Logic bombs

Definition

A logic bomb is a malicious piece of code intentionally inserted into a software system that remains dormant until a specific condition—such as a specific date, time, or the occurrence of a particular event—is met, at which point it executes a harmful action.


Main Content

1. The Trigger Mechanism

  • The trigger is the "fuse" of the logic bomb. It can be time-based (e.g., executing on New Year's Day) or event-based (e.g., when a specific user is deleted from the database).
  • Unlike viruses or worms, logic bombs do not necessarily replicate themselves; they are designed specifically to sabotage a host system at a predetermined moment.

2. Payload Execution

  • Once the trigger condition is met, the payload executes the intended malicious task.
  • Common payloads include deleting critical system files, corrupting databases, locking user access, or sending sensitive data to an unauthorized external server.

3. Stealth and Detection

  • Because logic bombs are typically bespoke code planted by insiders (employees or developers) who already have legitimate access, they carry no known malware signature and are notoriously difficult to detect using standard antivirus software.
  • They remain hidden within thousands of lines of legitimate code, often appearing as normal subroutines or system utilities.

[ Trigger Condition ] ----> [ Dormant State ] ----> [ Payload Activation ]
       (Input)                 (Waiting)               (Malicious Act)

Visual representation of the logic bomb lifecycle.


Working / Process

1. Code Injection

  • The attacker identifies a critical piece of the application's source code where they have administrative or developer-level access.
  • The malicious instructions are written and inserted into a module that runs with high privileges, ensuring the bomb has the power to do damage once triggered.

2. Dormancy and Observation

  • The code is "wrapped" in a conditional statement (e.g., an if-then statement). The system continues to run normally, ignoring the malicious code because the if condition is currently false.
  • The attacker monitors the environment to ensure the bomb remains undetected during system updates or security patches.

3. Triggering and Impact

  • The system environment reaches the state defined in the trigger. The if condition evaluates to true.
  • The processor executes the malicious command block, resulting in immediate disruption, data loss, or system failure.

Advantages / Applications

  • Logic bombs are sometimes used by software companies as "kill switches" to disable software if a client stops paying licensing fees (though this is often controversial and legally gray).
  • In cybersecurity red-teaming exercises, ethical hackers may create controlled logic bombs to test the responsiveness and recovery time of an organization’s incident response team.
  • They serve as a primary focus for studying "Insider Threats" in computer science, teaching students how to implement code reviews and version control to prevent unauthorized tampering.
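
As an added example (not part of these notes), a small code-review aid in Python: it parses a source file and flags every `if` whose condition references time- or identity-related names and whose branch calls a file-deletion or command-execution function, the "conditional wrapped around a payload" shape described under Stealth and Detection and in the code-review bullet above. The hint lists and the sample source are constructed for illustration; the heuristic is meant to shortlist branches for a human reviewer, not to prove anything malicious.

```python
import ast

# Heuristic hint lists, constructed for this example (not an exhaustive catalogue):
# identifiers that suggest a time- or identity-based trigger in an `if` test ...
TRIGGER_HINTS = {"datetime", "date", "time", "today", "now", "getuser", "environ"}
# ... and calls a reviewer would not expect to find gated behind such a test.
DESTRUCTIVE_CALLS = {"os.remove", "os.unlink", "os.system", "shutil.rmtree",
                     "subprocess.run", "subprocess.call", "subprocess.Popen"}

def _dotted_name(node):
    """Return 'pkg.attr' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def _mentions_trigger(test):
    """True if the condition references any identifier in TRIGGER_HINTS."""
    return any((isinstance(n, ast.Name) and n.id in TRIGGER_HINTS) or
               (isinstance(n, ast.Attribute) and n.attr in TRIGGER_HINTS)
               for n in ast.walk(test))

def find_suspicious_conditionals(source):
    """Return (lineno, condition, call) for each `if` whose test looks like a
    trigger and whose branches call something in DESTRUCTIVE_CALLS."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If) or not _mentions_trigger(node.test):
            continue
        for stmt in node.body + node.orelse:
            for sub in ast.walk(stmt):
                if isinstance(sub, ast.Call) and _dotted_name(sub.func) in DESTRUCTIVE_CALLS:
                    findings.append((node.lineno, ast.unparse(node.test), _dotted_name(sub.func)))
    return findings

# Constructed fixture: routine cleanup, a harmless gated branch, and a date-gated deletion.
SAMPLE = """\
import os, shutil, datetime
def cleanup(tmpdir):
    shutil.rmtree(tmpdir, ignore_errors=True)   # not gated: routine housekeeping
def run_report(db):
    if os.environ.get("DEBUG"):
        print("debug mode")                     # gated, but harmless
    if datetime.date.today() == datetime.date(2030, 1, 1):
        shutil.rmtree("/srv/data")              # gated destructive call: flagged
"""
```

Running `find_suspicious_conditionals(SAMPLE)` reports only the date-gated `shutil.rmtree` on line 7 of the fixture; the unconditional cleanup and the gated `print` are left alone.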

Summary

A logic bomb is a type of sabotage software that executes a destructive payload only when specific programmed conditions are satisfied. It is primarily a tool used in insider attacks to bypass traditional perimeter defenses. Key terms to remember include: Trigger, Payload, Dormancy, and Insider Threat.