See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/342761639

Logic Bomb: An Insider Attack

Article  in  International Journal of Advanced Trends in Computer Science and Engineering · June 2020
DOI: 10.30534/ijatcse/2020/176932020

CITATIONS READS
0 3,291

1 author:

Palash Dusane

3 PUBLICATIONS   0 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Palash Dusane on 10 August 2020.

The user has requested enhancement of the downloaded file.

 ISSN 2278-3091
Volume 9, No.3, May - June 2020
Palash Sandip Dusane et al., International Journal of Advanced Trends in Computer Science and Engineering, 9(3), May – June 2020, 3662 – 3665
International Journal of Advanced Trends in Computer Science and Engineering
Available Online at http://www.warse.org/IJATCSE/static/pdf/file/ijatcse176932020.pdf
https://doi.org/10.30534/ijatcse/2020/176932020

Logic Bomb: An Insider Attack

Palash Sandip Dusane1, Yallamandhala Pavithra2
1
Department of Information Technology, SRM Institute of Science and Technology, Kattankulathur, India,
palashdusane@gmail.com
2
Department of Information Technology, SRM Institute of Science and Technology, Kattankulathur, India,
pavithrays1997@gmail.com

security and integrity. Working of logic bomb code in a

ABSTRACT genuine code is shown in figure 1.

Cyberattacks are one of the biggest threats to the Computer Richard Clarke (Former White House counterterrorism
World. Security researchers and professionals are expert) shares his concerns about the cyber war in his book
continuously making various efforts to prevent such attacks. named “Cyber War: The Next Threat to National Security
Most of the times these attacks come from outside, but and What to do about it.” In this book, he mentioned that the
sometimes it can be an insider attack too. Insider attack can U.S. is very vulnerable to this type of attack because its
be more lethal, as the malicious person will have authorized infrastructure is much dependent on computer networks in
system access. Logic Bomb is one of such examples of an comparison with other countries. He showed concern that the
insider attack. A successfully triggered logic bomb can cause malicious code developers could trigger logic bombs,
system failure, auto-deletion of hard drives, manipulation of shutting down the banking and various other systems [3].
data, etc. Logic Bombs are generally hidden or embedded in
genuine code where they stay dormant until their conditions One such cyberattack occurred in South Korea on 2013-3-20
are not satisfied, this makes them very hard to detect. This 14:00:00 local time, a logic bomb in the code erased the hard
malware is normally programmed by a developer of the drives of banks and media companies. It triggered on specific
software. The attackers usually exploit software development time-date and started wiping all data from machines. At least
lifecycle to insert a logic bomb. Such type of hidden malicious two broadcasting companies and three banks were attacked
code in the system software can be a serious threat to their IT on that day. This attack prevented South Koreans from
infrastructure. As the world is now moving toward smart and making ATM transactions as the attack put some ATMs out
digital cities, all the IoT and Automated systems should be of operation. According to security researchers, the malicious
protected from such attack. This paper involves the study of code also included a module to connect remote Linux
an insider logic bomb attack, its preventive measures, machines for deleting their master boot record.
proposed code-level detection system and detailed steps for
recovery. Time Bomb is a type of logic bomb. It is programmed to get
executed at a specific time and date. It will stay inactive until
Key words: Code-Level Detection System, Insider Attack, its specific condition is met. Execution of a time bomb will
Logic Bomb, Malware. result in destructive effects on system and network. Time
bomb like “Friday the 13th” activates on a specified day and
1. INTRODUCTION deletes all the files from infected computers [4].

Cyberattacks are performed by both outsider and insider It is very hard to detect a logic bomb in the testing phase.
entities. In a comparison of both; insider attack can be more Functional testing cannot detect such malicious code, as the
dangerous because of the malicious person having authorized tester is unlikely to supply values which will trigger the
access to system and network. One such effective insider bomb. Static analysis tools are unable to detect these bombs,
attack is a Logic bomb attack. as they are aimed at finding programming mistakes like
failure to validate a user input or failing to protect against a
A logic bomb is a piece of malicious code that lies dormant buffer overflow. Requirements-based testing also fails to
and hidden within a legitimate software until a condition is detect the bomb, as a tester is unlikely to enter values required
satisfied to trigger its payload. This malware is normally to trigger them. Logic bombs cannot be detected by dynamic
embedded by developers into genuine software [1]. A logic tools either, because their execution may not result in runtime
bomb has a flaw that it only works for a software for which it errors, which is usually detected by dynamic analysis [5].
has been designed, it doesn’t replicate on other applications
[2]. Presence of Logic bomb in system poses great risks to its Antivirus based on anomaly detection may not detect logic
bomb as it will not cause events which are externally

3662
Palash Sandip Dusane et al., International Journal of Advanced Trends in Computer Science and Engineering, 9(3), May – June 2020, 3662 – 3665

observable such as unusual system call. Signature detection is

also not a full-proof solution, as the malicious code is custom  Conduct a complete background check of developers
embedded to its host software, and may not have a unique at the time of joining.
signature [6].  Provide only the necessary access to developers to
avoid any misuse of resources.
 Keep the system updated by patching it regularly.
This will make it more difficult for a malicious
developer to attack the system.
 Use updated anti-malware and IDS systems [8].
 Secure account management and password controls.
Ensure different password for different host systems
[9].
 Separate the development and testing process.
 Implement the principle of least privilege to ensure
less possible targets for an attacker [10].
 Prepare baseline for the known process and
regularly compare it to the current view. This will be
useful to find rogue process [11].
 Perform regular backups, use endpoint protection
and use business email screening functionality for
mails [12].
 Log all activities of system users and monitor them
for unusual patterns [13].
 Keep an eye on employees having signs of
dissatisfaction, anger, revenge, etc. [14].
 Keep backups to restore any damage caused by the
logic bomb [15].
 Monitor auto-updating software. Use Integrity
checker to validate if any software has been modified
Figure 1: Working of Logic Bomb.
[16].
 Perform IT Security Risk Assessment [17].
2. RECENT CASE STUDY  Manual inspection of critical program code.

In July 2019, a former contractor of Siemens pleaded guilty 4. PROPOSED DETECTION SYSTEM
for planting malicious code in spreadsheets that crashes the
software every few years. He created those custom As we have seen so far, the detection of a logic bomb is very
difficult, but what if we try to find its existence in the
spreadsheets in 2002 for various projects of Siemens in
development phase itself. One of the prevention steps
related to the power generation industry.
mentioned is to monitor the critical code, but the major
problem faced by the code reviewer is to scan the whole
For so many years when the logic bomb went off, he was project at once. It’s an intensive, time-consuming and
called and paid to fix the issue, where he used to just fix the erroneous process. The proposed system will simplify the
clock for the next attack. However, in May 2016 when he code review process by detecting probable logic bomb on
went on vacation, he had to give his administrative password code-level. It will scan the program and find keywords that
to Siemens employee to solve the issue. The Siemens may lead to a logic bomb attack. Thousands of lines of code
employee found that logic bomb while checking the will be filtered out into few lines of code categorized with risk
spreadsheets. The former contractor is now facing up to 10 factor High, Medium and Low. According to the final report
years of jail time along with a fine of up to $ 250,000 [7]. generated by the system, the code reviewer will be able to
focus on high-risk code. Block diagram of the proposed
3. PREVENTION AGAINST LOGIC BOMBS detection system is shown below in figure 2.

As logic bombs are mostly planted by software developers of

the same company or externally hired contractors, the best
practices that involve putting procedural and technical
controls should be in place. Following are some necessary
steps to prevent logic bomb attack:

3663
Palash Sandip Dusane et al., International Journal of Advanced Trends in Computer Science and Engineering, 9(3), May – June 2020, 3662 – 3665

Figure 5: Sample Excel Report.

Figure 2: Block Diagram of Detection System.

The system will identify high-risk code based on keywords

present in the database. Authorized code reviewer will able to
edit database by adding or removing vulnerable keywords.
User will provide programming file as an input to the system
on which system will return a detailed report of keywords
found in the program with their description and risk category,
as shown in figure 3. Figure 6: Sample Pie Chart.
In this way, the code reviewer has to check only the lines of
code that the system predicted to be of high-risk. This will
save a lot of time and work used for intensive code
monitoring. Performance of this system will depend on the
updated database. Organizations will be able to customize the
system’s database based on the technology they are using for
their software development.
Figure 3: Example of Records in Database.
5. STEPS TO RECOVER FROM LOGIC BOMB
The system will allow a user to perform two types of scan, ATTACK
Quick review scan and Detailed review scan. In Quick review
scan, the system will scan the program for keywords of a Following steps can be used to recover from a logic bomb
particular programming language whereas Detailed review attack on a system or a network:
scan will be for keywords of all programming languages. The
scanning process will check the code line by line for 1) Quarantine (Isolate) the infected system from the
keywords. If any code is matched with a keyword then it will network to prevent more damage. If the network has
be notified to the user in the report. An example GUI of been attacked then disconnect the whole network or
system is shown below in figure 4. at least part of the network where critical data
resides.
2) Look for symptoms and review all relevant log files
to find the start of an attack. In this way, you will
able to locate logic bomb in the infected host system.
3) Collect the evidence for Investigation of the
Incident. This will help to find the attacker behind
the logic bomb attack.
4) Remove the logic bomb from the system in a safe
mode. Perform various checks to make sure malware
has been successfully removed from the system.
5) Restore the system with your last backup (if
available). Make sure that your last backup doesn’t
have the same logic bomb.
6) Plug-in the system to the network.
7) Monitor the system/software for a few months to
make sure that everything is working properly.
Figure 4: Graphical User Interface (GUI) Example.
6. CONCLUSION AND FUTURE SCOPE
The proposed system will provide output in the form of a table
and pie chart, as shown in figure 5 and 6. It will also have a The system can be attacked by a Logic bomb from both sides
feature to export the report in excel and pdf file. i.e. inside and outside. Outsider attack can be handled by

3664
Palash Sandip Dusane et al., International Journal of Advanced Trends in Computer Science and Engineering, 9(3), May – June 2020, 3662 – 3665

avoiding intrusion with tools like firewalls. Insider attack can https://thehackernews.com/2019/07/siemens-logic-bom
be more dangerous as it is performed by disgruntled or greedy b.html.
developers who will have direct access to the company’s 8. Imtithal A. Saeed, Ali Selamat, Ali M. A. Abuagoub. A
resources. This paper discusses everything about the insider Survey on Malware and Malware Detection Systems,
logic bomb attack starting from its prevention methods, International Journal of Computer Applications (0975 –
detection system and finally, steps to recover from it. 8887) Volume 67– No.16, April 2013.
https://doi.org/10.5120/11480-7108
The proposed detection system identifies malicious
instructions on a code-level. It simplifies the code monitoring 9. Agrawal, Hira & Bowen, Thomas & Narain, Sanjai.
process by pointing out the probable logic bomb code. (2013). Defending Software Systems against Cyber
Accuracy and efficiency of this system depend on the Attacks throughout Their Lifecycle, 74-89.
keywords present in the database. The system may have high 10.5422/fordham/9780823244560.003.0003.
false positives, but these false positives will eventually point 10. Raj, Gaurav & Singh, Dheerendra & Bansal, Abhay.
out bad programming practices. If the database is properly (2014). Analysis for security implementation in
updated then false negatives will be very less. To find SDLC, Proceedings of the 5th International Conference
accurate data we have to implement this proposed system. on Confluence 2014: The Next Generation Information
Even with all the false positives, this system will be able to Technology Summit. 221-226.
provide security in the development phase by providing a 10.1109/CONFLUENCE.2014.6949376.
faster and automated code review. This paper will be helpful 11. Sharma, Bobby. (2017). A Pragmatic Way of Logic
for various organizations to deal with insider attack; Bomb Attack Detection Methodology, Indian Journal
moreover, it will also be helpful for new learners to of Science and Technology. 10. 1-5.
understand logic bomb malware. 10.17485/ijst/2017/v10i20/110608.
12. A.Anupriya, V.Nithya, S.Ponmalar. A Survey: Analysis
REFERENCES
of Virus and Malware Detection, International Journal
of Innovative Research in Computer and
1. Muni Prashneel Gounder, Mohammed Farik. New
Communication Engineering, ISSN 2320-9801, Vol. 6,
Ways To Fight Malware, International Journal of
Issue 3, March 2018.
Scientific & Technology Research, ISSN 2277-8616,
Volume 6, Issue 06, June 2017. 13. Liu, Liu & Vel, Olivier & Han, Qing-Long & Zhang, Jun
& Xiang, Yang. (2018). Detecting and Preventing
2. Manju Khari, Chetna Bajaj. Detecting Computer
Cyber Insider Threats: A Survey, IEEE
Viruses, International Journal of Advanced Research in
Communications Surveys & Tutorials. PP. 1-1.
Computer Engineering & Technology (IJARCET),
10.1109/COMST.2018.2800740.
ISSN: 2278 – 1323, Volume 3 Issue 7, July 2014.
14. Muhammad Saleem , Mirza Naveed Jahangeer Baig ,
3. Ankur Singh Bist. Detection of Logic Bombs,
Mufeeza Manzoor , M.Tahir Usman , Saba Akram ,
International Journal of Engineering Sciences &
Saira Khursheed. A Brief Overview of Network
Research Technology, ISSN: 2277-9655, 3(2): February
Attacks & Overcome Techniques, International
2014.
Journal of Scientific & Engineering Research, ISSN
4. Trupti Shah. Network Security- Virus Attacks and 2229-5518, Volume 11, Issue 1, January-2020.
Defence using Antivirus Software, International
15. Suhail Qadir Mir, Mehraj-ud-din Dar, S M K Quadri,
Journal of Advanced Research in Computer Science &
Bilal Maqbool Beig, Information Availability:
Technology (IJARCST 2014), ISSN: 2347 – 8446, Vol.
2, Issue 4 (Oct. - Dec. 2014). Components, Threats and Protection Mechanisms,
Journal of Global Research in Computer Science,
5. Babak Bashari Rad, Mohammad Kazem Hassan Nejad. Volume 2, No. 3, March 2011.
Feature Selection for Malware Classification and
Detection: A Literature Review, International Journal 16. Nicolas Robillard. Diffusing a Logic Bomb, Global
of Advanced Trends in Computer Science and Information Assurance Certification Paper, GIAC
Engineering (IJATCSE), ISSN 2278-3091, Volume 9, Security Essentials Certification (GSEC) Version 1.4b
No.1.1, 2020. (Option 1), SANS Institute 2004.
6. Agrawal, Hira & Alberi, J. & Bahler, L. & Micallef, J. & 17. Sami Haji, Qing Tan and Rebeca Soler Costa. A Hybrid
Virodov, A. & Magenheimer, M. & Snyder, S. & Model for Information Security Risk Assessment,
Debroy, V. & Wong, E.. (2012). Detecting hidden logic International Journal of Advanced Trends in Computer
Science and Engineering (IJATCSE), ISSN 2278-3091,
bombs in critical infrastructure software, 7th
Volume 8, No.1.1, 2019.
International Conference on Information Warfare and
Security, ICIW 2012. 1-11.
7. Siemens Contractor Pleads Guilty to Planting 'Logic
Bomb' in Spreadsheets. Available:
3665

View publication stats