Logic Bomb
By: Serafin Sanchez 3/21/08
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever leave the company.
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain malicious function at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates. Trojans that activate on certain dates are often called time bombs.
To be considered a logic bomb, the malicious function should be unwanted and unknown to the user of the software.
The most common activator for a logic bomb is a date. The logic bomb checks the system date and does nothing until a pre-programmed date and time are reached. At that point, the logic bomb activates and executes its code.
A logic bomb could also be programmed to wait for a certain message from the programmer. The logic bomb could, for example, check a web site once a week for a certain message. When the logic bomb sees that message, or when the logic bomb stops seeing that message, it activates and executes the code.
The most dangerous form of the logic bomb is one that activates when something doesn't happen. Imagine a suspicious and unethical system administrator who creates a logic bomb which deletes all of the data on a server if he doesn't log in for a month. The system administrator programs the logic bomb with this logic because he knows that if he is fired, he won't be able to get back into the system to reset his logic bomb. One day on his way to work, the unethical system administrator is hit by a bus. Three weeks later, his logic bomb goes off and the server is wiped clean. The system administrator meant for the logic bomb to explode if he was fired; he did not foresee that he would be hit by a bus.
Some logic bombs can be detected and eliminated before they execute through a periodic scan of all computer files, including compressed files, with an up-to-date anti-virus program. For best results, the auto-protect and e-mail screening functions of the anti-virus program should be activated by the computer user whenever the machine is online. In a network, each computer should be individually protected, in addition to whatever protection is provided by the network administrator. Even this precaution does not guarantee 100-percent system immunity.
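Anti-virus scanning looks for known malicious files; for in-house code, a reviewer can also look directly for the date activator described above. The following is an added example, not part of the original article: a small static check that parses Python source and reports destructive file calls placed under an `if` whose condition reads the system clock. The function names, the two name lists and the sample source are assumptions made for illustration.

```python
import ast

# Assumed, illustrative name lists (not from the article); tune per code base.
CLOCK_CALLS = {"today", "now", "utcnow", "time"}
DESTRUCTIVE = {"remove", "unlink", "rmtree", "rmdir", "truncate"}

def _call_name(call):
    """Return the last name in a call target, e.g. 'rmtree' for shutil.rmtree()."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None

def _calls_in(roots, names):
    """Yield every Call node under `roots` whose name is in `names`."""
    for root in roots:
        for node in ast.walk(root):
            if isinstance(node, ast.Call) and _call_name(node) in names:
                yield node

def find_time_gated_deletes(source):
    """Return sorted (if_line, call_line, call_name) tuples for destructive
    calls placed under an `if` whose condition reads the system clock."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.If) and any(_calls_in([node.test], CLOCK_CALLS)):
            for call in _calls_in(node.body + node.orelse, DESTRUCTIVE):
                findings.add((node.lineno, call.lineno, _call_name(call)))
    return sorted(findings)

# Constructed sample source for review; it is only parsed, never executed.
SAMPLE = '''
import datetime, os, shutil

def nightly_cleanup(tmp_dir):
    shutil.rmtree(tmp_dir)            # unconditional cleanup: not flagged

def rotate(report_dir):
    if datetime.date.today() >= datetime.date(2030, 1, 1):
        shutil.rmtree(report_dir)     # delete gated on the date: flagged
    if os.path.exists("stale.lock"):
        os.remove("stale.lock")       # gated, but not on the clock
'''

if __name__ == "__main__":
    for if_line, call_line, name in find_time_gated_deletes(SAMPLE):
        print(f"review: if at line {if_line} gates {name}() at line {call_line}")
```

Each finding is a prompt for human review, since legitimate retention or log-rotation code can match the same pattern. The check does not follow a clock value that is stored in a variable before the `if`.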