
Logic Bombs

Douglas Smith
David Palmisano
What is a Logic Bomb?
 A logic bomb is a piece of code
intentionally inserted into a software
system that will set off a malicious function
when specified conditions are met.
More on Logic Bombs
 Criteria for “Logic Bombs”
 For code to be considered a ‘logic bomb’ the effects
of the code should be unwanted and unknown to the
software operator.
 Trial software that expires after a certain time is
generally not considered a logic bomb.
 Piggybacking
 Many viruses, worms, and other malicious code often
carry a logic bomb that “detonates” under given
conditions. This may help the code on its journey as it
worms through your system undetected.
A New Age of Crime
 Robbery at gunpoint has become
obsolete. Welcome to the new generation
of crime.
 Logic bombs for profit (monetary or
otherwise)
 Remote
 No getaway car
 Low fatality rate
 Wile E. Coyote syndrome a thing of the past
Emergence of the Logic Bomb
 Technology is directly proportional to the
need for security.
 The home computer was one of the
greatest technological advancements
since the wheel.
 Word Processing
 Pong
 The Virus
Emergence cont’d
 Time Bombs
 Detonates at a given time.
 Most well-known version of the logic bomb.
 Many of the first viruses released were time
bombs.
 Debuted in the 1980s (Friday the 13th virus)
 Michelangelo virus brought public focus to
viruses due to media coverage.
Attackers
 Most of the time, logic bombs are placed
in the system by insiders.
 Such as:
 Disgruntled employees
 Corporate Spies
 Also planted by remote users/systems
Possible Triggers for Logic Bombs?
 Lapses in time.
 Specific dates.
 Specific Commands
 Specific Actions in Programs
 “Still-there” logic bombs
 Remain in the system with compromising effects.
 Will run as instructed by its creator unless the creator
deactivates it.
 Payroll example.
Historic Attacks
 In June 1992, Michael Lauffenburger, an employee
of defense contractor General Dynamics,
was arrested for inserting a logic bomb that
would delete vital rocket project data. It was
alleged that his plan was to return as a highly
paid consultant to fix the problem once it
triggered. The bomb was stumbled on by
another employee of the company.
Lauffenburger was charged with computer
tampering and attempted fraud and faced
potential fines of $500,000 and jail time.
Historic Attacks
 In February 2000, Tony Xiaotong was
indicted before a grand jury, accused of
planting a logic bomb during his
employment as a programmer and
securities trader at Deutsche Morgan
Grenfell. The bomb had a trigger date of
July 2000, and was discovered by other
programmers in the company. Removing
and cleaning up after the bomb allegedly
took several months.
Victimization Prevention
 Do not allow any one person universal access to your
system.
 Separation of duties
 Always practice safe computing. Always use protection.
Antivirus software can significantly reduce the risk of
contracting a virus which may contain a logic bomb.
 New strains of logic bomb and virus programs are constantly being
created.
 Remember, if you believe your system may be
compromised by another entity (programmer, software or
other system), get tested to prevent the transmission of
dangerous code operations.
Defenses for Bombs
 Segregate operations from programming and testing.
 Institute a carefully controlled process for moving code into
production.
 Give only operations staff write-access to production code.
 Lock down your production code - source and executable – making
it close to impossible for unauthorized people to modify programs.
 Assign responsibility for specific production programs to named
positions in operations.
 Develop and maintain a list of authorized programmers who are
allowed to request implementation of changes to production
programs.
 Require authorization from the authorized quality assurance officer
before accepting changes to production.
 Keep records of exactly which modifications were installed when,
and at whose request.
Defenses for Bombs
 Use hash functions on entire files in the production library.
 Recompute all hashes against a secure table to ensure that no one
has altered production files without authorization and
documentation.
 Keep audit trails running at all times so that you can determine
exactly which user modified which file and when.
 If possible, ensure that audit trails include chained hash functions.
That is, the checksum on each record (which must include a
timestamp) is calculated not only on the basis of the record itself but
also using as input the checksum from the previous record.
Modifying such an audit trail is much more complicated than simply
using a disk editor to alter data in one or two records.
 Back up your audit files and keep them under high security.
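The chained-hash audit trail described in the list above, as an added example that is not part of the original slides. The record fields, the all-zero starting value and the sample users and paths are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed fixed starting value for the first record


def record_checksum(prev_checksum, timestamp, user, path, action):
    """SHA-256 over the record's fields, timestamp included, plus the previous checksum."""
    body = json.dumps([prev_checksum, timestamp, user, path, action])
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_record(trail, timestamp, user, path, action):
    """Append an audit record chained to the record before it."""
    prev = trail[-1]["checksum"] if trail else GENESIS
    trail.append({"timestamp": timestamp, "user": user, "path": path, "action": action,
                  "checksum": record_checksum(prev, timestamp, user, path, action)})


def first_broken_record(trail):
    """Return the index of the first record that fails verification, or None."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        expected = record_checksum(prev, rec["timestamp"], rec["user"],
                                   rec["path"], rec["action"])
        if not hmac.compare_digest(expected, rec["checksum"]):
            return i
        prev = rec["checksum"]
    return None


def head_checksum(trail):
    """Checksum of the newest record: the value to store with the secured backup."""
    return trail[-1]["checksum"] if trail else GENESIS


def build_sample_trail():
    """Constructed sample records (users, paths and times are made up)."""
    trail = []
    append_record(trail, "2002-08-21T09:00:00Z", "ops1", "/prod/payroll.bin", "install")
    append_record(trail, "2002-08-21T09:05:00Z", "dev7", "/prod/payroll.bin", "modify")
    append_record(trail, "2002-08-21T09:10:00Z", "ops1", "/prod/ledger.bin", "install")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    trail[1]["user"] = "ops1"          # a one-field edit, as with a disk editor
    print("first broken record:", first_broken_record(trail))
```

A chain in which every later checksum has been recomputed still verifies on its own, so the value from `head_checksum` has to be compared against the copy kept with the secured backup.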