A logic bomb is a very specific kind of malware that's waiting for an event to occur, and when that event occurs, it's usually something devastating that happens. That's why we call it a bomb, because it usually is deleting or removing information from systems. This is something that's often left by somebody who has a grudge. Maybe it's someone who was fired from an organization, or somebody that would like to do harm to another organization. These are often time bombs, where you're waiting for a particular date and time to occur and that's when the bomb goes off, or it may be based on something that a user does. It waits for a backup process to occur, for example, and then the bomb goes off. This is very difficult to identify, because it won't match a known signature that might be in anti-virus or anti-malware software, and it's usually installed by somebody who has administrative access to the system.

One example of a real-world logic bomb occurred on March 19th of 2013 in South Korea. An email was sent to people inside of media organizations and banks, and it came as a bank email. It looked legitimate, and people clicked the links that were inside that email, and malware was installed onto those systems. Then a day later, on March the 20th at 2:00 p.m. local time exactly, the malware logic bomb exploded and effectively deleted the boot records and rebooted the systems on those devices, which meant when those systems rebooted at 2 o'clock, it showed that a boot device was not found and that you needed to install an operating system on the hard disk. Many computers were affected, and a number of ATMs were affected as well, preventing anyone from accessing any of their funds through any of those ATMs.

A more dangerous logic bomb occurred on December 17th, 2016 at exactly 11:53 p.m. This was in the Ukraine at a high-voltage substation, where a logic bomb began turning off the electrical circuits in the electrical system. It got into the systems that were controlling whether power was being provided to particular parts of the Ukraine and began disabling those power systems at a pre-determined time. This logic bomb was specifically written for the Ukraine SCADA networks. These are the supervisory control and data acquisition networks that control the infrastructure for electricity. Normally those types of systems are completely disconnected from anything else. So this became a very difficult problem to solve, and to prevent any type of logic bomb from occurring in the future.

Since it's difficult to identify a logic bomb using traditional anti-virus or traditional anti-malware signatures, one way that you can stop a logic bomb is by implementing a process and a procedure for change. You know that this system is not going to change unless someone has gone through the process for change control, and then you have to monitor that nobody has made any changes. If a file changes inside a SCADA system, it should alert and inform you that changes have been made. If there's a host-based intrusion detection, for instance Tripwire, a very common piece of software for that, it can inform the administrators that somebody has changed something on that computer. And of course, you can provide constant auditing of these systems so that you can perform your own tests to make sure that nothing has changed with the operating system or any of the applications that are running on any of those devices.
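The change-monitoring idea described above (a baseline of what the system should look like, then an alert whenever something differs from it) can be shown with a small file-integrity check. This is an added example, not code from the video or from Tripwire: it hashes every file under a directory, keeps those hashes as a baseline, and reports anything added, modified or removed on a later pass. The directory layout and file names (a "control" tree with `hmi.cfg` and `poll.sh`) are constructed for the demonstration and do not come from any real SCADA product.

```python
"""Tripwire-style file-integrity baseline and comparison (added example).

A system under change control should only differ from its baseline when an
approved change was made; any other difference is something to investigate.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its hash."""
    state: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                state[path.relative_to(root).as_posix()] = hash_file(path)
    return state


def save_baseline(state: dict[str, str], baseline_file: Path) -> None:
    """Persist the baseline as JSON (keep the real copy off the monitored host)."""
    baseline_file.write_text(json.dumps(state, indent=2, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict[str, str]:
    return json.loads(baseline_file.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return the files that were added, removed or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake control directory, then change it outside change control."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "control"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "hmi.cfg").write_text("relay=closed\n")
        (root / "bin" / "poll.sh").write_text("#!/bin/sh\necho poll\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulated unapproved changes: one file edited, one added, one deleted.
        (root / "bin" / "poll.sh").write_text("#!/bin/sh\necho poll\n# extra line\n")
        (root / "bin" / "new_task.sh").write_text("#!/bin/sh\n")
        (root / "bin" / "hmi.cfg").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Any non-empty result from `compare` that does not line up with an approved change-control ticket is the alert the transcript talks about. Because the person planting a logic bomb usually has administrative access, the baseline file and the comparison job should live somewhere that account cannot quietly rewrite, for example on a separate monitoring host.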
