A logic bomb is one of the most difficult types of malicious software to protect against. In this video, you’ll learn about logic bombs and how real-world logic bombs have been used to create issues with our communication, financial, and power distribution networks.
A logic bomb is a very specific kind of malware that’s waiting for an event to occur and when that event occurs, it’s usually something devastating that happens. That’s why we call it a bomb, because it usually is deleting or removing information from systems. This is something that’s often left by somebody who has a grudge. Maybe it’s someone who was fired from an organization or somebody that would like to do harm to another organization.
These are often time bombs, where you’re waiting for a particular date and time to occur and that’s when the bomb goes off or it may be based on something that a user does. It waits for a backup process to occur, for example, and then the bomb goes off. This is very difficult to identify, because it won’t match a known signature that might be an anti-virus or anti-malware software and it’s usually installed by somebody who has administrative access to the system.
One example of a real world logic bomb occurred on March 19th of 2013 in South Korea. An email was sent to people inside of media organizations and banks and it came as a bank email. It looked legitimate and people clicked the links that were inside that email and malware was installed onto those systems.
Then a day later, on March the 20th at 2:00 p.m. Local time exactly, the malware logic bomb exploded and effectively deleted the boot records and rebooted the systems on those devices, which meant when those systems rebooted at 2 o’clock, it showed that a boot device was not found and that you needed to install an operating system on the hard disk. Many computers were affected and a number of ATMs were affected as well, preventing anyone from accessing any of their funds through any of those ATMs.
A more dangerous logic bomb occurred on December 17th 2016 at exactly 11:53 p.m. This was in the Ukraine at a high voltage substation, where a logic bomb began turning off the electrical circuits in the electrical system. It got into the systems that were controlling whether power was being provided to particular parts of the Ukraine and began disabling those power systems at a pre-determined time.
This logic bomb was specifically written for the Ukraine SCADA networks. These are the supervisory control and data acquisition networks that control the infrastructure for electricity. Normally those types of systems are completely disconnected from anything else. So this became a very difficult problem to solve and prevent any type of logic bomb from occurring in the future.
Since it’s difficult to identify a logic bomb using traditional anti-virus or traditional anti-malware signatures, one way that you can stop a logic bomb is by implementing a process and a procedure for change. You know that this system is not going to change unless someone has gone through the process for change control, and then you have to monitor that nobody has made any changes.
If a file changes inside a SCADA system, it should alert and inform you that changes have been made. If there’s a host based intrusion detection, for instance tripwires, a very common piece of software for that, it can identify the administrators that somebody has changed something on that computer and of course, you can provide constant auditing of these systems so that you can perform your own tests to make sure that nothing has changed with the operating system or any of the applications that are running on any of those devices.