As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).



      What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.



      The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).



      If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.



      As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).






      share|improve this answer





















      • 22





        I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

        – Monty Harder
        Feb 12 at 20:33






      • 2





        @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

        – MSalters
        Feb 12 at 20:47






      • 20





        Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

        – Matija Nalis
        Feb 12 at 21:25






      • 8





        @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

        – xorsyst
        Feb 13 at 15:50






      • 3





        @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

        – Monty Harder
        Feb 13 at 16:16














      65












      65








      65







      As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).



      What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.



      The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).



      If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.



      As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).






      share|improve this answer















      As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).



      What others have said is not possible is however wrong. Software actually CAN wake up a computer that has been regularly powered off either via "shutdown" or "poweroff" commands (GNU/Linux) or clicking on "start" button and then "Shutdown" (MS Windows), or via manual press of power button.



      The feature is called RTC wakeup, and it allows software to schedule wakeup at specific time of day. It is controlled by Real time clock chip (chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).



      If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.



      As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Feb 12 at 20:15









      Monty Harder

      48436




      48436










      answered Feb 12 at 19:48









      Matija NalisMatija Nalis

      1,405815




      1,405815








      • 22





        I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

        – Monty Harder
        Feb 12 at 20:33






      • 2





        @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

        – MSalters
        Feb 12 at 20:47






      • 20





        Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

        – Matija Nalis
        Feb 12 at 21:25






      • 8





        @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

        – xorsyst
        Feb 13 at 15:50






      • 3





        @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

        – Monty Harder
        Feb 13 at 16:16














      • 22





        I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

        – Monty Harder
        Feb 12 at 20:33






      • 2





        @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

        – MSalters
        Feb 12 at 20:47






      • 20





        Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

        – Matija Nalis
        Feb 12 at 21:25






      • 8





        @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

        – xorsyst
        Feb 13 at 15:50






      • 3





        @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

        – Monty Harder
        Feb 13 at 16:16








      22




      22





      I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

      – Monty Harder
      Feb 12 at 20:33





      I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nails] , the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC...

      – Monty Harder
      Feb 12 at 20:33




      2




      2





      @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

      – MSalters
      Feb 12 at 20:47





      @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software.

      – MSalters
      Feb 12 at 20:47




      20




      20





      Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

      – Matija Nalis
      Feb 12 at 21:25





      Also note, since the advent of ATX power supplies in cca 1995., most of the PC computers no longer have physical off switch (you can pull the cable out, or rarely by mechanical switch at the back of ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually ACPI G2/S5 "soft-off" state

      – Matija Nalis
      Feb 12 at 21:25




      8




      8





      @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

      – xorsyst
      Feb 13 at 15:50





      @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide.

      – xorsyst
      Feb 13 at 15:50




      3




      3





      @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

      – Monty Harder
      Feb 13 at 16:16





      @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly.

      – Monty Harder
      Feb 13 at 16:16











      20














      Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.



      A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.



      But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.



      There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.



      See Forests excellent answer on how this can happen.



      https://security.stackexchange.com/a/180107/121894



      Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.






      share|improve this answer






























        20














        Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.



        A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.



        But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.



        There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.



        See Forests excellent answer on how this can happen.



        https://security.stackexchange.com/a/180107/121894



        Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.






        share|improve this answer




























          20












          20








          20







          Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.



          A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.



          But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.



          There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.



          See Forests excellent answer on how this can happen.



          https://security.stackexchange.com/a/180107/121894



          Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.






          share|improve this answer















          Edit: yes it can be done. As the great answer by Majita Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.



          A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.



          But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.



          There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However malware abusing this is extremely rare, the only example in the wild I could name is the NSA codename DEITYBOUNCE class malware and the LoJax likely spread by Fancy Bear.



          See Forests excellent answer on how this can happen.



          https://security.stackexchange.com/a/180107/121894



          Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered Feb 12 at 17:36









          J.A.K.J.A.K.

          4,488826




          4,488826























              1














              The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
              A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
              The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
              In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
              The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.






              share|improve this answer



















              • 1





                Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

                – pabouk
                Feb 13 at 21:13


















              1














              The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
              A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
              The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
              In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
              The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.






              share|improve this answer



















              • 1





                Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

                – pabouk
                Feb 13 at 21:13
















              1












              1








              1







              The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
              A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
              The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
              In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
              The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.






              share|improve this answer













              The WOL packet has a particular structure; Is not said it could be sent on internet or routed on intranet to reach the target.
              A computer is powered off when the alimentation cable is disconnected or is connected but switched off.
              The RTC wakeup is nice, but i suppose it could be used only on sleep mode.
              In my personal opinion some SMM firmware features, if not properly configurated and some of them disabled as default, could be potentially dangerous for remote management.
              The best choice is unplug internet cable or disable wireless card until you're not sure to have sanitized your pc by the virus infection.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Feb 12 at 21:41









              LoryOneLoryOne

              191




              191








              • 1





                Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

                – pabouk
                Feb 13 at 21:13
















              • 1





                Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

                – pabouk
                Feb 13 at 21:13










              1




              1





              Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

              – pabouk
              Feb 13 at 21:13







              Under special conditions WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned.

              – pabouk
              Feb 13 at 21:13













              -1














              Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.



              A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :




              1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.


              2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.







              share|improve this answer




























                -1














                Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.



                A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :




                1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.


                2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.







                share|improve this answer


























                  -1












                  -1








                  -1







                  Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.



                  A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :




                  1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.


                  2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.







                  share|improve this answer













                  Root Kit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective since it doesn't know and would be difficult to predict your computer usage schedule.



                  A really well written root kit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from root kit malware :




                  1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.


                  2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.








                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Feb 15 at 12:18









                  0tyranny 0poverty0tyranny 0poverty

                  1091




                  1091






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203436%2fcan-a-malware-power-on-a-computer%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      How to change which sound is reproduced for terminal bell?

                      Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

                      Can I use Tabulator js library in my java Spring + Thymeleaf project?