What Is Time Bomb?
October 30, 2022
A logic bomb or time bomb is a specific kind of malware execution under certain conditions. These conditions may vary from certain dates like New Year's Eve or Valentine's Day to certain events like a user opening a specific file or folder. Sometimes time bomb can be just a short piece of code embedded into the trojan virus, spyware, or malware to conduct malicious actions. Various threat actors and employees often use time bombs, which can sometimes get revenge on this malware. There are known cases when employees dissatisfied with their jobs left time bombs to bring damage to the companies they worked for after they retired from their position.
But there are also examples when time bombs can be used for quite legitimate purposes like deleting all files related to an employee after they left the job, but more commonly time bombs are used for malicious operations. The most famous example of a revenge employee shows one from Siemens who inserted a time bomb inside companies spreadsheet software that they also were in charge to develop and maintain. This time bomb would repeatedly go off and, as a result, would cause bugs to appear that they were called to fix. Besides financial motives, threat actors and others may use time bombs to protest when someone has not been promoted or fired.
Time bombs can have positive or negative triggers. A positive trigger means a certain condition to activate a time bomb has been met. On the contrary, a negative trigger means that a certain condition has not been met, and the time bomb gets deactivated. The damage done by the activated time bomb will differ depending on the intents of those who planted it. Among the various malicious tasks, time bombs will usually do the things like data exfiltration, hard drive wiping or file deletions.
This kind of malware often gets hidden inside other completely legitimate software and therefore is hard to detect on someone's network. Companies or organizations usually won't know they've been infected with a time bomb unless it gets triggered.
What Time Bomb Can Be Used For
There are exist variety of ways that time bombs can be used, and some of the most common examples can be the next:
- "Happy holidays" time bomb. Very often, bombs get used by threat actors on certain days like New Year's Eve or Valentine's Day to disrupt some companies' service during these particular peak periods. For example, threat actors or even the company's competitors may have the intention to cripple the operation of a company that produces services or products related to the Christmas holiday season and thus make the targeted company unavailable to the market at this time of the year;
- Revengeous time bomb. Disgruntled employees may also use a time bomb to get revenge. They insert the malware inside the company's network and set the date of its activation after they leave this job. In such a case, it is hard to connect two events and find the one responsible for the damage;
- Malware launcher. Time bombs can be used along with other kinds of malware like spyware, ransomware, trojans or worms. In a symbiosis like this, activated time bombs will conduct malicious actions specific to the malware they've planted. For example, a time bomb inserted into spyware will launch the virus at the time when the victim usually visits the online banking page. This activated time bomb will then log all the keystrokes made and steal sensitive information for later transfer to the attacker.
The Most Known Examples Of Time Bombs
Although time bombs are not that popular, there are a few of them that has made quite a name. You may have heard of them or not, but these time bombs are worth naming.
Chornobyl malware or Win95.CIH. The first time this malware was released in 1998. It was one of the first computer viruses capable of not only damaging software but also inflicting some damage to the hardware of the targeted machine. The malware had a specific execution date — 26th of April — the date when the Chornobyl disaster happened. Win95.CIH had the ability to wipe out all the information on targeted hard drives and also damage BIOS on the motherboard. Chornobyl was one of the first viruses that showed the capability of malware to damage hardware as effectively as software. The malware revealed the malicious possibility that the BIOS could potentially be overwritten and thus showing that hardware is also vulnerable to malware. After the Win95.CIH malware activity, the system was typically fallen into a notorious Blue Screen of Death (BSOD).
Jerusalem malware. It was the first malware pandemic (computer virus outbreak that affected multiple countries) involving this particular time bomb. The MS-DOS malware executed only on Friday 13th. The malware deleted every document the victim worked with on Friday the thirteenth. On other dates, the Jerusalem time bomb would significantly slow down the infected PC-XT machines.
Time Bomb and Logic Bomb difference
The main difference between the two notions and the one they can be distinguished by is their condition that triggers the time bomb and logic bomb. For a time bomb, this condition is a certain date or time when it triggers. A logic bomb doesn`t have this condition, but triggers a user accessing a certain file or application on the infected computer. Still, there could be instances where the malicious construction contains signs of logic and a time bomb. This mixed thing is harder to defuse, but anti-malware software will likely be able to detect the unusual activity before it’s too late.
What is the difference between a time bomb and a common virus?
If we talk about a comparison between a time bomb and a virus, there`s nothing to talk about. Time bombs can be a part of different kinds of viruses and other malware like ransomware or spyware. We already mentioned that time bombs are usually pieces of malicious code that threat actors sometimes embed even inside normal, legitimate programs. Rarely, time bombs suppose the use of self-made scripts that do all dirty job when launched. But most of the analysts consider them malicious, and protection systems will likely ban them before they are launched.
How Do I Know I Have Time Bomb?
You likely won't know you have been infected with a time bomb unless it gets activated. But there are a few definite characteristics that may show you had one on your network. Time bombs get activated only when certain conditions are met. Time bombs need to have data conditions met; they will only work. Because of this feature time, bombs don't get to be discovered until they go off and can stay undetected for long periods. The trigger of a bomb can be the removal of an employee from the company's payroll or the approached certain date. Many specialists assume that there's a distinction between time bombs and logic bombs and that time bombs are those logic bombs triggered only on certain dates.
You don't know what a time bomb's payload is until it gets triggered. A payload is an important component of every malware that is tasked with carrying the direct malicious activity. It does what the malware has been coded to do. The activation of a payload can lead to further infection of a system, stealing of valuable and important information or massive resend of spam emails.
Time bombs can lie dormant for an extended period of time. Time bombs won't go off immediately after the infection but lie inactive for some time. Because of this feature, time bombs are often used when certain dissatisfied individuals get revenge at work or elsewhere and need to cover their tracks. Some cases report that time bombs can go unnoticed even for years, and after they have been triggered, it is hard to find who exactly implanted them.
How To Prevent Time Bomb Attack
Although they are hard to detect — time bombs are still malware that can be avoided as any other kind of various cyber threat. Several steps can be taken to ensure you have the minimum risk of time bomb infection:
Regularly perform softwrae updates
Time bombs, same as any other malware, often exploit various vulnerabilities found in operating systems and application software. That's why the developers constantly issue new updates to cover the vulnerabilities and don't leave threat actors a chance to exploit them. Ensuring you apply updates regularly means there's a little chance that your computer will be at risk of time bomb infection and other threats as well.
Develop a habit of downloading content only from trusted places
Develop a healthy practice of avoiding pirated software or unreputable freeware. If you need to download a document or other file online, use widely known and trusted sources. Remember that various downloads you do on the internet are one of the main sources of not only time bombs but other various kinds of malware. In addition to this, don't forget about different links and email attachments we may receive through different channels. Be careful around them as well. Website security checks also should help you ensure robust online safety. Everything that seems odd or unusual will be better left unchecked or unopened.
Use antivirus or antimalware software
The most important rule of today's cyber security is to have reliable anti-malware software to fight off not only time bombs but various other kinds of malware. Check regularly its updates so that the software you have installed can successfully identify and remove any cyber threat.
Keep an eye on your employees
This may sound like a thing from a James Bond movie, but it`s actually an authentic way to prevent time bomb attacks. Specialists call such cyber attacks where an employee is involved an insider threat. Although this type of cyber attack may be rare, it is rightly considered the most dangerous. It is also worth mentioning that not only key employees can be involved in insider threat cyber attacks. The only problem is to receive high enough privileges to be able to deploy the time bomb. Not only personal revenge but very often, such employees in a company are the most targeted individuals by wailing phishers, for example.
Insider threat is a matter of high importance to secure the workplace of high-ranking individuals in a company with a decent security system. Things like EDR solutions will not just mirror the malware attacks but also prevent time bombs, data breaches, and other nasty things from insider threats.