Is it safe to rely on network connection icons at the notification area?

1

Is it possible for malicious software to hide the real notification icons, putting up fake icons that indicate there is no data transmission occurring when in fact there is data transmission occurring at that time?

What sort of APIs could be called or software tools could be used that at a low level, below the common malware infections, show the true state of a network connection?

Sometimes I don't know if I can trust even the network card LEDs.

Hernán Eche

Posted 2011-11-09T19:31:11.140

Reputation: 190

Are you experiencing specific issues that lead you to believe that the indicator icons and lights are telling you something incorrect? – music2myear – 2011-11-09T19:37:16.140

@music2myear I've told people to rely on that, but I realized that perhaps it's not reliable at all. – Hernán Eche – 2011-11-09T19:41:41.920

The odds are highly UNlikely that the icons and indicators are incorrect. Most viruses that do high levels of network communication do not attempt to hide the communication at this level, assuming, correctly, that most people don't look at their network indicator lights. – music2myear – 2011-11-09T19:45:01.090

Ya, to modify the icon, you'll not only need admin credentials, but you'll also need to bypass the Windows Resource Protection services. But if you can do that, you've got much larger options available to you. – surfasb – 2011-11-10T04:36:35.157

Answers

2

The most fail-safe method of determining actual network communication status is to use a packet inspector on a second computer connected to the same network. Using a tool such as Wireshark you can filter all communications for the IP address of the suspect machine, and then view, in real time, or by log analysis, what sort of communication is occurring at any given time.

Because this setup involves a second machine, it would be nearly impossible to conceal the actual network communication of the suspect machine.

A bigger question you ought to ask, though, is why would anybody hack your computer?

If indeed there is a malicious tool on your computer communicating over the network interface and using various methods to conceal that communication, it is much more likely you've simply got some sort of spam bot or worm software that was installed, not by hackers, but through more pedestrian and common forms of malware infection: opening the wrong file, downloading the wrong file, visiting a site on an infected server, etc.

music2myear

Posted 2011-11-09T19:31:11.140

Reputation: 34 957

I understand the point, and this is a correct answer. About your question, I don't like to think only in terms of odds/probability, because the new is always (by definition) improbable. – Hernán Eche – 2011-11-09T19:52:24.920

0

I know for certain that in some versions of Windows (Vista and Seven, I think) Atheros drivers won't even show that there is a network connection available.

Basically, you should not rely on the animations and icons to determine if there's network connection or data transmission.

In some cases, even the LEDs can't be trusted to correctly show what's going on.

The best way to solve the problem is to use a network analyzer, like Wireshark, which will show you exactly what goes in and what goes out.

AndrejaKo

Posted 2011-11-09T19:31:11.140

Reputation: 16 459

Wireshark asks the OS API for information; it uses some DLLs, I think, so perhaps we can't trust Wireshark either. – Hernán Eche – 2011-11-09T19:38:52.267

Using Wireshark on a second machine will generally be a more trustworthy method. See my post above. I disagree with AndrejaKo though that most of the time the icons and indicator lights ought not be trusted. – music2myear – 2011-11-09T19:42:16.007
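Both answers recommend capturing the suspect machine's traffic from a second computer and filtering on its IP address. The following added example (not code from the question or either answer) shows the "log analysis" half of that approach without depending on the suspect host's drivers, DLLs or tray icons at all: it reads a libpcap-format capture file, such as one saved by Wireshark or tcpdump on the monitoring machine, walks the Ethernet and IPv4 headers directly, and tallies how many packets and bytes the suspect IP sent and received, and to whom. The capture bytes, the suspect address `192.168.1.20` and the peer `203.0.113.5` are constructed sample data; `parse_pcap` and `traffic_for_host` are names chosen here.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def ipv4_frame(src, dst, payload_len, proto=6):
    """Build an Ethernet + IPv4 frame with a zero-filled payload (constructed test data).
    MACs and the IP checksum are left as zeros; the parser below never reads them."""
    total_len = 20 + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + b"\x00" * payload_len


def build_pcap(frames, start_ts=1320866400):
    """Wrap raw frames in a pcap global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed capture: the suspect host talks to an outside address three times and
# gets one reply; two unrelated LAN frames and one ARP frame are mixed in as noise.
SUSPECT_IP = "192.168.1.20"
SAMPLE_PCAP = build_pcap([
    ipv4_frame(SUSPECT_IP, "203.0.113.5", 100),
    ipv4_frame("192.168.1.30", "192.168.1.1", 50),
    ipv4_frame(SUSPECT_IP, "203.0.113.5", 100),
    b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
    ipv4_frame("203.0.113.5", SUSPECT_IP, 40),
    ipv4_frame("192.168.1.1", "192.168.1.30", 50),
    ipv4_frame(SUSPECT_IP, "203.0.113.5", 100),
])


def parse_pcap(data):
    """Return (timestamp, src_ip, dst_ip, ip_total_length) for every IPv4 frame
    in a libpcap blob, reading the headers by hand; non-IPv4 frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link-layer captures are handled here")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34:                         # Ethernet (14) + minimal IPv4 (20)
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, 14)
        if ver_ihl >> 4 != 4:
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        records.append((ts_sec + ts_usec / 1e6, src, dst, total_len))
    return records


def traffic_for_host(records, suspect_ip):
    """Summarise what one host actually put on the wire: packet and byte totals in
    each direction plus the set of remote peers, independent of anything that host
    reports about itself."""
    out_bytes, in_bytes = Counter(), Counter()
    packets = 0
    for _ts, src, dst, length in records:
        if src == suspect_ip:
            out_bytes[dst] += length
            packets += 1
        elif dst == suspect_ip:
            in_bytes[src] += length
            packets += 1
    return {
        "packets": packets,
        "bytes_out": sum(out_bytes.values()),
        "bytes_in": sum(in_bytes.values()),
        "peers": sorted(set(out_bytes) | set(in_bytes)),
    }


if __name__ == "__main__":
    summary = traffic_for_host(parse_pcap(SAMPLE_PCAP), SUSPECT_IP)
    print(f"{SUSPECT_IP}: {summary['packets']} packets, "
          f"{summary['bytes_out']} B out, {summary['bytes_in']} B in, peers {summary['peers']}")
```

To use it on a real capture, replace `SAMPLE_PCAP` with the bytes of a `.pcap` saved on the monitoring machine (the classic libpcap format, not pcapng) and set `SUSPECT_IP` to the address of the machine under suspicion; a non-zero `packets` count while the suspect's own tray icon claims the link is idle is exactly the discrepancy the question asks how to detect.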