Logic Bombs. Douglas Smith, David Palmisano. What is a logic bomb? A logic bomb is a piece of code...


Upload: gladys-lawson

Post on 27-Dec-2015


TRANSCRIPT

Page 1: Logic Bombs Douglas Smith David Palmisano. What is a Logic Bomb?  A logic bomb is a piece of code intentionally inserted into a software system that

Logic Bombs

Douglas Smith
David Palmisano


What is a Logic Bomb?

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.


More on Logic Bombs

- Criteria for “Logic Bombs”
  - For code to be considered a ‘logic bomb’, the effects of the code should be unwanted and unknown to the software operator.
  - Trial software that expires after a certain time is generally not considered a logic bomb.
- Piggybacking
  - Many viruses, worms, and other code that are malicious in nature often carry a logic bomb that “detonates” under given conditions. This may help the code on its journey as it worms through your system undetected.


A New Age of Crime

- Robbery at gunpoint has become obsolete. Welcome to the new generation of crime.
- Logic bombs for profit (monetary or otherwise)
  - Remote
  - No getaway car
  - Low fatality rate
  - Wile E. Coyote syndrome a thing of the past


Emergence of the Logic Bomb

- Technology is directly proportional to the need for security.
- The home computer was one of the greatest technological advancements since the wheel.
  - Word Processing
  - Pong
  - The Virus


Emergence cont’d

- Time Bombs
  - Detonates at a given time.
  - Most well-known version of the logic bomb.
  - Many of the first viruses released were time bombs.
  - Debuted in the 1980s (Friday the 13th virus)
  - Michelangelo virus brought public focus to viruses due to media coverage.


Attackers

- Most of the time, logic bombs are placed in the system by insiders, such as:
  - Disgruntled employees
  - Corporate spies
- Also planted by remote users/systems


Possible Triggers for Logic Bombs?

- Lapses in time.
- Specific dates.
- Specific commands
- Specific actions in programs
- “Still-there” logic bombs
  - Remain in the system with compromising effects.
  - Will run as instructed by its creator unless the creator deactivates it.
  - Payroll example.


Historic Attacks

In June 1992, Michael Lauffenburger, an employee of defense contractor General Dynamics, was arrested for inserting a logic bomb that would delete vital rocket project data. It was alleged that his plan was to return as a highly-paid consultant to fix the problem once it triggered. The bomb was stumbled on by another employee of the company. Lauffenburger was charged with computer tampering and attempted fraud and faced potential fines of $500,000 and jail time.


Historic Attacks

In February 2000, Tony Xiaotong was indicted before a grand jury, accused of planting a logic bomb during his employment as a programmer and securities trader at Deutsche Morgan Grenfell. The bomb had a trigger date of July 2000, and was discovered by other programmers in the company. Removing and cleaning up after the bomb allegedly took several months.


Victimization Prevention

- Do not allow any one person universal access to your system.
  - Separation of duties
- Always practice safe computing. Always use protection. Antivirus software can significantly reduce the risk of contracting a virus which may contain a logic bomb.
  - New strains of logic bomb and virus programs are constantly being created.
- Remember, if you believe your system may be compromised by another entity (programmer, software or other system), get tested to prevent the transmission of dangerous code operations.


Defenses for Bombs

- Segregate operations from programming and testing.
- Institute a carefully controlled process for moving code into production.
- Give only operations staff write-access to production code.
- Lock down your production code (source and executable), making it close to impossible for unauthorized people to modify programs.
- Assign responsibility for specific production programs to named positions in operations.
- Develop and maintain a list of authorized programmers who are allowed to request implementation of changes to production programs.
- Require authorization from the authorized quality assurance officer before accepting changes to production.
- Keep records of exactly which modifications were installed when, and at whose request.


Defenses for Bombs

- Use hash functions on entire files in the production library.
- Recompute all hashes against a secure table to ensure that no one has altered production files without authorization and documentation.
- Keep audit trails running at all times so that you can determine exactly which user modified which file and when.
- If possible, ensure that audit trails include chained hash functions. That is, the checksum on each record (which must include a timestamp) is calculated not only on the basis of the record itself but also using as input the checksum from the previous record. Modifying such an audit trail is much more complicated than simply using a disk editor to alter data in one or two records.
- Back up your audit files and keep them under high security.
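
The chained-hash audit trail and the file-hash recheck described above, as an added Python sketch that is not part of the original slides. The record layout, the GENESIS starting value, the function names and the sample users, paths and timestamps are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value "before" the first record

def record_checksum(prev_checksum, body):
    """Checksum over the previous record's checksum plus this record's fields."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_checksum + canonical).encode()).hexdigest()

def append_record(trail, timestamp, user, path, file_bytes):
    """Log who installed which file and when, with the file's own hash."""
    body = {"timestamp": timestamp, "user": user, "path": path,
            "file_sha256": hashlib.sha256(file_bytes).hexdigest()}
    prev = trail[-1]["checksum"] if trail else GENESIS
    trail.append({**body, "checksum": record_checksum(prev, body)})

def verify_trail(trail, saved_head=None):
    """Return the index of the first failing record, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "checksum"}
        if record_checksum(prev, body) != rec["checksum"]:
            return i
        prev = rec["checksum"]
    # A truncated or fully rewritten trail is self-consistent, so also
    # compare against the last checksum held in the secured backup.
    if saved_head is not None and prev != saved_head:
        return len(trail)
    return None

def unlogged_changes(trail, library):
    """Paths whose current bytes differ from the last hash in the trail."""
    last = {rec["path"]: rec["file_sha256"] for rec in trail}
    return sorted(path for path, data in library.items()
                  if last.get(path) != hashlib.sha256(data).hexdigest())

def build_sample_trail():
    """Constructed sample records (users, paths and times are made up)."""
    trail = []
    append_record(trail, "2002-08-21T09:00:00Z", "ops_alice", "payroll.py", b"v1")
    append_record(trail, "2002-08-22T10:30:00Z", "ops_bob", "ledger.py", b"v1")
    append_record(trail, "2002-08-23T11:15:00Z", "ops_alice", "payroll.py", b"v2")
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail, trail[-1]["checksum"]))
    trail[1]["user"] = "ops_alice"  # simulate an edit to one stored record
    print("first bad record:", verify_trail(trail))
```

Editing one stored record breaks the chain at that record, and recomputing only that record's checksum moves the failure to the next one. Comparing the final checksum with the copy kept in the secured backup is what catches a trail that was truncated or rebuilt from scratch.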
