In investigations conducted by my network forensics consultancy, Intelguardians, we've seen several logic bomb situations in the wild. In one case that combines the above ideas with an interesting and common twist, an administrator set up a logic bomb designed to trigger if he didn't log in for 90 days. The organization had actually fired this admin for other reasons and had removed his access from the system. His logic bomb persisted, however, acting as a silent sentinel. After 90 days, the organization was faced with massive data destruction.
In another case, an attacker submitted an extortion notice to a large stock-trading firm, threatening that its crucial trading systems -- responsible for tens of millions of dollars in commission per hour -- would be forced offline unless the firm paid $1 million to the attacker. The firm decided not to pay, and its systems did indeed come down for more than an hour, taking a heavy financial toll. After the firm coaxed the systems back to life, a second extortion notice arrived. In the second go-round, though, the attackers asked for a different amount, having shown that they could indeed cause damage. Did they raise their price to $5 million? $10 million? No, and here's the amazing psychological trick: They actually lowered the price to half a million dollars. After showing the power of their logic bomb and the financial destruction they could cause, reducing the price made the deal far more tempting to the stock-trading firm. The company ended up paying the extortion fee and later located the logic bomb, eradicating it from their environment.
To deal with logic bombs, make sure your enterprise employs regular backups that are verified on a consistent basis. Secondly, make sure you have Hot Standby Router Protocol (HSRP) enabled on your routers, which will ensure connectivity even when first-hop routers fail. And, finally, identify the personnel in your management chain who should be informed in the case of extortion threats. Determine these critical decision makers in advance, so that they can be quickly notified if and when such nefarious activity does occur.
This was first published in June 2007