Logic Bomb is a set of instructions secretly incorporated into a program so that if a particular condition is satisfied, they will be carried out, usually with harmful effects. It’s a malicious program that is triggered when a logical condition is met; such as after a number of transactions have been processed, or on a specific date (also called a time bomb). Logic Bombs – also known as slag code – are dormant until/unless those conditions are satisfied. While their uses are typically malicious – think a disgruntled employee leaving a present after being let go. Logic bombs can also be used in trial software to end free access after a certain period. A virus can act as a logic bomb if by example the virus waits until a specific date to run its destructive payload. Happy Birthday Joshi was a boot sector virus from 1990 that is able to infect hard drives. On January 5 of any year, the screen will turn green and the text “TYPE HAPPY BIRTHDAY JOSHI” will appear. The system will not respond until “HAPPY BIRTHDAY JOSHI” is typed. The 2003 CSI/FBI Computer Crime and Security Survey reports that disgruntled employees is the second likely source of attacks (77%), preceded only by hackers (82%). From 1980 to 1985, some software developers imbedded logic bomb into their software, set to destroy the software itself if the license was not renewed. Of course, today this practice is illegal, but people are still using logic bombs in other contexts to achieve their ends.
Triggering: The triggering is what relates this type of code to a real bomb. When setting up a bomb attacker would like to have some time to run away before it explodes. This could be done by setting a timer or by sending a radio signal to the bomb when attacker is out of danger. The same principle applies to a logic bomb. Attacker may plant a slag code somewhere in the financial system and tell it to “explode” 6 months from the current date. If attacker stills an employee at the target organization, then the attacker can add another 6 months to the counter, but if attacker been fired then the destructive payload will be unleashed. The most common triggers are
Specific date/time: The payload will be executed when the system clock is equal or higher than the specified date/time.
Countdown: This Works like the specific date/time trigger but does not rely on the system clock. Instead the trigger implements its own timer bases on the number of seconds elapsed since the logic bomb was activated. This is somewhat harder to implement, but also harder to diffuse. Most slag codes relying on a specific date/time trigger can be tricked by changing the internal clock of the system. This trick doesn’t really diffuse the bomb but can buy the defuse some time to find a way to actually disable it. In this case, changing the internal clock won’t alter the timer implemented into the slag code, so it won’t do any good. ·
Third party triggering: A time bomb can also be triggered by external scheduler software like Windows Scheduler or the Linux Cron. These kinds of slag codes are particularly easy to make since the triggering code is already available for the attackers. Attacker can, by example, create a batch file that formats the system drive and schedules it to run in a few weeks. ·
Reset: This trigger must be combined with one of the first three triggers. It’s simply a way to extend the time before the logic bomb actually goes off. For example in the movie Safe House an ex-government agent played by Patrick Stewart has life threatening information about his former employer. He puts in place a time bomb that sends all the information to different magazines and newspaper if he doesn’t enter the correct password each day. ·
State Changing: This one checks for changes on a specific entity before running the payload. If attackers name still in the HR database? If attackers account still active? Etc. It can monitor everything, to registry keys, passwords files, database entry, system configuration, etc. This type of attack can be launched from outside the company if the programmer manages to check an external web site for state changing.