
Malware 101: Using logic bombs to evade detection
While espionage was by far one of the most prolific activities that participants in the Cold War engaged in — providing a plentiful source of plots for spy movies and shows to this day — the era also saw the birth of cyberwarfare. In 1982, the CIA — fed up with the amount of success the KGB was having at stealing information and technology from the U.S. — decided to create a piece of malware disguised as pipeline software.
The software would work as intended for a set amount of time and then start sending signals to the pipeline pumps and valves being controlled by it that would cause damage to the equipment, ultimately resulting in an explosion along one of the Soviet Union's pipelines. This malware was the first logic bomb — an evasion technique in which malware waits for specific conditions to be met before acting maliciously (or "detonating," to use a term more appropriate to the name).
How logic bombs work
A logic bomb can use any number of different conditions as triggers, although time is one of the more common conditions. The CIA malware used a time interval as the condition, whereas the Michelangelo virus discussed in the viruses article used a specific date (March 6). The Elk Cloner virus, on the other hand, used the number of boots since infection as its logic trigger. Logic bombs are perhaps not the most sophisticated of evasion techniques, but they can be quite effective, even today.
Dynamic analysis is a technique that inspects the behaviors exhibited by a particular file, and it is quite common among antimalware software and manual malware analysis. Software and analysts alike can only spend so much time on each file, however, because there are many more files to analyze. By delaying execution of malware by a few hours, both can sometimes be tricked into thinking a file is not malicious upon first inspection when in actuality it is.
Of course, logic bombs are well known among analysts and antimalware software companies, and during analysis they often use techniques that trick the malware into thinking commonly used logic triggers have been met. Nonetheless, the struggle between attackers and defenders is constantly ongoing, and more advanced malware authors will look for new techniques for their malware to evade detection as long as possible.
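The time-budget problem described above can be handled on the analysis side by treating a quiet run that mostly sleeps and reads the clock as inconclusive rather than clean. The sketch below is an added example, not code from the original article; the trace format, the 300-second window and the sample traces are constructed assumptions.

```python
import re

# Constructed sandbox API traces in a hypothetical "<seconds> <api> [args]" format.
STALLING_TRACE = """\
0.01 GetSystemTime
0.02 Sleep ms=3600000
0.03 GetTickCount
0.04 Sleep ms=3600000
"""
ACTIVE_TRACE = """\
0.01 CreateFileW
0.02 Sleep ms=100
0.03 WriteFile
"""

ANALYSIS_WINDOW_S = 300  # assumed per-file time budget of the sandbox
CLOCK_APIS = {"GetSystemTime", "GetLocalTime", "GetTickCount"}
SLEEP_APIS = {"Sleep", "SleepEx"}

def stalling_findings(trace, window_s=ANALYSIS_WINDOW_S):
    """Return reasons the traced run may be waiting on a time-based trigger."""
    requested_sleep_s, clock_reads, other_calls = 0.0, 0, 0
    for line in trace.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        api = parts[1]
        if api in SLEEP_APIS:
            match = re.search(r"ms=(\d+)", line)
            requested_sleep_s += int(match.group(1)) / 1000 if match else 0
        elif api in CLOCK_APIS:
            clock_reads += 1
        else:
            other_calls += 1
    findings = []
    if requested_sleep_s > window_s:
        findings.append(f"requested {requested_sleep_s:.0f}s of sleep in a {window_s}s window")
    if clock_reads and other_calls == 0:
        findings.append("only clock reads and sleeps observed")
    return findings

def verdict(trace):
    """Quiet-but-stalling runs are inconclusive, not clean."""
    return "inconclusive: rerun with longer window" if stalling_findings(trace) else "no stalling indicators"

if __name__ == "__main__":
    for name, trace in (("stalling", STALLING_TRACE), ("active", ACTIVE_TRACE)):
        print(name, "->", verdict(trace), stalling_findings(trace))
```

A file that lands in the inconclusive bucket is a candidate for a second pass with a longer observation window or an adjusted clock, instead of being released as benign.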
Stealth and deception
Even outside the scope of logic bombs, it is not uncommon for attackers to gain entry to a network (whether using malware or other means) and wait days or even weeks before deploying the intended malware on systems in the network. This technique has been used quite a bit with ransomware in particular because if the malware fails to achieve its objective, the attackers lose any chance of the ransom being paid.
While quietly sitting in the network, the attacker might gather information about the network and systems on it while trying to avoid being detected in order to increase the chances of success of the attack. Even bots will often collect such information and send it to the command-and-control servers.
Logic bombs are about stealth and deception (in fact, the program that produced the first logic bomb was called the "Deception Program"), which can be very effective in evading detection by defenders and cybersecurity software. They may be less technical than other malware and evasion techniques, but they are quite strategic instead. Hiding from anti-malware software in particular greatly increases the success rate of malware attacks and is a common thread among almost all evasion techniques.
You can read the rest of the Malware 101 series here.
