Logic bombs are one of the oldest forms of malicious code, and the best-known early account of one dates from the Cold War in the 1980s. According to that account, the Soviet Union stole sophisticated industrial control software from a Canadian company for use in its own facilities, but the software had been secretly modified to contain a logic bomb. When it triggered at a preset time in 1982, the bomb drove turbines and valves outside their safe limits, building up pressure until a section of the Siberian gas pipeline exploded.
With the rise of newer threats such as APTs, ransomware and supply chain attacks, logic bombs may seem to have faded from view. Seen from the perspective of network security in the digital economy, however, the logic of the attack has never gone away, and the opportunities for it keep growing. Once a sensitive information system is delivered it generates substantial commercial value and is wrapped in multiple layers of security controls; at that point a logic bomb already sitting inside the delivered code is among the hardest attacks to detect and defend against.
1. What is a logic bomb?
A logic bomb is code that changes its behaviour and damages the target system when specific logical conditions are met. It is usually hidden inside a software system that otherwise functions normally. As long as the trigger condition is not satisfied the bomb stays dormant, the system runs well and the user notices nothing. Once the condition is satisfied the bomb “explodes”, with consequences ranging from damaged files and paralysed systems to, as in the pipeline case above, physical damage to hardware. Triggers come in several forms, including event triggers, time triggers and counter triggers.
Logic bombs are called “bombs” because the analogy with a physical bomb holds for both mechanism and effect. A real bomb needs a detonation condition, and a logic bomb needs a preset trigger condition; when that condition is met, the bomb goes off. The destructive potential is comparable; only the target differs.
A logic bomb can be planted not only in an enterprise’s application software but also in the firmware of computing hardware such as the motherboard, hard disk or CPU. Logic bombs are usually not contagious and do not self-replicate, but the trigger can be tied to almost any aspect of the carrier’s environment, so when and where it fires is hard to predict. Although logic bombs are sometimes delivered by a virus or other malware, more often they are implanted during development by insiders with privileged access to the system under attack, which is what makes them so hard to detect.
A logic bomb differs from a virus in that its defining feature is not how it spreads but how it is triggered. It can be carried by a virus, but it need not be: many logic bombs are simply hidden in regular software by the programmer who wrote it.
2. The danger of logic bombs
The trigger of a logic bomb (a piece of conditional logic that keeps state, such as a date, a counter or a heartbeat) generally takes one of two forms: a positive trigger or a negative trigger. A positive trigger fires when an event occurs; a negative trigger fires when an expected event does not occur.
Negative triggers are easy to understand through the insider threat, which is also the most common setting for a logic bomb. Suppose a disgruntled employee suspects they are about to be fired and plants a logic bomb on a company server that, unless the planter intervenes, will run a program at 10 a.m. that deletes the company’s valuable data. If the employee is not fired and keeps their access, they can reset or delete the bomb before it fires. The bomb doubles as a bargaining chip with the employer: if the employee is satisfied they defuse it, and if they are dismissed they let it go off.
The damage a logic bomb can do is broad: deleted files or wiped drives, ransom demands, acts of retaliation, data breaches and more. In practice the harm is bounded only by the skill and imagination of whoever designs it.
Some applications resemble logic bombs on the surface but are harmless. A free trial downloaded from the internet may stop working after 15 days, for example; the user was told so at download time, and the program causes no harm or loss. What distinguishes it from a bomb is disclosure and consent, not the presence of a time-based condition.
Time bombs are sometimes treated as a separate kind of attack, but they are a subset of logic bombs: a time bomb is a logic bomb whose trigger fires at a specific time. In some respects it is the easiest type to implement. Like a physical time bomb, it gives the attacker time to get clear before anything happens, which reduces the chance that they are suspected.
A passive trigger is a more complex variant of the time bomb: its deadline can be postponed or cancelled by an action from the planter, which creates a kind of “dead man’s switch”. Dead man’s switches originated in heavy machinery, where a control activates automatically if the operator dies, loses consciousness or lets go of the controls, and later appeared in software, for example when an account is flagged or automatically closed after a long period of inactivity. In a logic bomb the same mechanism means the payload fires because the planter stopped sending the signal that was holding it back.
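The three trigger types discussed above (the positive event trigger and negative trigger from section 2, and the time bomb and dead man’s switch just described), as an added example that is not part of the original article: a small Python simulation in which the payload is replaced by a harmless marker string. The class names, the 3-day heartbeat window and the simulated clock are the example’s own assumptions.

```python
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Callable, Optional

# Added illustration: the trigger logic of a logic bomb with the payload
# replaced by a harmless marker. All names and thresholds are assumptions.


def harmless_payload() -> str:
    """Stands in for the destructive action (delete, corrupt, ...)."""
    return "PAYLOAD_FIRED"


class PositiveTrigger:
    """Fires once a named event has been observed, e.g. an HR 'terminated' flag."""

    def __init__(self, event_name: str) -> None:
        self.event_name = event_name

    def should_fire(self, observed_events: set, now: datetime) -> bool:
        return self.event_name in observed_events


class TimeTrigger:
    """Classic time bomb: fires at or after a fixed instant."""

    def __init__(self, fire_at: datetime) -> None:
        self.fire_at = fire_at

    def should_fire(self, observed_events: set, now: datetime) -> bool:
        return now >= self.fire_at


class DeadMansSwitch:
    """Negative (passive) trigger: fires when the planter has NOT refreshed
    the heartbeat within `window`. Each refresh postpones the deadline."""

    def __init__(self, window: timedelta, last_heartbeat: datetime) -> None:
        self.window = window
        self.last_heartbeat = last_heartbeat

    def heartbeat(self, now: datetime) -> None:
        self.last_heartbeat = now

    def should_fire(self, observed_events: set, now: datetime) -> bool:
        return now - self.last_heartbeat > self.window


def run_check(trigger, observed_events: set, now: datetime,
              payload: Callable[[], str] = harmless_payload) -> Optional[str]:
    """One scheduled evaluation (think: a cron job). Returns the marker if fired."""
    return payload() if trigger.should_fire(observed_events, now) else None


def simulate_dead_mans_switch(days_refreshed: int, total_days: int,
                              window_days: int = 3) -> list:
    """Daily checks. The planter refreshes the heartbeat for the first
    `days_refreshed` days (still employed, still has access) and then stops."""
    start = datetime(2024, 1, 1, 10, 0)  # assumed planting time
    dms = DeadMansSwitch(timedelta(days=window_days), start)
    results = []
    for day in range(1, total_days + 1):
        now = start + timedelta(days=day)
        if day <= days_refreshed:
            dms.heartbeat(now)
        results.append(run_check(dms, set(), now))
    return results


def demo_positive_and_time() -> dict:
    """Positive and time triggers evaluated before and after their condition."""
    t0 = datetime(2024, 5, 31, 10, 0)
    t1 = t0 + timedelta(days=1)
    pos = PositiveTrigger("terminated")
    bomb = TimeTrigger(fire_at=t1)
    return {
        "positive_before_event": run_check(pos, {"login"}, t0),
        "positive_after_event": run_check(pos, {"login", "terminated"}, t0),
        "time_before": run_check(bomb, set(), t0),
        "time_at": run_check(bomb, set(), t1),
    }


if __name__ == "__main__":
    for day, outcome in enumerate(simulate_dead_mans_switch(5, 10), start=1):
        print(f"day {day:2d}: {outcome or 'dormant'}")
    print(demo_positive_and_time())
```

In the simulation the planter refreshes the heartbeat for five days and then loses access; with a three-day window the bomb stays dormant through day 8 and fires from day 9 onward. Nothing in the checking loop looks malicious on its own, which is the point: the danger is entirely in the condition, and that is what a reviewer has to find.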
3. How to detect and defend against logic bomb attacks
Logic bombs are particularly dangerous because the attack code may lie dormant for a long time. Even the best endpoint security software generally has a hard time spotting a dormant logic bomb, since until it triggers it does nothing observable.
Since some logic bombs are delivered by malware such as viruses, the baseline defence is to follow anti-malware best practices:
1. Beware of phishing emails; do not open or download attachments from unknown sources.
2. Do not download or install applications from unknown or unofficial sources, including browser toolbars, which are a common malware vector.
3. Install antivirus and endpoint security software and keep it up to date. At the same time, prepare for the case where an attack succeeds: take regular backups and have a disaster recovery plan, using backup tooling suited to the environment (VM-level backup for VMware or XenServer, for example), and verify periodically that the backups can actually be restored.
Anti-malware protection is not enough for every logic bomb, however, least of all one planted by an insider. Antivirus products also struggle when the bomb is ordinary-looking code inside a legitimate application, because there is no malware signature to match. The best way to detect malicious code embedded in an enterprise’s business software (whether placed deliberately by a disgruntled employee or introduced inadvertently through a third-party library) is effective control of the software development process with secure coding practices built in: review of every change by someone other than its author, security testing that every change must pass before the application is deployed, and access controls that prevent a single insider from unilaterally modifying what ships. Triggers are what a reviewer should look for, since a logic bomb’s payload is usually an ordinary operation (a delete, a privilege change) gated behind a condition that does not fit the surrounding code: a date comparison, a username or hostname check, or a counter that only fires after many runs.
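A review aid along the lines described above, added here as an example and not taken from the article or any product: a heuristic scanner that flags source lines where a trigger-like condition (date or time comparison, user or host check, run counter) sits within a few lines of a destructive call. The regular expressions, the six-line window and the three sample snippets are constructed for illustration; the output is a list of candidates for a human reviewer, not a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added review aid, not from the article: flag lines where a trigger-like
# condition sits within a few lines of a destructive call. Patterns, window
# size and the sample snippets below are constructed assumptions.

TRIGGER_PATTERNS = {
    # date/time comparisons: date.today() >= ..., time.time() > ..., now.month == 3
    "date-gate": re.compile(
        r"\b(?:datetime|date|time)\.[a-z_]+\([^)]*\)\s*(?:>=|<=|==|>|<)"
        r"|\.(?:year|month|day|weekday)\b\s*(?:==|>=|<=|>|<)"),
    # who/where am I running: user or host checks that gate a branch
    "identity-gate": re.compile(
        r"\b(?:getuser|getlogin|gethostname|USERNAME|HOSTNAME|USER)\b"),
    # run counters that only fire after N executions
    "counter-gate": re.compile(
        r"\b(?:count|counter|runs|n_?exec)\w*\s*(?:>=|==|>)\s*\d+"),
}

DESTRUCTIVE = re.compile(
    r"\b(?:rmtree|remove|unlink|rmdir|truncate|DROP\s+TABLE|os\.system|subprocess)\b",
    re.I)


@dataclass
class Finding:
    line: int   # 1-based line number of the gating condition
    kind: str   # which trigger pattern matched
    text: str   # the gating line, stripped


def scan_source(src: str, window: int = 6) -> list:
    """Report gating lines that have a destructive call on the same line or
    within the next window-1 lines."""
    lines = src.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        nearby = lines[idx:idx + window]
        if not any(DESTRUCTIVE.search(text) for text in nearby):
            continue
        for kind, pattern in TRIGGER_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(idx + 1, kind, line.strip()))
    return findings


# --- constructed sample inputs (not real code from any project) -------------
SAMPLE_SUSPECT = """\
import os, shutil, getpass
from datetime import date

def nightly_cleanup(path):
    # routine housekeeping, apparently
    if date.today() >= date(2025, 3, 1) and getpass.getuser() != "svc_backup":
        shutil.rmtree("/srv/data")
    os.remove(os.path.join(path, "tmp.lock"))
"""

SAMPLE_TRIAL = """\
from datetime import date
import sys
if date.today() > date(2025, 1, 15):
    print("trial period over")
    sys.exit(1)
"""

SAMPLE_BENIGN = """\
import os

def cleanup(path):
    os.remove(os.path.join(path, "tmp.lock"))
"""


if __name__ == "__main__":
    for name, sample in [("suspect", SAMPLE_SUSPECT), ("trial", SAMPLE_TRIAL),
                         ("benign", SAMPLE_BENIGN)]:
        print(name, scan_source(sample))
```

The suspect snippet is reported twice for line 6 (a date gate and an identity gate next to `rmtree`), while the trial-expiry snippet from section 2 is not reported at all: it has the same kind of date gate but nothing destructive nearby, which is exactly the distinction the article draws. Expect false positives on legitimate date-gated housekeeping; the scanner narrows what a reviewer reads, it does not replace the review, the tests or the access controls that stop one person from shipping code alone.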