A logic bomb is a very specific kind of malware that's waiting for an event to occur. And when that event occurs, it's usually something devastating that happens. That's why we call it a bomb, because it usually is deleting or removing information from systems. This is something that's often left by somebody who has a grudge. Maybe it's someone who was fired from an organization, or somebody that would like to do harm to another organization.

These are often time bombs, where you're waiting for a particular date and time to occur, and that's when the bomb goes off. Or it may be based on something that a user does. It waits for a backup process to occur, for example, and then the bomb goes off.

This is very difficult to identify, because it won't match a known signature in anti-virus or anti-malware software. And it's usually installed by somebody who has administrative access to the system.
One example of a real-world logic bomb occurred on March 19th of 2013 in South Korea. An email was sent to people inside of media organizations and banks, and it came as a bank email. It looked legitimate, people clicked the links that were inside that email, and malware was installed onto those systems. Then a day later, on March the 20th at 2:00 PM local time exactly, the malware logic bomb exploded and effectively deleted the boot records and rebooted the systems on those devices, which meant that when those systems rebooted at 2:00, they showed that a boot device was not found and that you needed to install an operating system on the hard disk. Many computers were affected, and a number of ATMs were affected as well, preventing anyone from accessing any of their funds through any of those ATMs.
A more dangerous logic bomb occurred on December 17th, 2016 at exactly 11:53 PM. This was in the Ukraine at a high-voltage substation, where a logic bomb began turning off the electrical circuits in the electrical system. It got into the systems that were controlling whether power was being provided to particular parts of the Ukraine, and began disabling those power systems at a pre-determined time. This logic bomb was specifically written for the Ukraine SCADA networks. These are the Supervisory Control and Data Acquisition networks that control the infrastructure for electricity. Normally those types of systems are completely disconnected from anything else, so this became a very difficult problem to solve and to prevent any type of logic bomb from occurring in the future.
Since it's difficult to identify a logic bomb using traditional anti-virus or traditional anti-malware signatures, one way that you can stop a logic bomb is by implementing a process and a procedure for change. You know that this system is not going to change unless someone has gone through the process for change control, and then you have to monitor that nobody has made any changes. If a file changes inside a SCADA system, it should alert and inform you that changes have been made. If there is a host-based intrusion detection system -- for instance, Tripwire, a very common piece of software for that -- it can notify the administrators that somebody has changed something on that computer. And of course, you can provide constant auditing of these systems so that you can perform your own tests to make sure that nothing has changed with the operating system or any of the applications that are running on any of those devices.
