Can I prevent internet connectivity on my machine by corrupting some Windows networking API DLL?

2

I am interested in ways to achieve bulletproof reversible disabling of internet connection. E.g. I figure that if I just run "ipconfig /release" the smart trojan could re-enable the connection by doing the equivalent of "ipconfig /renew" via the appropriate Windows API. Perhaps other programmatic methods of turning off the connection could be defeated similarly by the trojan.

So would corrupting some underlying Windows DLL work? First of all, is it even possible, without booting under Linux? Second, if it is possible, what DLL would be a good target to mess up to get rid of networking while not affecting other essential Windows functionality?

ETA: thanks for the responses. I don't want to discuss the disabling-the-adapter approach because... because this question is not about that and because if I can programmatically enable/disable something, then so can the trojan. The idea of removing network connectivity is not doable because there is no physical way to shut off the wifi adapter in my machine.

Downthread uSlackr said that Windows "will fix any system file". So, how would it fix it? Does it have backups in some identifiable location that could also be corrupted?

Are there other problems with the feasibility of this approach, other than Windows restoring the files?

ETA2: on second thought, would the wifi adapter's driver file, as opposed to the DLLs of Windows itself, be a more convenient target?

EndangeringSpecies

Posted 2012-03-05T16:22:42.900

Reputation: 593

Question was closed 2012-07-18T00:07:08.790

Just disable your network adapter and you won't have any problems. If you're truly concerned, there is no non-destructive (read: way to enable/disable dynamically) way to do what you ask. If you're willing to do so, create a Windows image using RT7Lite, and remove all essential networking components. – Breakthrough – 2012-03-05T16:35:55.770

Windows will fix any system file you corrupt. Physically disconnecting from the network is not reversible without physical access. – uSlackr – 2012-03-05T16:41:42.923

uSlackr, thanks for the response, please see the additional questions in the main body – EndangeringSpecies – 2012-03-05T17:04:49.603

"if I can programmatically enable/disable something, then so can the trojan" -- I doubt that trojans go that far. Probably switching the device off in the BIOS would be enough. For a Windows-only approach, I would first disable automatic driver installation (I think the policy editor allows doing that) and then uninstall the network device. – Frg – 2012-03-05T17:18:23.733

How about just removing the infection? – Ramhound – 2012-03-05T17:36:48.050

That should do it. Stop the device, which really should be enough, then rename the .sys file for the device, then toss a dummy back in its place. Make a batch/switch to turn it on and off, and just have the changes be human-made (different). Put on a tin foil hat and you're all set. I have not seen talk of, or descriptions yet of, a virus that would bother to think it even needed to turn the net itself on :-) Turning off the device (or the switch on the modem) would be like taking the keys away from the car they drove in on :-) – Psycogeek – 2012-03-05T19:56:54.040

Answers

2

Disable the network adapter and there will be no access of any kind. All Windows functions will work but no network access of any kind. If you need local communications, you will need another protocol. Not sure how booting to a Linux OS would help.

Given your reply perhaps you could share your goal. If you can't disable or turn off, please explain. Do you need TCP/IP?

As to the malware turning something on, please explain how it would do so if there was no access? Does the malware arrive via a different vector? USB, CD, etc.? Also, the malware would need to have a component that enables the adapter. While some will have a component that tries to use a dialup connection, enabling a NIC is an unusual approach.

You could also set your IP to an address on a different subnet. If the router and Internet are on 192.168.x.x, then set your IP to 10.10.10.X, set the subnet mask to 255.255.255.0, and set the gateway to something on 10.10.10.X.

Dave M

Posted 2012-03-05T16:22:42.900

Reputation: 12 811
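The two approaches in this answer (disabling the adapter, and parking it on a static address in a subnet the router does not serve), as an added PowerShell example that is not code from the thread or from any of its participants. It assumes Windows 8 / Server 2012 or later (the NetAdapter and NetTCPIP modules), an elevated prompt, and an adapter alias of "Wi-Fi"; the 10.10.10.x values are the answer's own example values, and the function names are my own.

```powershell
# Added example (not from the thread): reversible network cut-off using the two
# methods suggested in the answer above. Assumes Windows 8 / Server 2012 or later
# (NetAdapter + NetTCPIP modules), an elevated prompt, and an adapter alias of
# "Wi-Fi". The 10.10.10.x values are the answer's example values.
#Requires -RunAsAdministrator

$Adapter = 'Wi-Fi'        # assumed adapter alias; list yours with Get-NetAdapter
$ParkIP  = '10.10.10.5'   # host address on the non-routed subnet (constructed value)
$ParkGw  = '10.10.10.1'   # gateway address that nothing on the real network answers on
$Prefix  = 24             # 255.255.255.0

function Disable-Wifi {
    # Method 1: administratively disable the adapter (no link, no traffic).
    Disable-NetAdapter -Name $Adapter -Confirm:$false
}

function Enable-Wifi {
    Enable-NetAdapter -Name $Adapter -Confirm:$false
}

function Park-Wifi {
    # Method 2: drop the DHCP lease and give the adapter a static address on a
    # subnet the router is not on, so there is no usable route off the host.
    Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $ParkIP -PrefixLength $Prefix -DefaultGateway $ParkGw | Out-Null
    # Clear any DHCP-learned resolvers so name lookups cannot reach the old network either.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses
}

function Unpark-Wifi {
    # Revert to DHCP; the default route comes back when a lease is obtained.
    Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Remove-NetRoute     -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
    Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ResetServerAddresses
    Restart-NetAdapter -Name $Adapter   # bounce the link to force a fresh lease
}

function Get-WifiState {
    # Verification: adapter status, current IPv4 address(es), and whether a
    # default route exists, so the cut-off can be confirmed rather than assumed.
    $nic   = Get-NetAdapter -Name $Adapter
    $ip    = Get-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $route = Get-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Adapter      = $nic.Name
        Status       = $nic.Status          # Up / Disconnected / Disabled
        IPv4         = ($ip.IPAddress -join ', ')
        DefaultRoute = [bool]$route         # $false means no path to the Internet
    }
}

# Usage (run one pair at a time from an elevated prompt):
#   Disable-Wifi ; Get-WifiState
#   Enable-Wifi  ; Get-WifiState
#   Park-Wifi    ; Get-WifiState
#   Unpark-Wifi  ; Get-WifiState
```

`Get-WifiState` is the check to run after either method: the cut-off is effective when `Status` is `Disabled`, or when `IPv4` shows the parked address and `DefaultRoute` is `$false`. Both methods are performed from an elevated prompt, which is the limitation the asker and the commenters point at: anything else running with the same privilege can run `Enable-Wifi` or `Unpark-Wifi` just as easily, so these are convenience switches for the user rather than a barrier against privileged code on the same host.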

my goal is to achieve disabling of the network which is easy to reverse for me and hard to reverse for the attacker. The attacker already knows about programmatic enabling and disabling adapters, so the trojan might try doing that to restore connection. But the attacker does not know that the only way to restore the connection on my machine is "clap your hands twice during full moon and run MagicRestore" – EndangeringSpecies – 2012-03-05T17:16:25.983

Using an IP on a different network is easy to change and it is unlikely any attacker could guess the "correct" IP. It is quick and easy to do. Again, please explain how the attack arrives so everyone can understand the requirement more clearly. – Dave M – 2012-03-05T17:32:41.967

"attacker" is "malware" software on my machine that may try connecting to the web without my notice, for reasons either malicious or "helpful" (think Microsoft). For the purposes of this thread the internet connection is through a wifi network which is not under my control. Whereas I am aware of the existence of various approaches to handling this issue, the approach I am discussing right now is, specifically, ways to "programmatically" shut down wifi internet access in a way that cannot be reversed by malware written by people unfamiliar with my system. Even if the malware is called "Windows" :) – EndangeringSpecies – 2012-03-05T18:25:41.467

If you have enough control to delete/change system files you can manage the WiFi connection in most cases. Are you saying you have no control over the software/hardware WiFi on the actual computer? – Dave M – 2012-03-05T19:54:02.410