Tip

Investigating logic bomb attacks and their explosive effects

There are a lot of dirty and destructive pieces of software out there, but a logic bomb may cause some of the most damage. Triggered by just a small event, logic bombs can wreck computers, networks, and even an organization's precious profits. In this tip from our Ask the Experts

    Requires Free Membership to View

section, contributor Ed Skoudis explains how an enterprise can prepare for a hacker's detonation.


Listen to Ed Skoudis's tip

Download Ed Skoudis's logic bomb advice to your PC or favorite MP3 player.

A logic bomb is a nasty piece of software that is designed to cause some damage on a computer or network. Such an attack is triggered by a certain event or series of events; it could be something as simple as the passage of a certain amount of time or a given user logging in. For example, when the system clock on a target machine reaches a certain date and time… Bam! The critical data residing on it is destroyed, or maybe the computer crashes.

In investigations conducted by my network forensics consultancy, Intelguardians, we've seen several logic bomb situations in the wild. In one case that combines the above ideas with an interesting and common twist, an administrator set up a logic bomb designed to trigger if he didn't log in for 90 days. The organization had actually fired this admin for other reasons and had removed his access from the system. His logic bomb attack persisted, however, acting as a silent sentinel. After 90 days, the organization was faced with massive data destruction.

For more information

Learn more about application logic attacks.

Use threat modeling to secure the software development process.

Have an information security threat question of your own? Ask Ed.

In another case, an attacker submitted an extortion notice to a large stock-trading firm, threatening that its crucial trading systems -- responsible for tens of millions of dollars in commission per hour -- would be forced offline unless the firm paid $1 million to the attacker. The firm decided not to pay, and its systems did indeed come down for more than an hour, taking a heavy financial toll. After the firm coaxed the systems back to life, a second extortion notice arrived. In the second go-round, though, the attackers asked for a different amount, having shown that they could indeed cause damage. Did they raise their price to $5 million? $10 million? No, and here's the amazing psychological trick: They actually lowered the price to half a million dollars. After showing the power of their logic bomb and the financial destruction they could cause, reducing the price made the deal far more tempting to the stock-trading firm. The company ended up paying the extortion fee and later located the logic bomb, eradicating it from their environment.

To deal with logic bomb attacks, make sure your enterprise employs regular backups that are verified on a consistent basis. Secondly, make sure you have Hot Standby Router Protocol (HSRP) enabled on your routers, which will ensure connectivity even when first-hop routers fail. And, finally, identify the personnel in your management chain who should be informed in the case of extortion threats. Determine these critical decision makers in advance, so that they can be quickly notified if and when such nefarious activity does occur.

About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.

This was first published in July 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.