What Is Time Bomb?
GRIDINSOFT TEAM
A logic bomb or time bomb is malware that executes only under certain conditions. These conditions range from specific dates, such as New Year's Eve or Valentine's Day, to specific events, such as a user opening a particular file or folder. Sometimes a time bomb is just a short piece of code embedded in a trojan, spyware or another kind of malware to carry out malicious actions. Time bombs are used not only by various threat actors; employees sometimes take their revenge with this malware as well. There are known cases of employees dissatisfied with their jobs leaving time bombs to damage the companies they worked for after they left their positions.
There are also examples of time bombs used for quite legitimate purposes, such as deleting all files related to an employee after they leave the job, but far more commonly time bombs are used for malicious operations. The most famous example of a vengeful employee is one from Siemens who inserted a time bomb into the company's spreadsheet software that they were also in charge of developing and maintaining. This time bomb would repeatedly go off and cause bugs to appear, which they were then called in to fix. Besides financial motives, threat actors and others may use time bombs as a form of protest after being passed over for promotion or fired.
Time bombs can have positive or negative triggers. A positive trigger means the bomb activates once a certain condition has been met. A negative trigger means the bomb activates when a certain condition has not been met (for example, a check that stops being satisfied), and it stays dormant as long as the condition holds. The damage done by an activated time bomb depends on the intent of whoever planted it. Among the various malicious tasks, time bombs usually perform things like data exfiltration, hard drive wiping or file deletion.
Because this kind of malware often hides inside otherwise completely legitimate software, it is hard to detect on a network. In most cases, companies or organizations won't know they have been infected with a time bomb until it is triggered.
What Time Bomb Can Be Used For
Time bombs can be used in a variety of ways, and some of the most common examples are the following:
- "Happy holidays" time bomb. Threat actors very often use time bombs on particular days like New Year's Eve or Valentine's Day to disrupt a company's service during these peak periods. For example, threat actors or even a company's competitors may intend to cripple the operations of a company whose products or services are tied to the Christmas holiday season, and thus make the targeted company unavailable to the market at that time of the year;
- Revenge time bomb. Disgruntled employees may also use a time bomb to get revenge. They insert the malware into the company's network and set its activation date for after they leave the job. In such a case it is hard to connect the two events and find the person responsible for the damage;
- Malware launcher. Time bombs can be used together with other kinds of malware such as spyware, ransomware, trojans or worms. In a combination like this, the activated time bomb carries out the malicious actions specific to the malware it has been planted in. For example, a time bomb inserted into spyware will launch the payload at the time the victim usually visits their online banking page. The activated spyware then logs all keystrokes and steals sensitive information for later transfer to the attacker.
The Most Known Examples Of Time Bombs
Although time bombs are not that widespread, a few of them have made quite a name for themselves. Whether or not you have heard of them, these time bombs are worth naming.
Chornobyl malware or Win95.CIH. This malware was first released in 1998. It was one of the first computer viruses capable not only of damaging software but also of inflicting damage on the hardware of the targeted machine. The malware had a specific execution date, 26 April, the date of the Chornobyl disaster. Win95.CIH could wipe out all the information on the targeted hard drives and also damage the BIOS on the motherboard. Chornobyl was one of the first viruses to show that malware can damage hardware as effectively as software: it demonstrated that the BIOS could be overwritten, and thus that hardware is also vulnerable to malware. After Win95.CIH activated, the system typically fell into the notorious Blue Screen of Death (BSOD).
Jerusalem malware. This was the first malware pandemic (a computer virus outbreak affecting multiple countries) involving a time bomb. The MS-DOS malware executed only on Friday the 13th. Every document the victim worked with on Friday the 13th was deleted by the malware. On any other date, the Jerusalem time bomb would significantly slow down the infected PC-XT machines.
Time Bomb and Logic Bomb Difference
The main difference between the two notions, and the one by which they can be distinguished, is the condition that triggers them. For a time bomb, the condition is a certain date or time. A logic bomb doesn't have this condition; it triggers when a user accesses a certain file or application on the infected computer. Still, there are instances where the malicious code shows signs of both a logic bomb and a time bomb. Such a hybrid is harder to defuse, but anti-malware software will likely detect the unusual activity before it's too late.
What is the difference between a time bomb and an ordinary virus?
When it comes to comparing a time bomb with a virus, there is actually little to compare. Time bombs can be part of different kinds of viruses as well as of other malware such as ransomware or spyware. As already mentioned, time bombs are usually pieces of malicious code that threat actors sometimes embed even inside normal, legitimate programs. More rarely, time bombs take the form of self-made scripts that do all the dirty work when launched. Most analysts consider such scripts malicious, and protection systems will likely block them before they are launched.
How Do I Know I Have Time Bomb?
Most likely you won't know you have been infected with a time bomb until it is activated. But there are a few definite characteristics that may show you had one on your network. Time bombs activate only when their trigger conditions are met; until then they do nothing. Because of this, time bombs are not discovered until they go off and can stay undetected for very long periods of time. The trigger can be the removal of an employee from the company's payroll or the arrival of a certain date. Many specialists draw the distinction between time bombs and logic bombs as follows: time bombs are those logic bombs triggered only on certain dates.
You don't know what the payload of a time bomb is until it is triggered. The payload is the component of every piece of malware that carries out the direct malicious activity; plainly, it does what the malware has been coded to do. Activation of a payload can lead to further infection of the system, theft of valuable information or mass sending of spam emails.
Time bombs can lie dormant for an extended period of time. They don't go off straight away after the infection but stay inactive for some time. Because of this feature, time bombs are often used by dissatisfied individuals taking revenge at work or elsewhere who need to cover their tracks. Some cases report that time bombs went unnoticed for years, and after they had been triggered it was hard to find out who exactly had implanted them.
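One way a reviewer can look for such dormant, date-gated code before it is deployed, as an added example and not Gridinsoft's own tooling: a Python scan (the function find_suspect_functions, the regex patterns and the sample source are all constructed here) that flags any function combining a hard-coded date comparison with a destructive call.

```python
import re

# Added example (not Gridinsoft's code): a heuristic code-review scan that
# flags a function which both compares against a hard-coded calendar date
# and performs a destructive action. Either pattern alone is usually benign;
# the combination inside one routine is what a reviewer should inspect.

DATE_GATE = re.compile(
    r"\.month\s*==\s*\d+|\.day\s*==\s*\d+|\.year\s*==\s*\d{4}"
    r"|weekday\(\)\s*==\s*\d|date\(\s*\d{4}\s*,\s*\d{1,2}\s*,\s*\d{1,2}\s*\)"
)
DESTRUCTIVE = re.compile(
    r"os\.remove\(|shutil\.rmtree\(|\.unlink\(|\bDROP\s+TABLE\b|\brm\s+-rf\b",
    re.IGNORECASE,
)

def find_suspect_functions(source: str) -> list:
    """Return (function_name, line_no) for each def mixing both patterns."""
    findings = []
    name, start, gated, destructive = None, 0, False, False
    for line_no, line in enumerate(source.splitlines(), 1):
        m = re.match(r"\s*def\s+(\w+)", line)
        if m:  # new function starts: report the previous one if suspect
            if name and gated and destructive:
                findings.append((name, start))
            name, start, gated, destructive = m.group(1), line_no, False, False
        if DATE_GATE.search(line):
            gated = True
        if DESTRUCTIVE.search(line):
            destructive = True
    if name and gated and destructive:
        findings.append((name, start))
    return findings

# Constructed sample source: a benign cleanup, a benign date-gated report,
# and a routine that deletes a directory only on 31 December.
SAMPLE = """\
def purge_temp(path):
    shutil.rmtree(path)

def monthly_report(today):
    if today.day == 1:
        send_report()

def cleanup_cache(path, today):
    if today.month == 12 and today.day == 31:
        shutil.rmtree(path)
    return True
"""
```

The scan is a triage aid, not proof: a flagged routine still needs a human reviewer to decide whether the date gate is legitimate retention logic or a planted trigger.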
How To Prevent Time Bomb Attack
Although they are hard to detect, time bombs are still malware and can be avoided like any other cyber threat. Several steps can be taken to keep the risk of a time bomb infection to a minimum:
Regularly perform software updates
Time bombs, like any other malware, often exploit vulnerabilities found in operating systems and application software. That's why developers constantly issue updates to close those vulnerabilities and leave threat actors no chance to exploit them. Applying updates regularly means there is little chance your computer will be at risk of a time bomb infection or other threats.
Develop a habit of downloading content only from trusted places
Develop the healthy practice of avoiding pirated software and disreputable freeware. If you need to download a document or other file online, use sources that are widely known and trusted. Remember that downloads from the internet are one of the main sources not only of time bombs but of many other kinds of malware. Don't forget about the links and email attachments we receive through different channels either; be careful around them as well. Website security checks also help ensure robust online safety. Anything that seems odd or unusual is better left unopened.
Use antivirus or antimalware software
The most important rule of today's cyber security is to have reliable anti-malware software to fight off not only time bombs but many other kinds of malware. Check regularly for its updates so that the software you have installed can successfully identify and remove any cyber threat that has arisen.
Keep an eye on your employees
This may sound like something from a James Bond movie, but it's actually a very real way to prevent time bomb attacks. Specialists call a cyber attack in which an employee is involved an insider threat. Although this type of attack may be rare, it is rightly considered the most dangerous. It is also worth mentioning that not only key employees can be involved in insider threat attacks; the only obstacle for an insider is obtaining privileges high enough to deploy the time bomb. Beyond personal revenge, such privileged employees are also the individuals most often targeted by whaling phishers, for example.
Given the insider threat, it is highly important to secure the workplaces of high-ranking individuals in a company with a decent security system. Things like EDR solutions will not just detect malware attacks but also prevent time bombs, data breaches and other damage from insider threats.