A LOGIC BOMB is a malicious piece of code that executes when a predetermined set of conditions has been met. It is usually accompanied by other types of malware, collectively known as payloads, that are invoked at a later date to guarantee the success of the logic bomb's author. The criteria needed for such a threat to "detonate" are usually time-related, but this should in no way be considered a limitation of its design.
It is not uncommon to encounter a logic bomb in an enterprise or corporate environment. This is especially true when employees are reprimanded, furloughed, terminated or passed over for a promotion. Before access to the organization's premises can be revoked, the disgruntled employee may embed code within a system that will trigger upon a specific event.
A logic bomb can be implemented in many different ways. The embedded SQL approach is arguably the most popular: code lies dormant for a specified period of time and, once invoked, begins to alter the database in which it was deployed.
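A defender's counterpart to the embedded SQL approach is to review the stored procedures and triggers already present in a database for the combination the paragraph describes: a hard-coded calendar date compared against the database clock, next to a statement that destroys data wholesale. The scanner below is an added example, not code from the original article or from any product; the routine names, table names and the date in the constructed sample are hypothetical, and the body text stands in for what a query against the database's routine catalogue would return.

```python
import re
from typing import Dict, List

# Constructed sample: three routine definitions as they might be pulled from a
# database's routine/trigger catalogue. Names, tables and the date are
# hypothetical; the middle one models the dormant, date-gated pattern the
# article describes, the other two are ordinary housekeeping that should not fire.
SAMPLE_DEFINITIONS = {
    "trg_audit_orders": """
        CREATE TRIGGER trg_audit_orders AFTER INSERT ON orders
        FOR EACH ROW
          INSERT INTO orders_audit (order_id, created_at) VALUES (NEW.id, NOW());
    """,
    "sp_nightly_cleanup": """
        CREATE PROCEDURE sp_nightly_cleanup()
        BEGIN
          IF CURDATE() >= '2031-06-01' THEN
            DELETE FROM customers;
            DROP TABLE transactions;
          END IF;
        END
    """,
    "sp_purge_old_sessions": """
        CREATE PROCEDURE sp_purge_old_sessions()
        BEGIN
          DELETE FROM sessions WHERE last_seen < NOW() - INTERVAL 30 DAY;
        END
    """,
}

# Functions that read the database clock, across common SQL dialects.
CLOCK = r"\b(?:CURDATE|CURRENT_DATE|CURRENT_TIMESTAMP|NOW|GETDATE|SYSDATE|UTC_TIMESTAMP)(?:\s*\(\s*\))?"
# A quoted calendar date, optionally with a time of day.
DATE_LIT = r"'\d{4}-\d{2}-\d{2}(?:[ T]\d{2}:\d{2}(?::\d{2})?)?'"
OP = r"(?:>=|<=|<>|!=|=|>|<)"

# A clock function compared against a hard-coded date, in either order. Relative
# retention logic (NOW() - INTERVAL ...) deliberately does not match.
TIME_GATE = re.compile(
    rf"(?:{CLOCK}\s*{OP}\s*{DATE_LIT})|(?:{DATE_LIT}\s*{OP}\s*{CLOCK})",
    re.IGNORECASE,
)

# Statements that drop objects or rewrite a whole table without a WHERE clause.
DESTRUCTIVE = re.compile(
    r"\b(?:DROP\s+(?:TABLE|DATABASE|SCHEMA)\s+\w+"
    r"|TRUNCATE\s+(?:TABLE\s+)?\w+"
    r"|DELETE\s+FROM\s+\w+\b(?!\s+WHERE\b)"
    r"|UPDATE\s+\w+\s+SET\b(?![^;]*\bWHERE\b))",
    re.IGNORECASE,
)


def scan_definitions(definitions: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Return, per routine, the time gates and destructive statements found,
    listing only routines that contain at least one of each."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for name, body in definitions.items():
        gates = [m.group(0).strip() for m in TIME_GATE.finditer(body)]
        damage = [m.group(0).strip() for m in DESTRUCTIVE.finditer(body)]
        if gates and damage:
            findings[name] = {"time_gate": gates, "destructive": damage}
    return findings


if __name__ == "__main__":
    for name, detail in scan_definitions(SAMPLE_DEFINITIONS).items():
        print(f"{name}: gated by {detail['time_gate']}, performs {detail['destructive']}")
```

The scanner is a triage aid, not a verdict: it reports `sp_nightly_cleanup` and stays quiet on the audit trigger (which only calls `NOW()` as a value) and on the session purge (a relative retention window with a `WHERE` clause). A legitimate migration that is scheduled for a fixed date will also be reported, which is acceptable because such a routine deserves a human look anyway.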
Notable logic bomb attacks occurred at least three times in South Korea between 2010 and 2013, targeting banks and broadcasting companies. The targets in those cases were machines running some version of the Windows operating system. This should come as no surprise, since most malware developers favor Windows over Unix-based systems. The most recent of these attacks used payloads that were activated by timers closely synced to the clocks of the targeted systems.
At exactly 2 PM (14:00 in military time) on March 12, 2013, the logic bomb was invoked and began performing the tasks it was created to do. It began deleting the file systems on every machine. It was also discovered that certain data packets had been sent to an external location, leading some experts to believe that the deletion of the file systems was meant to cover the hacker's tracks. This, however, has yet to be proven.
Finally, the attack ended with the deletion of each machine's Master Boot Record (MBR), corrupting the operating system and forcing the system to reboot. Users who tried booting their systems afterward were greeted with an error message prompting them to install their operating system. The amount of data recovered from this attack was never released, but the goal of the attacker was clear: the sourcing of information and the level of structural damage meant that a subsequent attack might very well occur.
Individuals can also be the victims of a logic bomb. As in the instance above, these are normally users of Windows devices, and the common methods of baiting them into triggering such attacks are usually centered around phishing. It is important to emphasize that a logic bomb does not necessarily require installation. It only needs to be downloaded onto a system, preferably away from files and software that users regularly interact with. With a stable Internet connection, the code can be triggered remotely.
Logic Bomb Prevention
As with most forms of malware, so long as it does not operate at the level of the operating system, installing and using an antivirus (AV) program goes a long way. These programs will often prevent active elements in your email from self-executing. If you do not want to use an antivirus program, you need to make sure that any freeware or shareware installed on your computer is authenticated. This can be done by checking the MD5 checksum of a download against the value the publisher lists.
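The checksum check described above, as an added example that is not part of the original article: it reads the `<hex>  <filename>` listing that `md5sum`/`sha256sum` produce, hashes the downloaded file in chunks, and compares the two digests in constant time. It goes slightly beyond the paragraph by accepting SHA-256 as well as MD5, since that is what most projects publish today. The file names, the checksum listing and the file contents are constructed for the demonstration; the only real values are the MD5 and SHA-256 digests of the bytes `abc`, which are standard test vectors.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict

# Digest algorithms accepted by the checker. MD5 is what the article names and
# what many older download pages still publish; SHA-256 is the default here
# because it is what most projects publish today.
SUPPORTED = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so a large installer need not fit in memory."""
    hasher = SUPPORTED[algorithm]()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            hasher.update(chunk)
    return hasher.hexdigest()


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse '<hex>  <filename>' lines as written by md5sum/sha256sum.
    A leading '*' on the filename marks binary mode and is dropped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, filename = parts
        entries[filename.lstrip("*")] = digest.lower()
    return entries


def verify_download(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published one."""
    actual = file_digest(path, algorithm)
    # compare_digest runs in constant time; lower-casing tolerates vendor pages
    # that print digests in upper case.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def write_sample_file(content: bytes, name: str = "installer.bin") -> str:
    """Write constructed bytes into a fresh temp dir and return the path
    (a stand-in for a file the user just downloaded)."""
    path = os.path.join(tempfile.mkdtemp(prefix="checksum-demo-"), name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


# Constructed checksum listing in sha256sum's format. The first digest is the
# real SHA-256 of the bytes b"abc"; the second is a hypothetical placeholder.
SAMPLE_SHA256SUMS = """
# sha256sum output (constructed for this example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.bin
0000000000000000000000000000000000000000000000000000000000000000 *other-tool.zip
"""


if __name__ == "__main__":
    untouched = write_sample_file(b"abc")
    altered = write_sample_file(b"abd")  # one byte changed after download
    published = parse_checksum_file(SAMPLE_SHA256SUMS)["installer.bin"]
    print("untouched download verifies:", verify_download(untouched, published))
    print("altered download verifies:  ", verify_download(altered, published))
```

The check is only as good as the source of the published digest: a checksum fetched from the same page as the download, over the same connection, detects a corrupted or swapped file but not a site whose download and listing were both replaced, which is why projects that sign their checksum files give the verifier something stronger to anchor on.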
Additionally, you should always avoid installing pirated software. These installers are usually riddled with malware and take advantage of a user's desperation for access to expensive software. Besides this, it is always a good idea to use spam and phishing filters for email. This will limit external access to your system.