• Happy holidays, folks! Thanks to each and every one of you for being part of the Tom's Hardware community!

Question Malware using disabled network card and disabled Bluetooth?

Status
Not open for further replies.

Oblivion77

Honorable
Jul 6, 2018
238
2
10,585
Dear all

I have an offline laptop which I use to backup my data.

1.
I have disconnected the laptop from my own network.
I have turned off the wifi function in Windows.
I have disabled network card and Network adapters in device manager.

Does the following malware exist?
A malware that gives backdoor access to my laptop using the laptops own network card – while still showing in Windows that:
Wifi function is off
Network card and Network adapters are disabled in device manager
The laptop being offline

2.
I have turned off Bluetooth function in Windows
I have disabled Bluetooth in device manager.

Does the following malware exist?
A malware that gives backdoor access to my laptop using the laptops own Bluetooth hardware – while still showing in Windows that:
Bluetooth function is off
Bluetooth disabled in device manager

3.
Would it reguire exceptional skill to create such a malware? Like NSA level?

Thank you
 
Last edited:
Dear all

When I press the power button on my laptop, it gets logged in Windows Event Viewer.

That way I know that the laptop has not been turned on by anyone other than me.

Then I saw that it's possible to clear these logs. So . . . . .

1.
What happens to the cleared logs in Event Viewer – are they completely gone?

2.
Are there other ways to find out if the laptop was turned on by someone other than me?

Thank you
 
Look in Reliability History/Monitor.

However, that said, if you are concerned about others turning on the laptop and accessing the apps, data, etc.
just set up a strong password to prevent others from logging into the laptop.

Even though the logs can be cleared that can be a permission granted only to the admin account.

You can set up other protections as well. E.g., setting to prevent booting via a USB drive.

In any case unless the user has a log on and actually logs in there is no way that I know of to determine if the laptop was physically powered on or not.

Overall, more information is needed with respect to the situation/environment and your security concerns.
 
Look in Reliability History/Monitor.
That does not show when system was turned on, or similar stuff?

However, that said, if you are concerned about others turning on the laptop and accessing the apps, data, etc.
just set up a strong password to prevent others from logging into the laptop.
Already has strong password
You can set up other protections as well. E.g., setting to prevent booting via a USB drive.
That was a great idea

Thank you
 
Presuming the user didn't start a background task under a system account to clear out the event logs (which... at that point you're computer is hosed and you should probably use the nuclear option), they'll leave an "Winlogon" event, ID 7002 entry for logging out at some point. However, the event only gives you the user's SID. To get the name, open "cmd" (make sure it's not PowerShell or Terminal) as an administrator and type in: wmic useraccount where sid="[insert SID here]" get name

Though if your account is the only one or is typically the only one using the computer, then it'll just show up as your name.
 
Already has strong password

It would appear that if another individual was turning on AND using the laptop that the password must be predictable or has been compromised. If this is a larger threat, like you have something in there someone is after it could well be this individual installed a keylogger or something while they had access to the PC.

I would change the password to something stronger and see if that other suspected individual logs in again.

Don't really know the age and type of laptop but can the battery be removed? If you take the battery and charger and hide them the laptop is basically a door stop without them.
 
  • Like
Reactions: Oblivion77
There is only one account / admin account
The password is very long and unique and with various symbols
Presuming the user didn't start a background task under a system account to clear out the event logs (which... at that point you're computer is hosed and you should probably use the nuclear option), they'll leave an "Winlogon" event, ID 7002 entry for logging out at some point. However, the event only gives you the user's SID. To get the name, open "cmd" (make sure it's not PowerShell or Terminal) as an administrator and type in: wmic useraccount where sid="[insert SID here]" get name

Though if your account is the only one or is typically the only one using the computer, then it'll just show up as your name.
That was a great idea aswell. Unless they have some kind of auto-delete set up, that deletes the log that shows they logged out. But that would be even more excessive than it already is...
 
Using the Command Prompt, Powershell, or some other coding language is just another way to cull out the data.

Many third party tools and utilities do much the same thing only dressed up a bit to provide an easier (?) end user interface or some variations in how the resulting data is presented.

Often more "eye candy" than anything else only with a price tag on what you could get yourself for little effort at no cost.

The code simply goes to the raw source data to search, filter, and repackage the information. DOS, Powershell, and other programming languages can be used.

Windows/Microsoft does so with many of their utilities. Still third party tools are created for and by those persons requiring a more customized look at things.

"Deleted in the folder?"

Yes

Similar code could be used to find and delete start and stop entries from the data wherever the data resides. Be the data in readable human form (text) or otherwise. Knowing how or being able to find the data is the first step. Not always an easy step.

That said, if someone has the skills to go into your computer, find, and delete data representing system starts, shutdowns, etc. by getting around admin logins and strong passwords then you probably cannot do much about that. Maybe lock the system into a safe perhaps when you are not using the laptop.

Frankly, discovering unidentified starts and stops is of limited value. Some could simply be related to update restarts and so forth. Or buggy software.

If someone is going to all that effort then I would be much more concerned about what may be being done between the startup and shutdown.....

Especially if a work laptop and your work involves sensitive matters - e.g., healthcare information, legal, financial.

In which case you should notifiy your employer's IT staff about such concerns.

Otherwise, if the laptop is personal I would not be concerned too much if at all. Barring someone covertly using the laptop for illegal and/.or immoral reasons.

That, within your circles, is only something you can address.
 
  • Like
Reactions: Oblivion77
Dear all

I have an offline laptop which I use to backup my data.

1.
I have disconnected the laptop from my own network.
I have turned off the wifi function in Windows.
I have disabled network card and Network adapters in device manager.

Does the following malware exist?
A malware that gives backdoor access to my laptop using the laptops own network card – while still showing in Windows that:
Wifi function is off
Network card and Network adapters are disabled in device manager
The laptop being offline

2.
I have turned off Bluetooth function in Windows
I have disabled Bluetooth in device manager.

Does the following malware exist?
A malware that gives backdoor access to my laptop using the laptops own Bluetooth hardware – while still showing in Windows that:
Bluetooth function is off
Bluetooth disabled in device manager

3.
Would it reguire exceptional skill to create such a malware? Like NSA level?

Thank you
1. No. Not without physical access to the laptop.

2. No.

3. No. Physical access overcomes all precautions outlined. Otherwise, if completely off-line with no "virtual" access, the device is safe.

Why do you ask?
 
Interesting....

Key being where, when, and how ESET obtains that information.

Noted that IP addresses are part of the Inspection Report.

Does ESET work, for example, f the device is not/was not connected to the network?
 
Hi ralston all i can say is you can see all the devices that go through my hub the top device in bold type which is in bold type is the only item connected by ethernet to the hub , all others are wi fi
 
I see a lot of Event Viewer, powershell, etc, etc.
All Windows specific.

What about if someone powers it up and boots from a Linux USB?
No trace in Windows at all, but all data on the drive is accessible.
 
I see a lot of Event Viewer, powershell, etc, etc.
All Windows specific.

What about if someone powers it up and boots from a Linux USB?
No trace in Windows at all, but all data on the drive is accessible.
I am aware of this method aswell.
I would disable "boot from USB" in bios

Other suggestions?

Thank you
 
1. No. Not without physical access to the laptop.

2. No.

3. No. Physical access overcomes all precautions outlined. Otherwise, if completely off-line with no "virtual" access, the device is safe.

Why do you ask?
Thank you for your reply

What if someone got access to the laptop, and transfered the mentioned malware from an USB?

Would it reguire exceptional skill to create such a malware? Like NSA level?
 
Let's keep all this to *one* thread and *only* one thread. Every possible aspect of the same supposed problem does not merit an entirely new thread.

And that's *all* this stuff.
 
Last edited:
Thank you for your reply

What if someone got access to the laptop, and transfered the mentioned malware from an USB?

Would it reguire exceptional skill to create such a malware? Like NSA level?
Yes, if someone has physical access to the laptop, then they could transfer malware to the device.

No, that does not take exceptional skills.

Second time these questions have been answered.

Are these specific questions or just a general concern?
 
Dear all

In recent times, there has been many stories about spycameras being placed in illicit places to spy on people when they are renting a room etc.

I was visiting a place one time, and that place had radiator valves like this, with a display:
https://dam.which.co.uk/SR20717-0011-00-front-2000x1500.jpg

My questions are:

1.
What is this kind of display / screen called?

2.
Could a spycamera record / film through the display from the other side?

Thank you
 
Status
Not open for further replies.