logic bombs slideshow

LOGIC BOMBS PRESENTED BY ANSARI RAANA TABASSUM C-302, SAKHEE VINAYAK BICHU C-306

Upload: sakheebichu

Post on 18-Nov-2014

TRANSCRIPT

Page 1: Logic Bombs Slideshow

LOGIC BOMBS

PRESENTED BY ANSARI RAANA TABASSUM C-302, SAKHEE VINAYAK BICHU C-306

Page 2: Logic Bombs Slideshow

INTRODUCTION

Page 3: Logic Bombs Slideshow

WHAT IS A LOGIC BOMB

It is a piece of computer code that executes a malicious task, such as clearing a hard drive or deleting specific files, when it is triggered by a specific event.

It is also called slag code because all that's left after it detonates is computer slag.

It's not the same thing as a virus, although it often behaves in a similar manner.

Page 4: Logic Bombs Slideshow

Contd.

The logic bomb is secretly inserted into the code of a computer's existing software, where it lies dormant until that event occurs.

The payload of a logic bomb is usually pretty devastating to the company under attack.

There are some virus types that are considered logic bombs because they have a time-and-date trigger.

Page 5: Logic Bombs Slideshow

Contd.

A logic bomb stays within the network in which it was inserted, making it much easier to create than a virus.

All it needs to do is execute a task; it doesn't need to reproduce, which is a more complicated function.

The type of action carried out in a logic bomb does have a non-destructive use.

Page 6: Logic Bombs Slideshow

Contd.

There are 2 types of triggering in a logic bomb:

1. Positive Triggering

2. Negative Triggering

The most dangerous form of the logic bomb is one that activates when something doesn't happen, i.e. negative triggering.

A logic bomb is the most civilized programmed threat, because a logic bomb must be targeted against a specific victim.

Page 7: Logic Bombs Slideshow

TIME BOMB

Time bombs are a subclass of logic bombs that "explode" at a certain time.

Some of the first viruses, written in the 1980s, were time bombs.

Some examples are:

1. Friday the 13th

2. Win32.Kriz.3862

3. The Michelangelo

Page 8: Logic Bombs Slideshow

WORKING OF LOGIC BOMB

A logic bomb is a program, or portion of a program, which lies dormant until a specific piece of program logic is activated.

The most common activator for a logic bomb is a date. The logic bomb checks the system date and does nothing until a pre-programmed date and time is reached. At that point, the logic bomb activates and executes its code.

A logic bomb could also be programmed to wait for a certain message from the programmer.

Page 9: Logic Bombs Slideshow

Contd.

Logic bombs operate in two ways:

1) Triggered Event

2) Still Here Event

In a triggered event, the program will review the payroll records each day to ensure that the programmer responsible is still employed, and once he is fired the logic bomb will slag vital files.

In a Still Here event, the program will run unless it is deactivated by the programmer.
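
The trigger-plus-payload structure described on these two slides gives a code reviewer something concrete to look for. The following is an added example, not part of the original slideshow: a heuristic that flags shell-script lines where a date or account check is followed closely by a destructive command. The patterns, the `review_script` name and the sample script are assumptions constructed for illustration.

```python
import re

# Trigger conditions the slides describe: a date/time test, or a test that a
# given account still exists or has logged in (patterns are illustrative).
TRIGGERS = {
    "date/time check": re.compile(r"\$\(\s*date\b|`\s*date\b"),
    "account/login check": re.compile(r"\bgetent\s+passwd\b|\blastlog\b|/etc/passwd"),
}
# Commands that delete or overwrite data (illustrative, not exhaustive).
DESTRUCTIVE = re.compile(r"\brm\s+-\w*[rf]\w*|\bshred\b|\bmkfs\b|\bdd\s+if=")

def review_script(text, window=3):
    """Return (trigger kind, trigger line, destructive line) tuples for manual review."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if line.lstrip().startswith("#"):
            continue  # ignore comment lines
        for kind, pattern in TRIGGERS.items():
            if not pattern.search(line):
                continue
            # Look on the trigger line and the next `window` lines.
            for j in range(i, min(i + window + 1, len(lines))):
                if lines[j].lstrip().startswith("#"):
                    continue
                if DESTRUCTIVE.search(lines[j]):
                    findings.append((kind, i + 1, j + 1))
                    break
    return findings

# Constructed sample script; paths and the account name are placeholders.
SAMPLE = """#!/bin/sh
# nightly maintenance
ARCHIVE=/path/to/archive
ls "$ARCHIVE" | wc -l
if [ "$(date +%Y%m%d)" -ge 20300101 ]; then
    rm -rf "$ARCHIVE"
fi
if ! getent passwd exampleuser >/dev/null; then
    shred -u /path/to/records.db
fi
"""

if __name__ == "__main__":
    for kind, trig, cmd in review_script(SAMPLE):
        print(f"line {trig}: {kind} guards destructive command on line {cmd}")
```

A finding is a prompt for manual review, since date-driven cleanup jobs are common and legitimate.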

Page 10: Logic Bombs Slideshow

HISTORIC LOGIC BOMBS

Michelangelo was a logic bomb designed to activate yearly since the early 1990s, on the birthday of the painter of the same name, i.e. Michelangelo - March 6th.

In June 1992, Michael Lauffenburger, an employee of defense contractor General Dynamics, was arrested for inserting a logic bomb that would delete vital rocket project data.

On October 2, 2003, Yung-Hsun Lin created a logic bomb set to go off on his birthday in 2004, but it failed because of a programming error.

Page 11: Logic Bombs Slideshow

FICTIONAL LOGIC BOMBS

There are also many films which are based on the concept of a logic bomb.

Some examples:

1. In Moffett's Ghost, an episode of the Airwolf television series, the logic bomb sets Airwolf to destroy any aircraft in its range.

2. Hugh Jackman's character in Swordfish, Stanley Jobson, has "dropped a logic bomb through the trapdoor".

Page 12: Logic Bombs Slideshow

IMPLEMENTED LOGIC BOMBS

Page 13: Logic Bombs Slideshow

IMPLEMENTATION AREAS

Logic bombs can be implemented on an intranet, such as a company's LAN, or on the Internet.

Logic bombs that are implemented on a LAN affect only the company's data. They do not spread to the outside world.

Logic bombs implemented on the Internet, by contrast, can spread and can cause damage to every computer on which the malicious code is run.

Page 14: Logic Bombs Slideshow

LOGIC BOMBS ON LAN

In December 2006, an ex-employee of the financial company UBS PaineWebber was sentenced to eight years in prison and more than $3 million in restitution (compensation) for planting a logic bomb in UBS's computer network in 2002.

Investigations conducted by the network forensics consultancy Intelguardians have seen an administrator set up a logic bomb designed to trigger if he didn't log in for 90 days.

Page 15: Logic Bombs Slideshow

LOGIC BOMBS ON INTERNET

This is quite easy to do with only a limited understanding of Visual Basic. The simplest way is to create a macro that executes as soon as the document is opened in an application and contains the "payload", innocent or otherwise.

Computer Weekly, March 23rd 1995, Page 2, carried a story originating from Digital Equipment on the possibility of a 'logic bomb' being sent by email.

Page 16: Logic Bombs Slideshow

TO DEAL WITH LOGIC BOMBS

Most IT experts recommend constant monitoring, using virus software and other scanning programs intended to pick up on new objects in a computer's data, not only of overall networks but also of each individual computer on a network.

To deal with logic bombs, make sure your enterprise employs regular backups that are verified on a consistent basis.

Make sure you have Hot Standby Router Protocol (HSRP) enabled on your routers, which will ensure connectivity even when first-hop routers fail.

Page 17: Logic Bombs Slideshow

SAFEGUARDING AGAINST LOGIC BOMB

Page 18: Logic Bombs Slideshow

MINIMIZING POTENTIAL

There are a number of ways to minimize the potential for obtaining logic bombs.

Individual Actions:

1. Check disks or programs using the current version of antivirus software.

2. Don't use software or demos of doubtful origin.

3. Check any disk that was lent to others before using it again.

4. Remove the floppy disk when work is done.

5. Don't boot the machine if any disk, except a "Clean Bootable System Disk", is present in the disk drive.

6. Scan any program or document downloaded onto the machine.

7. Upgrade the antivirus software on a regular basis.

8. Be aware of "cookies" on the internet.

Page 19: Logic Bombs Slideshow

Contd.

Network School Actions:

1. Use anti-virus software programs and pre-set network operating system software.

2. Clearly establish acceptable use policies, making clear appropriate and inappropriate actions to both students and staff.

3. Use the network utilities which remove unauthorized files and programs based on a pre-set time frame.

Page 20: Logic Bombs Slideshow

SAFETY MEASURES FOR MICROSOFT OFFICE APPLICATIONS

Word or Excel will skip loading a macro on the internet if the [SHIFT] key is held down while the file is being loaded from the File/Open dialog box.

It does not necessarily work if the file is opened by double-clicking in Explorer or launched from Mulberry or a web browser.

Page 21: Logic Bombs Slideshow

Contd.

For example, to open a Word document without automatically executing any macros:

1. Save it to a file

2. Start up Word

3. From the File menu, choose Open and select the file you wish to load

4. Hold down the [SHIFT] key and click on [OK]

5. Keep the [SHIFT] key depressed until the document has finished loading.

Page 22: Logic Bombs Slideshow

THE BOTTOM LINES

1. Take care with unsolicited files in general, whether accessed through the Internet or more conventional means.

2. With email attachments: if you don't know the poster, don't read them or take extreme care.

3. Remember that email "authorship" can be forged very easily. (Someone you don't know might purport to be someone you do know.)

Use latest anti-virus software.

Page 23: Logic Bombs Slideshow

THE VERY BOTTOM LINE

The best precaution against all threats to files on PCs is to have an adequate, current backup.

Page 24: Logic Bombs Slideshow

REFERENCE WEBSITES

http://computer.howstuffworks.com/logic-bomb.htm

http://www.networkworld.com/newsletters/sec/2002/01514405.html

http://en.wikipedia.org/wiki/Logic_bomb