Logic Bombs – CompTIA Network+ N10-007 – 4.4

Logic bombs are difficult to identify and can cause significant damage. In this video, you’ll learn about logic bombs and how some real-world logic bombs caused problems for organizations.

<< Previous Video: Insider Threats Next: Rogue Access Points >>

A logic bomb is a very specific kind of malware that’s waiting for an event to occur. And when that event occurs, it’s usually something devastating that happens. That’s why we call it a bomb, because it usually is deleting or removing information from systems. This is something that’s often left by somebody who has a grudge.

Maybe it’s someone who was fired from an organization or somebody that would like to do harm to another organization. These are often time bombs where you’re waiting for a particular date and time to occur. And that’s when the bomb goes off. Or it may be based on something that a user does.

It waits for a backup process to occur, for example, and then the bomb goes off. This is very difficult to identify, because it won’t match a known signature that might be an anti-virus or anti-malware software. And it’s usually installed by somebody who has administrative access to the system.

One example of a real world logic bomb occurred on March 19th of 2013 in South Korea. An email was sent to people inside of media organizations and banks. And it came as a bank email. It looked legitimate, and people clicked the links that were inside that email and malware was installed onto those systems.

Then a day later, on March the 20th at 2:00 PM local time exactly, the malware logic bomb exploded and effectively deleted the boot records and rebooted the systems on those devices, which meant when those systems rebooted at 2:00, it showed that a boot device was not found and that you needed to install an operating system on the hard disk.

Many computers were affected, and a number of ATMs were affected as well, preventing anyone from accessing any of their funds through any of those ATMs. A more dangerous logic bomb occurred on December 17th, 2016 at exactly 11:53 PM. This was in the Ukraine at a high voltage substation where a logic bomb began turning off the electrical circuits in the electrical system.

It got into the systems that were controlling whether power was being provided to particular parts of the Ukraine, and began disabling those power systems at a pre-determined time. This logic bomb was specifically written for the Ukraine SCADA networks. These are the Supervisory Control and Data Acquisition Networks that control the infrastructure for electricity.

Normally those types of systems are completely disconnected from anything else, so this became a very difficult problem to solve and prevent any type of logic bomb from occurring in the future. Since it’s difficult to identify a logic bomb using traditional anti-virus or traditional anti-malware signatures, one way that you can stop a logic bomb is by implementing a process and a procedure for change.

You know that this system is not going to change unless someone has gone through the process for change control, and then you have to monitor that nobody has made any changes. If a file changes inside a SCADA system, it should alert and inform you that changes have been made.

If there is a host-based intrusion detection– for instance, tripwires, a very common piece of software for that– it can identify the administrators that somebody has changed something on that computer. And of course, you can provide constant auditing of these systems so that you can perform your own tests to make sure that nothing has changed with the operating system or any of the applications that are running on any of those devices.