There are a lot of dirty and destructive pieces of software out there, but a logic bomb may cause some of the most damage. Triggered by just a small event, logic bombs can wreck computers, networks, and even an organization's precious profits. In this tip from our Ask the Experts
section, contributor Ed Skoudis explains how an enterprise can prepare for a hacker's detonation.
A logic bomb is a nasty piece of software that is designed to cause some damage on a computer or network. Such an attack is triggered by a certain event or series of events; it could be something as simple as the passage of a certain amount of time or a given user logging in. For example, when the system clock on a target machine reaches a certain date and time… Bam! The critical data residing on it is destroyed, or maybe the computer crashes.
In investigations conducted by my network forensics consultancy, Intelguardians, we've seen several logic bomb situations in the wild. In one case that combines the above ideas with an interesting and common twist, an administrator set up a logic bomb designed to trigger if he didn't log in for 90 days. The organization had actually fired this admin for other reasons and had removed his access from the system. His logic bomb attack persisted, however, acting as a silent sentinel. After 90 days, the organization was faced with massive data destruction.
In another case, an attacker submitted an extortion notice to a large stock-trading firm, threatening that its crucial trading systems -- responsible for tens of millions of dollars in commission per hour -- would be forced offline unless the firm paid $1 million to the attacker. The firm decided not to pay, and its systems did indeed come down for more than an hour, taking a heavy financial toll. After the firm coaxed the systems back to life, a second extortion notice arrived. In the second go-round, though, the attackers asked for a different amount, having shown that they could indeed cause damage. Did they raise their price to $5 million? $10 million? No, and here's the amazing psychological trick: They actually lowered the price to half a million dollars. After showing the power of their logic bomb and the financial destruction they could cause, reducing the price made the deal far more tempting to the stock-trading firm. The company ended up paying the extortion fee and later located the logic bomb, eradicating it from their environment.
To deal with logic bomb attacks, make sure your enterprise employs regular backups that are verified on a consistent basis. Secondly, make sure you have Hot Standby Router Protocol (HSRP) enabled on your routers, which will ensure connectivity even when first-hop routers fail. And, finally, identify the personnel in your management chain who should be informed in the case of extortion threats. Determine these critical decision makers in advance, so that they can be quickly notified if and when such nefarious activity does occur.
About the author:
Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a Washington, DC-based information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project. As an expert on SearchSecurity.com, Ed answers your questions related to information security threats.
This was first published in July 2007