A logic bomb is a snippet of malicious code intentionally inserted into other software. It lies dormant until a condition it watches for is met; for example, a bomb keyed to the deactivation of its author's user account can fire the day that employee is let go and wreak havoc on your network. Logic bombs can be hidden inside malware, but most documented logic bomb attacks are carried out by malicious insiders with access to high-level systems and source code.
One of the most high-profile logic bomb attacks was carried out by a programmer working as a contractor for Siemens, who planted logic bombs inside spreadsheet software he was being paid to develop and maintain. Whenever a bomb went off and the spreadsheets started malfunctioning, Siemens would call the same programmer back in to fix the problem he had secretly caused. In addition to financial motives, logic bomb attacks are often a form of revenge when a sysadmin or developer is fired or denied a promotion.
Logic bombs are bits of malicious code hidden inside other programs. They can be activated by either a positive trigger or a negative trigger. A positive trigger fires when a certain condition is met: an action takes place within a program, a specific file is opened, or a date is reached. A negative trigger fires when a condition is not met, such as when a particular user has not logged in by a specified time (the classic pattern for an insider who expects to be fired). What the bomb does when triggered depends on the bombmaker. Common payloads include file deletion, hard drive wipes, data corruption, and data exfiltration.
Because logic bombs live inside legitimate programs and do nothing until triggered, they are extremely difficult to detect on your network: there is no malicious process to spot and no unusual traffic until the payload runs. Most companies will not realize malicious code is hiding in their software or infrastructure until the bomb has gone off. There are ways to prevent logic bomb attacks, which we'll get into later, but the first step is understanding what you're up against.
Beyond this basic definition of logic bombs, there are some key characteristics to help you identify this type of attack.
Though logic bombs are malicious code, they are usually distinguished from malware in the narrow sense. A virus or worm is a self-contained program that propagates and runs on its own; a logic bomb is a fragment that has to be inserted into an existing program or process and only runs when that host runs and its trigger condition is satisfied. A logic bomb may be carried inside a virus or worm as part of its attack strategy, but it is more typically inserted into a legitimate program by someone with knowledge of and access to the system and network, such as a disgruntled systems administrator or developer.
Time bombs are a type of logic bomb. A time bomb is a malicious piece of code that activates at a specific date and time or after a certain amount of time has elapsed. Its only trigger is the clock, so unless it is found and removed beforehand it will go off regardless of what else happens on the system; no user action or other condition needs to be met (or fail to be met).
Generally, the term logic bomb is reserved for intentionally malicious code, but the same trigger mechanism has legitimate (or at least accepted) uses. If you have ever used free trial software that deactivates after a certain number of days unless you purchase a license, you have seen the mechanism in action: the code is triggered by a condition not being met (you did not enter a license key within the specified period). It is not called a logic bomb because the behaviour is disclosed to the user and it disables only the vendor's own product rather than damaging your system or data. The practical consequence for reviewers is that a date or account check by itself is not suspicious; what matters is what the branch does when the condition fires.
There are two primary types of logic bomb attack that you need to understand if you're going to adequately protect yourself against them: bombs delivered as a component of malware, and bombs planted by an insider with access to your code or systems.
Logic bombs that arrive as part of malware are prevented the same way as any other malware. You need a trusted antimalware solution on your endpoints and servers, a robust firewall and intrusion detection system on your network, and comprehensive patch management to close known vulnerabilities before they can be used to plant code. You should also routinely conduct security awareness training for your staff and leadership so they know how to avoid downloading malware that could carry a logic bomb.
Preventing logic bomb attacks by insiders is trickier, because the attacker already has legitimate access. As part of your development cycle, experienced developers and quality assurance analysts should perform internal code reviews, and every change should be reviewed by at least one person other than its author, with more eyes on code that runs with elevated privileges, on schedules, or with access to production data. Reviewers should look specifically for conditionals keyed to dates, elapsed time, usernames, or account status that guard destructive or unexplained behaviour, since those are the shapes a trigger takes. These reviews should extend to external dependencies and third-party code: pin and verify what you pull in, and keep tight control over your software supply chain so nothing malicious is added to your code base through a package or build step.
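The review advice above can be partly automated. The following is an added example, not code from the original article: a small heuristic scanner that walks a Python source file's AST and flags any `if` whose condition references time or identity (the positive and negative triggers and the time bombs described earlier) and whose branches call a destructive file or shell operation. The embedded sample source is constructed for the demonstration and contains a date-based time bomb, a negative trigger keyed to a user account, and a trial-expiry check of the same shape that is not flagged because it destroys nothing. The identifier lists are an assumption to be tuned per code base, and the tool is a review aid, not a detector of every possible bomb.

```python
import ast
from dataclasses import dataclass

# Identifiers that suggest a condition keyed on the clock or on who is logged in.
# Assumption: this list is illustrative; tune it to the code base being reviewed.
TRIGGER_NAMES = {
    "date", "datetime", "today", "now", "time", "strftime",
    "getuser", "getlogin", "USER", "USERNAME",
}
# Calls that delete data or hand a string to a shell.
DESTRUCTIVE_CALLS = {
    "os.remove", "os.unlink", "os.rmdir", "shutil.rmtree",
    "os.system", "subprocess.call", "subprocess.run", "subprocess.Popen",
}


@dataclass
class Finding:
    line: int      # line of the destructive call
    trigger: str   # trigger-related identifiers seen in the guarding condition
    call: str      # dotted name of the destructive call


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def trigger_tokens(test):
    """Identifiers in a condition that look like a time- or identity-based trigger."""
    found = set()
    for sub in ast.walk(test):
        if isinstance(sub, ast.Name) and sub.id in TRIGGER_NAMES:
            found.add(sub.id)
        elif isinstance(sub, ast.Attribute) and sub.attr in TRIGGER_NAMES:
            found.add(sub.attr)
    return found


def destructive_calls(stmts):
    """Yield (line, dotted name) for every destructive call under the given statements."""
    for stmt in stmts:
        for sub in ast.walk(stmt):
            if isinstance(sub, ast.Call):
                name = dotted_name(sub.func)
                if name in DESTRUCTIVE_CALLS:
                    yield sub.lineno, name


def scan_source(source):
    """Flag every `if` whose test is time/identity based and whose branches delete data."""
    findings, seen = [], set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If):
            continue
        triggers = trigger_tokens(node.test)
        if not triggers:
            continue
        # Check both branches: a negative trigger often puts the payload in `else`.
        for line, call in destructive_calls(node.body + node.orelse):
            if (line, call) not in seen:
                seen.add((line, call))
                findings.append(Finding(line, ",".join(sorted(triggers)), call))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input: two planted triggers and one legitimate expiry check.
SAMPLE = '''
import os, shutil, datetime, getpass

def nightly_cleanup(tmp_dir):
    # (1) time bomb, positive trigger: fires once a fixed date is reached
    if datetime.date.today() >= datetime.date(2030, 1, 1):
        shutil.rmtree("/srv/data")
    for f in os.listdir(tmp_dir):               # unconditional, legitimate cleanup
        os.remove(os.path.join(tmp_dir, f))

def rotate_logs(last_login):
    # (2) negative trigger: fires when the author's account has stopped logging in
    if "bob" not in last_login and getpass.getuser() != "bob":
        os.system("rm -rf /var/log/app")

def check_license(expiry):
    # (3) trial expiry: same conditional shape, but nothing destructive happens
    if datetime.date.today() > expiry:
        return False
    return True
'''

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in scan_source(src):
        print(f"line {f.line}: {f.call} guarded by a condition using {f.trigger}")
```

Run with a path to scan a real file, or with no arguments to scan the embedded sample; on the sample it reports the `shutil.rmtree` and `os.system` calls and stays silent on the unconditional cleanup loop and the license check. Treat hits as review prompts: the reviewer still has to read the branch and ask why a delete should depend on the date or on who is logged in.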