2
I am interested in ways to achieve bulletproof reversible disabling of the internet connection. E.g. I figure that if I just run "ipconfig /release", a smart trojan could re-enable the connection by doing the equivalent of "ipconfig /renew" via the appropriate Windows API. Perhaps other programmatic methods of turning off the connection could be defeated similarly by the trojan.
So would corrupting some underlying Windows dll work? First of all, is it even possible, without booting under Linux? Second, if it is possible, what dll would be a good target to mess up to get rid of networking while not affecting other essential Windows functionality?
ETA: thanks for the responses. I don't want to discuss the disabling-the-adapter approach because... because this question is not about that, and because if I can programmatically enable/disable something, then so can the trojan. The idea of removing network connectivity is not doable because there is no physical way to shut off the wifi adapter in my machine.
Downthread uSlackr said that Windows "will fix any system file". So, how would it fix it? Does it have backups in some identifiable location that could also be corrupted?
Are there other problems with the feasibility of this approach, other than Windows restoring the files?
ETA2: on second thought, would the wifi adapter's driver file, as opposed to the dlls of Windows itself, be a more convenient target?
1 Just disable your network adapter and you won't have any problems. If you're truly concerned, there is no non-destructive (read: way to enable/disable dynamically) way to do what you ask. If you're willing to do so, create a Windows image using RT7Lite, and remove all essential networking components. – Breakthrough – 2012-03-05T16:35:55.770
Windows will fix any system file you corrupt. Physically disconnecting from the network is not reversible without physical access. – uSlackr – 2012-03-05T16:41:42.923
uSlackr, thanks for the response, please see additional questions in main body – EndangeringSpecies – 2012-03-05T17:04:49.603
"if I can programmatically enable/disable something, then so can the trojan" -- I doubt that trojans go that far. Probably switching the device off in the BIOS would be enough. For a Windows-only approach, I would first disable automatic driver installation (I think the policy editor allows doing that) and then uninstall the network device. – Frg – 2012-03-05T17:18:23.733
How about just remove the infection? – Ramhound – 2012-03-05T17:36:48.050
That should do it. Stop the device, which really should be enough, then rename the .sys file for the device, then toss a dummy back in its place. Make a batch/switch to turn it on and off, and just have the changes be human-made (different). Put on tin foil hat and you're all set. I have not seen talk of, or descriptions yet of, a virus that would bother to think they even needed to turn the net itself on :-) Turning off the device (or switch on the modem) would be like taking the keys away from the car they drove in on :-) – Psycogeek – 2012-03-05T19:56:54.040
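The "batch/switch to turn it on and off" that Frg and Psycogeek sketch above, written out as an added PowerShell example (not code from any commenter): it disables every network device at the Plug and Play level rather than just releasing the DHCP lease, records which device instance IDs it touched so the same script can re-enable them, and then lists adapter state so you can confirm nothing is still Up. The state-file path is an assumption chosen for this example; the cmdlets used (Get-PnpDevice, Disable-PnpDevice, Enable-PnpDevice, Get-NetAdapter) ship with Windows 8 / Server 2012 and later, and the script must run from an elevated prompt.

```powershell
# Added example, not from the thread: reversible network cut-off via PnP device disable.
# Run as Administrator. Usage:  .\netswitch.ps1 -Mode Off | On | Status
param(
    [ValidateSet('Off', 'On', 'Status')]
    [string]$Mode = 'Status',
    # Assumption: where the list of disabled device IDs is kept between runs.
    [string]$StateFile = "$env:ProgramData\netswitch-disabled.txt"
)

function Get-NetDevices {
    # Every PnP device in the Net class: wired NICs, Wi-Fi, and virtual adapters.
    Get-PnpDevice -Class Net
}

switch ($Mode) {
    'Off' {
        # Only devices currently working ("OK") need disabling; remember them for re-enable.
        $active = Get-NetDevices | Where-Object { $_.Status -eq 'OK' }
        $active.InstanceId | Set-Content -Path $StateFile
        foreach ($dev in $active) {
            Write-Host "Disabling $($dev.FriendlyName)"
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }
    'On' {
        if (-not (Test-Path $StateFile)) {
            Write-Warning "No state file at $StateFile; nothing to re-enable."
        } else {
            foreach ($id in Get-Content -Path $StateFile) {
                Write-Host "Enabling $id"
                Enable-PnpDevice -InstanceId $id -Confirm:$false
            }
            Remove-Item -Path $StateFile
        }
    }
}

# Verification for every mode: any adapter still reporting 'Up' means the cut-off did not take.
Get-NetAdapter | Select-Object Name, Status, InterfaceDescription | Format-Table -AutoSize
```

Note that this only raises the bar in the way the question itself anticipates: the disable is done through a documented API with administrator rights, so malware running with the same rights can call Enable-PnpDevice (or the underlying SetupAPI) just as easily. Its value is as a quick, auditable, reversible switch for a machine you are investigating, combined with Frg's suggestion of blocking automatic driver installation so a removed device does not silently come back; it is not a substitute for pulling the cable or a hardware radio switch.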