89

I've just downloaded and executed a piece of malware on my computer.

I don't have much time right now, so I just powered it off (turned it off via the Start menu), hoping that it won't be able to steal any data or do malicious activities until I can nuke it from orbit.

  • Is it enough to prevent the malware from continuing to carry out malicious activities?
  • Can the malware power on my computer?
  • Should I also unplug it and remove its battery?
schroeder
Benoit Esnard
  • I'm confused, if you are planning to nuke it from orbit, what does it matter if it does what it does? The more important bit is to cut off the network. – schroeder Feb 12 '19 at 16:28
  • _(putting on tinfoil hat and noting that I'm not an expert in this area)_ Is it possible that malware could alter the BIOS to have it wake at a certain time? – AndrolGenhald Feb 12 '19 at 17:07
  • I think you need higher perms to schedule an RTC wakeup or to configure BIOS for WOL... – dandavis Feb 12 '19 at 20:23
  • What if the malware executed in a laptop with a soldered battery at 100% charge? – enon Feb 12 '19 at 22:41
  • @dandavis and there are ways to get elevated privileges, including bypassing the entire OS. There was a DefCon presentation where malware managed to bypass all of Windows, modify the ROM, then it would execute and stay in memory completely outside the OS's reach. So even if you boot into Linux, it'd still be around and have access to any data in memory. So, in short - that is not necessarily a stopgap. Although, I don't know what malware OP got. – VLAZ Feb 13 '19 at 07:45
  • There are BIOS wakeup time functions, the malware could program them. Depends on your hardware how to avoid them. Unplugging will certainly help. – eckes Feb 13 '19 at 11:29
  • How do we know that the malware hasn't already turned your computer on to post this question? Really, Benoit is fast asleep and this is sophisticated benevolent ISSE point-scoring malware. :-p – tudor -Reinstate Monica- Feb 17 '19 at 09:55
  • "so I just powered it off (turned it off via the Start menu)" If you're running Windows 10, it's quite likely the computer is in a suspended/hibernate state instead of completely shut down. – Mast Feb 17 '19 at 23:03
  • @enon: Simple, desolder the battery. – Vikki Feb 18 '19 at 04:50

5 Answers

129

TL;DR Yes, but it's unlikely. Just to be sure, either unplug the PC or ensure it can't connect to anything.

Several operating systems - notably Windows 10 - have the possibility of setting "automatic wakeup", using appropriate drivers and related, complicated hardware management.

As a result, IF (and that's a big if!) a malware program has gained sufficient access to have the operating system do its bidding, it has a way to simply ask the system itself to do this on its behalf.

On some systems (that the malware must be able to recognize and plan for), this holds for "true powerdown" also: additional circuitry will turn the computer on at a preselected time of the onboard Real Time Clock. In a less software-accessible manner this is available on some desktop BIOSes ("Power up automatically: [ ] Never; [ ] After power loss; [ ] Every day at a given time: :" or similar, in the BIOS setup).

Then, the system will automatically power up after some time, for example at a time when you're likely to be asleep.

So:

  • there is RTC powerup hardware support, or more (integrated management systems, common on enterprise computers)
    • the malware must already have taken control of the system, since RTC functions usually require administrator/root level access.
  • RTC powerup HW support not present, or not used:
    • if the malware has taken control of the system, it can have replaced the shutdown procedure with a mere going into sleep, and set up things to exit sleep mode at a later time.

But did either of these options happen? Probably not. Most malware relies on being run unwittingly and being able to operate without being detected for some time. The "power off simulation" is only useful in very specific scenarios (and the hardware option is only available on comparatively few systems), and I don't think it would be worthwhile for a malware writer to worry themselves with them. They usually go with the third and easiest option:

  • one of the usual automatic power-up or logon sequences (autoexec, boot scripts, scheduled tasks, run services and so on) is subverted so that additional code, namely, the malware, is silently run.

For a "targeted" malware, designed with some specific victim in mind and tailored to the specific target's capabilities, rather than the subset available on the average infected machine, all the qualifications above wouldn't come into play.

LSerni
  • You'd have a similar problem if the virus infected your BMC (it could use IPMI to power on the system). That's not much of a risk for consumer-class machines, though. BMC hardware is typically only seen on servers. – bta Feb 12 '19 at 23:05
  • @bta Intel ME and AMD PSP on desktop systems serve essentially the same functions as an advanced BMC. – user71659 Feb 13 '19 at 00:37
  • _“this requires that the malware has already (…) replaced the shutdown procedure with a mere going into sleep“_ Not really for a modern x86, see [the answer by Matija Nalis](https://security.stackexchange.com/a/203450/145686). – Melebius Feb 13 '19 at 13:10
  • The Windows task scheduler has access to the ACPI RTC wakeup functionality and will make use of it. Usually it only wakes up from S3 and S4 but there are systems which do not distinguish between S4 and S5 on the ACPI level for wakeup. I once had such a nice (Vista) machine that would start in the middle of the night to check for Windows updates... – PlasmaHH Feb 14 '19 at 10:12
  • "wake on LAN" / IME has nothing to do with Windows 10, it's a hardware feature, not a software feature – user1067003 Feb 14 '19 at 11:03
  • This is not just Windows 10. Decades ago, your BIOS already had "wake on alarm", which starts your PC at a specified time. And your operating system can set this alarm time. You do not necessarily need a sleep mode for it, if your malware just runs on a normal PC startup as well. – allo Feb 14 '19 at 15:21
  • "unplug the PC" -> can the malware plug it back? ;) – frarugi87 Feb 18 '19 at 10:35
66

As others have mentioned, it is quite possible on most PC hardware, although currently not very likely (as vast majority of malware does not bother).

What others have said is not possible is, however, wrong. Software actually CAN wake up a computer that has been regularly powered off, either via the "shutdown" or "poweroff" commands (GNU/Linux), by clicking on the "Start" button and then "Shutdown" (MS Windows), or via a manual press of the power button.

The feature is called RTC wakeup, and it allows software to schedule a wakeup at a specific time of day. It is controlled by the Real Time Clock chip (the chip which keeps track of time while your computer is powered off, and runs off its own CR2032 battery).

If you run GNU/Linux system, the control of that functionality is provided by rtcwake(8) system command.

As a related feature, many computers also have a feature called Wake on LAN, which allows other computers and routers to power on your computer over wired ethernet network (note that this functionality has to be enabled on your computer, and whether it defaults to on depends on your BIOS).

Monty Harder
Matija Nalis
  • The mobo doesn't watch the power switch, the PSU does. The mobo simply connects the small button pin header to the 24-pin ATX connector. – dandavis Feb 12 '19 at 20:22
  • I tell people that, like Westley in The Princess Bride, a computer that is "shut down" isn't completely off. It's just mostly off. A small part of the motherboard is monitoring the "power switch" on the front of the case [routed through the power supply per @Matija Nalis], the keyboard output for a "power on" signal, and may also be watching for a distinctive packet to hit the NIC... – Monty Harder Feb 12 '19 at 20:33
  • @MontyHarder: Those are different parts, really, and the power switch logic is likely all in hardware. The WOL part is likely implemented in firmware, so that is software. – MSalters Feb 12 '19 at 20:47
  • Also note, since the advent of [ATX power supplies](https://en.wikipedia.org/wiki/ATX) in ca. 1995, most PC computers no longer have a physical off switch (you can pull the cable out, or rarely use a mechanical switch at the back of the ATX PSU near the AC cable). So if your computer can be "turned off" via software (by clicking on the shutdown button), it can almost always also be turned on by software. So actually modern computers are never off, and what we call "off" is actually the [ACPI G2/S5](https://en.wikipedia.org/wiki/Advanced_Configuration_and_Power_Interface#Power_states) "soft-off" state – Matija Nalis Feb 12 '19 at 21:25
  • Wake on LAN works only when you have control of another machine on the same LAN that is *powered on*. Note that by "powered on" I don't necessarily mean fans and disks noisily spinning. Any device that has enough electricity and activity to issue a LAN packet, be it an IoT device on batteries, can issue a WoL packet – usr-local-ΕΨΗΕΛΩΝ Feb 13 '19 at 12:53
  • @MatijaNalis - I believe all power supplies sold in the UK are legally required to have a physical switch, although no-one ever uses it under normal circumstances. This may be EU-wide. – xorsyst Feb 13 '19 at 15:50
  • @MSalters It can't all be in hardware, because if you press the "power switch" while the computer is running, it initiates a graceful shutdown (flushing disk buffers, parking the read/write heads, etc.) before entering the "mostly off" state. I remember when that was not true (pre-ATX). It's possible there's a hardware component that tracks that state and enables "power-up" without any software, but precisely because the motherboards have Wake on LAN (and often Wake on Modem) that do require some kind of low-level processing, it's reasonable to assume they operate similarly. – Monty Harder Feb 13 '19 at 16:16
  • @MatijaNalis: They put the switches back. Look on the back of the computer. There's a 1 0 switch next to the cord in. Toggle it to 0 to hard power off. – Joshua Feb 13 '19 at 20:46
  • @MatijaNalis with backup batteries that last for two hours while the machine's on, pulling the cable isn't an option either... – John Dvorak Feb 14 '19 at 00:46
  • There is one "power switch" and a PSU switch (more a safety feature). Old PCs had a real power switch after the PSU as well. – allo Feb 14 '19 at 15:23
  • Really old PCs only had the real power switch. On my first one, it was a big red lever, which you could switch, preferably after running `park` from the command line to park the hard drive's head. – GolezTrol Feb 15 '19 at 12:51
  • @Joshua I have a brand new Lenovo, two 2-year old HPs and a 3 year old Dell here and none of them have hard power switches. I believe your device has to meet a certain soft standby power limit, or you can put a hard power switch to meet it. – user71659 Feb 16 '19 at 04:41
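Both of the answers above come down to two concrete things a defender can check on a GNU/Linux host before trusting a "soft-off": whether an RTC alarm is armed (the state that rtcwake(8) programs) and whether the NIC will honour a Wake-on-LAN magic packet. The following is an added example in Python, not code from Matija Nalis's or LSerni's answers. It parses the text of `/proc/driver/rtc`, `/sys/class/rtc/rtc0/wakealarm` and `ethtool <iface>`; the sample texts embedded in the block are constructed so the parsers run offline, and `audit_host` is the live variant (it assumes the device is named `rtc0` and that `ethtool` is installed).

```python
"""Audit the two software-controlled wake paths of a soft-off Linux PC:
the RTC alarm (what rtcwake(8) programs) and Wake-on-LAN.

Added example, not code from the Stack Exchange answers. All sample texts
below are constructed to look like real /proc, /sys and ethtool output.
"""
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Constructed sample of /proc/driver/rtc with an alarm armed for 03:00 next day.
SAMPLE_PROC_RTC = """\
rtc_time\t: 23:41:07
rtc_date\t: 2019-02-12
alrm_time\t: 03:00:00
alrm_date\t: 2019-02-13
alarm_IRQ\t: yes
alrm_pending\t: no
update IRQ enabled\t: no
periodic IRQ enabled\t: no
24hr\t\t: yes
batt_status\t: okay
"""

# Constructed, abridged sample of `ethtool eth0`; 'g' = MagicPacket wake enabled.
SAMPLE_ETHTOOL = """\
Settings for eth0:
\tSupported ports: [ TP ]
\tSpeed: 1000Mb/s
\tDuplex: Full
\tSupports Wake-on: pumbg
\tWake-on: g
\tLink detected: yes
"""


def parse_proc_rtc(text: str) -> dict:
    """Turn the 'key : value' lines of /proc/driver/rtc into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def rtc_alarm_armed(text: str) -> Optional[str]:
    """Return 'YYYY-MM-DD HH:MM:SS' of an armed RTC alarm, or None if none is armed."""
    f = parse_proc_rtc(text)
    if f.get("alarm_IRQ") != "yes":
        return None
    return f"{f.get('alrm_date', '????-??-??')} {f.get('alrm_time', '??:??:??')}"


def parse_wakealarm(text: str) -> Optional[datetime]:
    """/sys/class/rtc/rtcN/wakealarm holds a UTC epoch when armed and is empty otherwise."""
    text = text.strip()
    if not text:
        return None
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def wol_modes(text: str) -> dict:
    """Extract the Wake-on flags from ethtool output ('d' = disabled, 'g' = magic packet)."""
    supported = re.search(r"Supports Wake-on:\s*(\S+)", text)
    active = re.search(r"^\s*Wake-on:\s*(\S+)", text, re.M)
    active_flags = active.group(1) if active else "d"
    return {
        "supported": supported.group(1) if supported else "",
        "active": active_flags,
        "magic_packet_enabled": "g" in active_flags,
    }


def findings(proc_rtc: str, ethtool: str, wakealarm: str = "") -> list:
    """Summarise everything that could bring the box back up after a soft-off."""
    out = []
    armed = rtc_alarm_armed(proc_rtc)
    if armed:
        out.append(f"RTC alarm armed for {armed}")
    epoch = parse_wakealarm(wakealarm)
    if epoch:
        out.append(f"wakealarm set for {epoch.isoformat()}")
    if wol_modes(ethtool)["magic_packet_enabled"]:
        out.append("Wake-on-LAN (magic packet) enabled on the NIC")
    return out


def audit_host(iface: str = "eth0") -> list:
    """Live version: read the real files and run ethtool (Linux only, assumes rtc0)."""
    proc_rtc = Path("/proc/driver/rtc").read_text()
    wakealarm = Path("/sys/class/rtc/rtc0/wakealarm").read_text()
    ethtool = subprocess.run(["ethtool", iface], capture_output=True, text=True).stdout
    return findings(proc_rtc, ethtool, wakealarm)


if __name__ == "__main__":
    for item in findings(SAMPLE_PROC_RTC, SAMPLE_ETHTOOL, "1550026800"):
        print("-", item)
```

On a real host, an armed alarm you did not set, or `Wake-on: g` on a machine that never needs remote power-on, is exactly the state to clear (`ethtool -s eth0 wol d`, and writing `0` to `wakealarm` disarms the RTC alarm) before relying on a soft shutdown; pulling the plug remains the only check-free option.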
20

Edit: yes it can be done. As the great answer by Matija Nalis observes, modern systems have a built-in feature that lets you set a boot 'alarm' from software.

A scenario that might also be realistic is the malware gaining persistence on another device. Say your router has default credentials or a vulnerability, the malware could have spread. Someone could then power on your machine if it had wake-on-lan enabled.

But after checking WoL and RTC wakeup you're still not completely safe. Most malware will run in ring 3, and if you're really unlucky in ring 0 as a kernel module or system driver. These are both not running when the system is actually turned off, and if no clock has been set they fundamentally can no longer exercise control over the machine.

There are however execution modes below ring 0 such as SMM and other firmware, which do power management. However, malware abusing this is extremely rare; the only examples in the wild I could name are the NSA codename DEITYBOUNCE class malware and LoJax, likely spread by Fancy Bear.

See Forest's excellent answer on how this can happen.

https://security.stackexchange.com/a/180107/121894

Do you have info on the malware such as a hash or family name? That would allow for a more detailed answer.

J.A.K.
1

The WOL packet has a particular structure; it is not a given that it can be sent over the internet or routed on an intranet to reach the target. A computer is powered off when the power cable is disconnected, or is connected but switched off. The RTC wakeup is nice, but I suppose it could be used only in sleep mode. In my personal opinion some SMM firmware features, if not properly configured (and some of them are disabled by default), could be potentially dangerous for remote management. The best choice is to unplug the internet cable or disable the wireless card until you're sure you have sanitized your PC from the virus infection.

LoryOne
  • Under special conditions a WOL frame could be sent over the internet as a directed IP broadcast or it could be sent from a hacked router or other device on the LAN. --- RTC alarm on ATX computers (introduced in 1995 and later widely adopted) is designed to be able to power the computer on from a completely turned off state. The ATX power supply provides standby 5 volts even when it is turned off. This is to allow functions like WOL, powering on by keyboard etc. --- SMM is being used for APM functions but theoretically it is not necessary for implementing the two wake up functions mentioned. – pabouk - Ukraine stay strong Feb 13 '19 at 21:13
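The "particular structure" of the WOL packet mentioned in this answer is public (six bytes of 0xFF followed by the target MAC repeated sixteen times, optionally followed by a SecureOn password), which makes it easy to spot in a capture on the LAN or at the router pabouk mentions. The block below is an added example in Python, not code from the answers: a minimal Ethernet II / IPv4 / UDP decoder that flags magic packets whether they arrive as UDP datagrams (typically port 9) or raw in EtherType 0x0842 frames. The frame, MAC and IP addresses it uses are constructed.

```python
"""Detect Wake-on-LAN magic packets in captured Ethernet frames.

Added example, not code from the Stack Exchange answers. The magic packet is
6 x 0xFF followed by the target MAC repeated 16 times, optionally followed by
a 4- or 6-byte SecureOn password. The frame built here is constructed.
"""
import struct
from typing import Optional

SYNC = b"\xff" * 6  # synchronisation stream that opens every magic packet


def hexmac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def find_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC (colon-hex) if the payload carries a magic packet, else None."""
    idx = payload.find(SYNC)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 16 * 6]
        if len(body) == 96:
            mac = body[:6]
            # 16 identical copies of a MAC; an all-0xFF "MAC" is just more sync bytes
            if body == mac * 16 and mac != SYNC:
                return hexmac(mac)
        idx = payload.find(SYNC, idx + 1)
    return None


def parse_frame(frame: bytes) -> dict:
    """Minimal Ethernet II + IPv4 + UDP decoder; 'payload' is the innermost layer found."""
    if len(frame) < 14:
        raise ValueError("short frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": hexmac(frame[:6]), "src_mac": hexmac(frame[6:12]),
            "ethertype": ethertype, "payload": frame[14:]}
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]                      # protocol field (17 = UDP)
        info["src_ip"] = ".".join(map(str, frame[26:30]))
        info["dst_ip"] = ".".join(map(str, frame[30:34]))
        l4 = 14 + ihl
        if proto == 17 and len(frame) >= l4 + 8:
            sport, dport, ulen = struct.unpack("!HHH", frame[l4:l4 + 6])
            info.update(src_port=sport, dst_port=dport, payload=frame[l4 + 8: l4 + ulen])
    return info


def scan_frames(frames) -> list:
    """Run the detector over a list of raw frames and report every hit."""
    hits = []
    for n, frame in enumerate(frames):
        hdr = parse_frame(frame)
        mac = find_magic_packet(hdr["payload"])
        if mac:
            hits.append({"frame": n, "target_mac": mac,
                         "from": hdr.get("src_ip", hdr["src_mac"]),
                         "dst_port": hdr.get("dst_port")})
    return hits


def build_magic_payload(mac: bytes, password: bytes = b"") -> bytes:
    return SYNC + mac * 16 + password


def constructed_frame(target_mac: bytes) -> bytes:
    """Constructed Ethernet II / IPv4 / UDP(9) broadcast frame wrapping a magic packet."""
    payload = build_magic_payload(target_mac)
    udp = struct.pack("!HHHH", 40000, 9, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 255])) + udp
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    return eth + ip


if __name__ == "__main__":
    sample = [constructed_frame(bytes.fromhex("aabbccddeeff")), b"\x00" * 60]
    for hit in scan_frames(sample):
        print(hit)
```

Because the detector searches only the decoded payload, the all-0xFF broadcast destination in the Ethernet header cannot trigger it; feeding it frames read from a pcap (for example via a capture library's raw-bytes iterator) turns it into a simple "who is trying to wake what" monitor for the network you control.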
-1

Rootkit malware can do this and much more. However, rootkits are normally used as spyware to gather information from your system without your ever being able to detect that your system is infected. Powering up your system, doing some mischief, and then powering back down would not be useful from a spyware perspective, since it doesn't know, and would find it difficult to predict, your computer usage schedule.

A really well written rootkit would not be detectable to a system that does not have equally well written anti-malware protection. In your case, the malware has been detected. Consider yourself fortunate. To protect your system from rootkit malware:

  1. never, never log in as root user or administrator!! Always use 'sudo' (linux), or 'run as' (Windows) if you need to do something system wide.

  2. Make sure you have a very strong root user (administrator) password, and change this password as often as practical.