14 Preventative Steps Your Business Should Take Against Logic Bombs
What is a logic bomb?
A logic bomb is malicious code that is programmed into a computer network, operating system or software and designed to stay dormant until a specific condition is met. When that condition is met, the code (the logic bomb) is triggered, leading to corruption of data, deletion of files and wiping of hard drives.
The term itself refers to the code’s ‘explosion’ when a specific condition is met, for example a specific date, time or the opening of the software it is embedded in. The code is also known as ‘slag code’, ‘code bombs’ and ‘cyber bombs’, and the set of conditions that can trigger it is unlimited.
A famous example of a logic bomb being planted is the case of the Siemens Corporation. An employee named David Tinley, who had worked as a software provider for nearly a decade, planted a logic bomb in a company spreadsheet dedicated to managing equipment.
Another example of a logic bomb, implemented on Android devices, is the HackingTeam 2015 case. Following a series of events, RCS Android, which is regarded as one of the most advanced Android malware samples, was discovered. The malware can leak private conversations, GPS location and tracking information, take screenshots of online activity and hijack real-time calls.
Can it be classified as a malware?
Logic bombs are small code segments that are embedded into other programs, operating systems and computer networks. They may be malicious, but they are not technically classified as malware; the distinction between the two is a fine one. Logic bombs can be installed inside a worm, a virus or a stand-alone program, and their dormancy makes them harder to detect.
Unlike viruses and worms, which are often delivered to a system from an external source, a logic bomb is commonly inserted by someone already inside the system, for example a disgruntled employee.
How does it work?
The conditions that can set off a logic bomb can be categorised as positive or negative. Logic bombs coded with positive triggers set off harmful behaviour within the program once a condition is met, such as opening a specific file. Logic bombs coded with a negative trigger are designed to fire when a condition is not met, for example if the bomb is not deactivated in time. Either way, the effect on the software in which the bomb is hidden is far-reaching.
The consequences of a logic bomb can be highly destructive. In some cases, logic bombs have been used to wipe the servers of major financial organisations. Anything that can breach the servers of large-scale organisations can cause extensive further damage to the central operations of the affected organisation and its clients. It is therefore important as a business leader to be aware of such threats and of some defence strategies against them.
Although logic bombs are largely destructive by nature, non-malicious logic-bomb code is sometimes used for trial purposes. A common practice is to use trial versions of programs that enable certain access within an established time frame. This is referred to as trialware.
Like a logic bomb, trialware relies on a logical condition; unlike a logic bomb, however, its payload is known.
The different types of logic bombs
There are different types of logic bombs that hackers can employ in numerous ways:
- Backdoor: A backdoor is a mechanism programmed into a given piece of software that enables a user to access it in the future. This is commonly adopted to reduce the constant need to log in to a system and to give clients access if they have been locked out. Backdoors, however, can also have negative consequences, for example continued vendor access after a logic bomb has unknowingly been coded into the software in use and is waiting to be triggered.
- Trojan: Trojans are malicious software designed to be inconspicuous at first glance. Trojans are typically fitted with a backdoor feature to give hackers access to the targeted system in order to steal data and perform further malicious operations.
- Keylogger: In this case, a logic bomb may be dormant until a particular website is visited or an application is run. The logic bomb then triggers the keylogger, causing inputs to be recorded and transmitted to the hacker.
- Illegitimate software: In this case, harmful code that has been pre-installed into the software causes the logic bomb to ‘detonate’ automatically once the software is run.
The devices which can be affected
Just like malware, logic bombs can infect any device, regardless of the assumption that some devices are more secure than others.
Devices that can be affected are the following:
- Windows/PC – A successfully triggered logic bomb on a device running Windows will result in system failure, wiping of the hard drive or data manipulation.
- macOS – This system is regarded as more secure than many versions of Windows; however, connected software, plug-ins and add-ons may introduce security flaws. Commonly exploited features on macOS devices are third-party browsers and browser plug-ins such as Adobe Flash, Java and Reader.
- iPhones/iOS systems – iPhones are usually secure; however, the infection risk arises if the phone is ‘jailbroken’. Jailbreaking is the term for obtaining root functions to bypass the security limitations that usually prevent unapproved applications from running on the system. The user’s privilege over the operating system is escalated, making the device less secure and more attractive to hackers. Another exploitable weakness can be found in the WebKit browser engine, which Safari, the default browser, uses.
- Android phone devices – On Android phones, logic bombs are typically implemented through hackers gaining unauthorised permissions.
Preventative measures against logic bombs
Putting preventive measures in place will, of course, help protect your network or device against a logic bomb attack.
Some helpful measures include:
- Ensuring that each account on each host is accessible with unique passwords to limit failed login attempts.
- Ensuring that the system is securely configured.
- Providing users with the required level of authority to limit further access.
- Regularly patching systems to make it harder for intruders to escalate user privileges.
- Establishing a baseline of known processes running on each host at any given moment.
- Routinely comparing the baseline to real-time operations, which will help detect rogue processes on the system.
- Using software integrity checks to detect whether software has been modified or embedded with a logic bomb.
- Verifying all scheduled jobs.
- Reviewing logs to detect unusual activities.
- Making sure that all hosts, workstations and servers are fitted with up-to-date antivirus software that uses heuristic and pattern recognition for detection.
- Timetabling routine scans for connected devices. Files need to be regarded with careful scrutiny, as logic-bomb code can be hidden in compressed or zipped files.
- Making sure that all purchased software is the legitimate version and not pirated.
- Providing employees with cybersecurity awareness training to enable them to better detect phishing emails along with having a reporting protocol.
- Avoiding links in email attachments and other links which look suspicious.
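Two of the measures above, the software integrity check against a known baseline and the verification of scheduled jobs, as an added Python example that is not part of the original post. The paths, file contents and crontab lines are constructed samples; in practice the baseline would be taken from the approved build and the current state read from the host.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a file's content as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """Map each path to the hash of its content; `files` is {path: bytes}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_files(baseline: dict, current: dict) -> dict:
    """Classify files as modified, added or missing relative to a hash baseline."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "missing": sorted(p for p in baseline if p not in now),
    }


def unexpected_jobs(allowlist: set, crontab_text: str) -> list:
    """Crontab entries that are not on the approved list (comments and blanks skipped)."""
    lines = (ln.strip() for ln in crontab_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#") and ln not in allowlist]


# Constructed sample: the approved software as it looked when the baseline was taken.
BASELINE_FILES = {
    "/opt/inventory/macros/equip.bas": b"Sub Update()\n  Refresh\nEnd Sub\n",
    "/opt/inventory/report.py": b"print('report')\n",
}
# Constructed sample: the current state. The macro gained a date-conditional branch
# (a positive trigger in the article's terms) and an unreviewed script appeared next to it.
CURRENT_FILES = {
    "/opt/inventory/macros/equip.bas": b"Sub Update()\n  If Date > #1/1/2025# Then Call Extra\n  Refresh\nEnd Sub\n",
    "/opt/inventory/report.py": b"print('report')\n",
    "/opt/inventory/.cleanup.sh": b"#!/bin/sh\n# unreviewed\n",
}
# Constructed sample: approved scheduled jobs versus the crontab as found on the host.
ALLOWED_JOBS = {"0 2 * * * /opt/inventory/report.py"}
CRONTAB_TEXT = "# nightly report\n0 2 * * * /opt/inventory/report.py\n@reboot /opt/inventory/.cleanup.sh\n"

if __name__ == "__main__":
    print(compare_files(build_baseline(BASELINE_FILES), CURRENT_FILES))
    print(unexpected_jobs(ALLOWED_JOBS, CRONTAB_TEXT))
```

Any entry in `modified`, `added` or the unexpected-jobs list is a change that was not in the approved baseline and should be reviewed before the host is trusted again.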
We aim to advise our clients on the implementation of various specific cyber security methods, some of which will be more suitable than others depending on the type of business, to help ensure the cyber health of our clients’ systems.
We advise our clients (whether they are individual users or business owners) regarding various cyber threats that their businesses and operating systems may face. This includes increasing trends of certain threats and prevention methods that are cost effective and time saving.
Furthermore, business owners, employees and general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.
Securiwiser can conduct regular scans for your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can further explain detected vulnerabilities and risks in detail to our clients and provide the best course of action that will save your business time and money.