Logic Bomb: what they are and how to prevent them
Estimated reading time: 6 minutes
A logic bomb, also called slug code , is a piece of code inserted into an application, virus or malware that implements a malicious function after a certain time limit or under conditions specifications.
These “bombs” are often used via viruses, worms and Trojans to better manage your time and do maximum damage before you are noticed . They perform actions such as corrupting or altering data, reformatting a hard drive, and deleting important files.
In this article I want to explain what a logic bomb is and offer some suggestions for preventing damage.
What is a logic bomb virus?
A logic bomb is often embedded in a virus or otherwise in an executable file. It consists of malicious code that triggers an attack when specific conditions are met. Conditions can be positive (something that happens) or negative (something that doesn’t happen). In the first case an example is that of opening a program, however, an example of a negative condition is a user who does not log in.
Logic bombs are often installed by someone with high level access, such as a sysadmin. Such a person can wreak havoc by setting these codes on multiple systems and programming them to “explode” simultaneously when a certain event occurs. For example, they could trigger when a certain employee is removed from the salary database, ie when he is fired.
The term slag code refers to manipulated code that makes an otherwise safe program malicious. The logic bomb time versions are the most common ones and use the passage of a certain amount of time as a positive condition.
Whatever the name used, the method of attack is clearly the same: the code remains dormant in the infected software until it is triggered . Common attacks involve data corruption, file deletion and hard drive wiping .
How does it work
How a logic bomb works depends on who designed it. Each logic bomb is unique, which is why they are difficult to track . They are usually customized to be as undetectable as possible. They are often disguised to look like a typical computer virus or embedded in other types of malware such as worms . Worms and viruses are different, but logic bombs don’t care about the distinction – they can cause damage through both.
Is a logic bomb actually malware? Since they are part of other programs, no, but they usually have malicious intent. This is why slag codes are so difficult to detect. Furthermore, being “only” code, potentially insertable anywhere, mitigating the risk is more complicated.
The best thing to do, as an end user who might be involved in a logic bomb attack, is to keep an eye out and ask your company’s IT experts to do the necessary checks if in doubt. The risk is to unintentionally trigger the bomb trying to find it.
Examples of attacks
Logic bombs can subtly change a snippet of code so that it appears technically normal to an automated threat detection system, while it would appear highly suspicious to the human eye. In 2016, a freelance programmer voluntarily caused a recurring spreadsheet malfunction at a subsidiary of the Siemens company. The subsidiary continued to hire him to solve the problem he had caused himself (Source). In this case, the employees did not suspect anything until a lucky coincidence forced the malicious code to come out.
Even companies can use logic bombs to hack their customers . In 2005, Sony was embroiled in a scandal for releasing CDs that triggered a logic bomb when inserted into a computer. The slag code contained on the CDs installed a rootkit that blocked the PC’s ability to copy CDs. (Source)
Another high-profile case occurred in the early 2000s, when a UBS Global employee, angered by a salary dispute, planted a logic bomb that caused more than $ 3 million worth of damage . A clear sign that a very small code snippet can cause a great deal of damage. (Source)
In 2013, a time bomb attack in South Korea wiped out the hard drives of several banks and broadcasting companies. The group responsible for the attack put the time bomb inside a piece of malware that ended up infecting over 32,000 systems . The bombs all exploded together, causing chaos across the country. (Source)
Where did they come from and how to prevent logic bombs
As we have also seen in the examples, logic bombs are typically distributed within a closed network, such as that of a company or branch. One of the likely sources is a disgruntled employee with administrator access , so careful monitoring of staff outbound activities should reveal any suspicious activity . But that’s not all, logic bombs can also be placed in email attachments and suspicious file downloads , so users should be vigilant when choosing which files to download.
As we saw when we talked about phishing and social engineering , the most hackable part of a system are often the users. This is why a preventive campaign is always an excellent choice. Taking care of the staff also means offering specific training through ethical phishing services.
In addition to prevention, it’s good to limit administrative privileges to a select group of employees so that someone is less likely to cause serious damage to your network with a logic bomb. This preventative method also reduces the number of suspects in the event of an attack, making belonging to that specific group of employees in itself a deterrent against internal attacks.
The solution proposed by SOD
Where prevention fails and hackers win, it is the ideal field for implementing advanced monitoring and analysis systems.
SOD offers, for example, a SIEM system in the SOC as a Service solution. The SIEM constantly collects information on what is happening in the network . This information is then enriched with contextual metadata to standardize and manage it better. Already this is capable of triggering alarms if some suspicious events occur. But if this were not enough, the SOC also has a “ User and Entity Behavior Analysis ” (UEBA) tool that analyzes user behavior and, thanks to the interaction of an AI, is able to identify suspicious behavior. .
If you want to know more about the SOC service we offer, or if you have any questions about how SOD can help you keep your business safe, don’t hesitate to contact us. We will be happy to answer any questions.
- The SOAR benefits: simplifying investigation and response
- Security Code Review: How the service works
- Integration of the automated response: the automations in SOCaaS
- Coordination between CTI and SOC: how to further raise the defenses
- New Cloud Server: redundant internet
- Quality certificate for the SOCaaS of SOD
- Managed Detection and Response: a new preventive approach
- CLUSIT: our collaboration for better services
- Backup as a Service (17)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (22)
- Conferenza Cloud (4)
- ICT Monitoring (5)
- Log Management (2)
- News (21)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (170)
- Web Hosting (15)
- What CISOs Can Do About Brand Impersonation Scam Sites February 3, 2023Apply these nine tips to proactively fight fraudulent websites that use your brand to rip people off.
- Iran-Backed Actor Behind 'Holy Souls' Cyberattack on Charlie Hebdo, Microsoft Says February 3, 2023The January attack was in retaliation for the satirical French magazine's decision to launch a cartoon contest to lampoon Iran's Supreme Leader.
- Scores of Redis Servers Infested by Sophisticated Custom-Built Malware February 3, 2023At least 1,200 Redis servers worldwide have been infected with "HeadCrab" cryptominers since 2021.
- How the Cloud Is Shifting CISO Priorities February 3, 2023The greatly expanding attack surface created by the cloud needs to be protected.
- MITRE Releases Tool to Design Cyber-Resilient Systems February 3, 2023Engineers can use the Cyber Resiliency Engineering Framework Navigator to visuzalize their cyber-resiliency capabilities.
- Hornetsecurity Combats QR Code Phishing With Launch of New Technology February 2, 2023
- Korelock Launches IOT Smart Lock Technology Company February 2, 2023Denver-based business secures Series A Funding through partnerships with Iron Gate Capital and Kozo Keikaku Engineering.
- Cyberattack on Fintech Firm Disrupts Derivatives Trading Globally February 2, 2023The Russia-linked LockBit ransomware group claims to be behind the attack that fouled automated transactions for dozens of clients of financial technology firm ION Group.
- 6 Examples of the Evolution of a Scam Site February 2, 2023Examining some key examples of recently found fraud sites that target the lucrative retail shoe industry helps us understand how brand impersonation sites evolve.
- Rising 'Firebrick Ostrich' BEC Group Launches Industrial-Scale Cyberattacks February 2, 2023The group's wanton attacks demonstrate that business email compromise is everything a hacker can want in one package: low risk, high reward, quick, easy, and low effort.
- Trovent Security Advisory 2203-01 / Micro Focus GroupWise transmits session ID in URL January 31, 2023Posted by Stefan Pietsch on Jan 30# Trovent Security Advisory 2203-01 # ##################################### Micro Focus GroupWise transmits session ID in URL ################################################# Overview ######## Advisory ID: TRSA-2203-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2203-01 Affected product: Micro Focus GroupWise Affected version: prior to 18.4.2 Vendor: Micro Focus, https://www.microfocus.com...
- APPLE-SA-2023-01-24-1 tvOS 16.3 January 27, 2023Posted by Apple Product Security via Fulldisclosure on Jan 26APPLE-SA-2023-01-24-1 tvOS 16.3 tvOS 16.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213601. AppleMobileFileIntegrity Available for: Apple TV 4K (all models) and Apple TV HD Impact: An app may be able to access user-sensitive data Description: This issue was addressed […]
- [SYSS-2022-047] Razer Synapse - Local Privilege Escalation January 27, 2023Posted by Oliver Schwarz via Fulldisclosure on Jan 26Advisory ID: SYSS-2022-047 Product: Razer Synapse Manufacturer: Razer Inc. Affected Version(s): Versions before 3.7.0830.081906 Tested Version(s): 3.7.0731.072516 Vulnerability Type: Improper Certificate Validation (CWE-295) Risk Level: High Solution Status: Open Manufacturer Notification: 2022-08-02 Solution Date: 2022-09-06 Public Disclosure:...
- t2'23: Call For Papers 2023 (Helsinki, Finland) January 24, 2023Posted by Tomi Tuominen via Fulldisclosure on Jan 23Call For Papers 2023 Tired of your bosses suspecting conference trips to exotic locations being just a ploy to partake in Security Vacation Club? Prove them wrong by coming to Helsinki, Finland on May 4-5 2023! Guaranteed lack of sunburn, good potential for rain or slush. In […]
- Re: HNS-2022-01 - HN Security Advisory - Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm January 24, 2023Posted by Marco Ivaldi on Jan 23Hello again, Just a quick update. Mitre has assigned the following additional CVE IDs: * CVE-2023-24039 - Stack-based buffer overflow in libXm ParseColors * CVE-2023-24040 - Printer name injection and heap memory disclosure We have updated the advisory accordingly: https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt Regards, Marco
- APPLE-SA-2023-01-23-8 Safari 16.3 January 24, 2023Posted by Apple Product Security via Fulldisclosure on Jan 23APPLE-SA-2023-01-23-8 Safari 16.3 Safari 16.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213600. WebKit Available for: macOS Big Sur and macOS Monterey Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: The issue was addressed with […]
- APPLE-SA-2023-01-23-7 watchOS 9.3 January 24, 2023Posted by Apple Product Security via Fulldisclosure on Jan 23APPLE-SA-2023-01-23-7 watchOS 9.3 watchOS 9.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213599. AppleMobileFileIntegrity Available for: Apple Watch Series 4 and later Impact: An app may be able to access user-sensitive data Description: This issue was addressed by enabling hardened […]
- APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3 January 24, 2023Posted by Apple Product Security via Fulldisclosure on Jan 23APPLE-SA-2023-01-23-6 macOS Big Sur 11.7.3 macOS Big Sur 11.7.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213603. AppleMobileFileIntegrity Available for: macOS Big Sur Impact: An app may be able to access user-sensitive data Description: This issue was addressed by enabling […]
- APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3 January 24, 2023Posted by Apple Product Security via Fulldisclosure on Jan 23APPLE-SA-2023-01-23-5 macOS Monterey 12.6.3 macOS Monterey 12.6.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213604. AppleMobileFileIntegrity Available for: macOS Monterey Impact: An app may be able to access user-sensitive data Description: This issue was addressed by enabling hardened runtime. CVE-2023-23499: […]
Estimated reading time: 6 minutes L'impatto crescente delle minacce informatiche, su sistemi operativi privati op… https://t.co/FimxTS4o9G
Estimated reading time: 6 minutes The growing impact of cyber threats, on private or corporate operating systems… https://t.co/y6G6RYA9n1
Tempo di lettura stimato: 6 minuti Today we are talking about the CTI update of our services. Data security is… https://t.co/YAZkn7iFqa
Estimated reading time: 6 minutes Il tema della sicurezza delle informazioni è di grande attualità in questo peri… https://t.co/tfve5Kzr09
Estimated reading time: 6 minutes The issue of information security is very topical in this historical period ch… https://t.co/TP8gvdRcrF