Logic Bombs
A presentation by David Kaczynski and Pedro Montoya
CIS 3460, Mike Burmester, 2006
A Brief Outline
• Definitions of Logic Bombs
• Forensics of Logic Bombs
• A Legal History of Logic Bombs
By Definition
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met (i.e., a trigger).
Types of Logic Bombs
• Time Bomb – uses a date or time as a trigger
• Worm – attempts to replicate itself onto other computers
• Trojan Horse – does not replicate to other computers; hides as a normal program
• Trial Software – an acceptable, non-malicious use of a trigger
The Trigger
• Employee's name erased from payroll (the most common example)
• A specified time and/or date
• The arrival onto a computer system
• The running of a program
So what is a logic bomb?
Almost any piece of malevolent code that uses some form of logic as a trigger.
Logic Bomb Forensics
• Protection against logic bombs
• Tracing
• Detecting
No Surefire Protection!
• Most attacks come from the INSIDE
• Keep secured logs of all code modifications
• Keep back-ups of all vital system information
Tracing Logic Bombs
• Searching – even the most experienced programmers have trouble erasing all traces of their code
• Knowledge – it is important to understand the underlying system functions, the hardware/software/firmware/operating system interface, and the communications functions inside and outside the computer
More on Tracing (events to log and review)
• Logon/logoff
• File deletes
• Rights changes
• All accesses of anything by superusers
• Failed logon attempts
• Unused accounts
• SU (Switch User) on Unix systems
• System reboots
• Remote accesses, in detail
• New user additions
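The event types listed above, run through a small triage script (an added example, not part of the original slides): it categorises constructed syslog-style lines by the slide's event types, records new-user additions, and lists known accounts with no successful logon in the window (the slide's "unused accounts"). The log format, the regexes and the account list are assumptions.

```python
import re
from collections import Counter

# Constructed syslog-style sample (not from the slides); the format is an assumption.
SAMPLE_LOG = """\
Mar 01 08:02:11 host1 login: LOGIN ON tty1 BY alice
Mar 01 08:05:40 host1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/rm -rf /var/payroll/old
Mar 01 08:06:02 host1 su: (to root) bob on pts/1
Mar 01 09:14:55 host1 sshd: Failed password for invalid user admin from 10.0.0.9 port 4102
Mar 01 09:15:01 host1 sshd: Failed password for bob from 10.0.0.9 port 4103
Mar 01 09:20:13 host1 useradd: new user: name=svc_backup, UID=1007
Mar 01 09:21:44 host1 usermod: add 'svc_backup' to group 'wheel'
Mar 01 10:00:00 host1 sshd: Accepted publickey for carol from 10.0.0.7 port 5001
Mar 01 11:30:00 host1 systemd: Starting Reboot...
Mar 01 12:00:00 host1 login: LOGOUT FROM tty1 BY alice
"""

# One regex per event type named on the slide, tuned to the sample format above.
CATEGORIES = [
    ("logon/logoff", re.compile(r"LOGIN ON|LOGOUT FROM|Accepted \w+ for")),
    ("file delete", re.compile(r"COMMAND=\S*\b(rm|unlink|shred)\b")),
    ("rights change", re.compile(r"usermod:.*to group|chmod|chown|setfacl")),
    ("superuser access", re.compile(r"sudo: .* USER=root|su: \(to root\)")),
    ("failed logon", re.compile(r"Failed password")),
    ("su", re.compile(r"\bsu: \(to \w+\)")),
    ("reboot", re.compile(r"Reboot")),
    ("remote access", re.compile(r"sshd: Accepted .* from \S+")),
    ("new user", re.compile(r"useradd: new user: name=(\w+)")),
]
SUCCESSFUL_LOGON = re.compile(r"(?:LOGIN ON \S+ BY|Accepted \w+ for) (\w+)")

def triage(log_text, known_accounts):
    """Count events per category, collect new users, and list accounts never seen logging on."""
    counts = Counter()
    new_users = []
    logged_on = set()
    for line in log_text.splitlines():
        for name, pattern in CATEGORIES:
            m = pattern.search(line)
            if m:
                counts[name] += 1
                if name == "new user":
                    new_users.append(m.group(1))
        m = SUCCESSFUL_LOGON.search(line)
        if m:
            logged_on.add(m.group(1))
    # Accounts that exist but never logged on in the window deserve a closer look.
    unused = sorted(set(known_accounts) - logged_on)
    return {"counts": dict(counts), "new_users": new_users, "unused_accounts": unused}
```

Note that "bob" shows up only in an su and a failed logon, so he is reported as an account with no successful logon even though he appears in the log.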
Detection
• Static Analysis – examining the source code of a program
  • VF 1 – uses data-flow techniques to statically determine the names of the files which a program can access
  • Snitch – statically examines a program for duplication of operating system services
• Dynamic Analysis
  • Dalek – a debugger which forms the basis for a dynamic analyzer
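A much-reduced version of the VF 1 style of analysis, as an added example that is not from the slides or from the VF 1 tool: it parses a constructed Python program with the standard ast module, follows simple string assignments and concatenation (a one-pass stand-in for data flow), and reports which file-touching calls name a path statically and which depend on runtime input. The sample program, its paths and the set of file-touching calls are assumptions.

```python
import ast
# Constructed sample program to analyse (not from the slides); the paths are made up.
SAMPLE_PROGRAM = '''
import os, shutil
LOG = "/var/log/app.log"
def cleanup(day):
    target = "/srv/data/" + day
    shutil.rmtree("/srv/data/tmp")
    os.remove(target)
    with open(LOG, "a") as f:
        f.write("done")
'''
# Calls whose first argument names a file or directory (an assumed, partial list).
FILE_CALLS = {"open", "os.remove", "os.unlink", "os.rename", "shutil.rmtree"}

def _call_name(call):
    """Render a call target as 'open' or 'os.remove'; None for anything else."""
    f = call.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f.value.id + "." + f.attr
    return None

def _resolve(node, env):
    """Fold string literals, known names and '+' concatenation into one path."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return env.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = _resolve(node.left, env), _resolve(node.right, env)
        if left is not None and right is not None:
            return left + right
    return None  # value depends on runtime input: not statically known

def file_accesses(source):
    """Return sorted (call, path) pairs; path is '<dynamic>' when unresolvable."""
    tree = ast.parse(source)
    env = {}  # one forward pass of simple data flow: name -> assigned string
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
            value = _resolve(node.value, env)
            if value is not None:
                env[node.targets[0].id] = value
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in FILE_CALLS and node.args:
            found.append((_call_name(node), _resolve(node.args[0], env) or "<dynamic>"))
    return sorted(found)
```

The "<dynamic>" entries are the ones a reviewer cannot settle from the source alone and would hand to dynamic analysis.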
Hot on the Trail
• Before the investigation starts, make a working copy of the evidence
• Tools for data recovery, duplication and verification: ByteBack, DriveSpy, EnCase
Motivation
• Why does malicious code occur?
Behavior
• Personal and Social Frustrations – a history of problems with family/school/work; negativity toward authority
• Computer Dependency – online activity replaces direct social life
• Ethical "Flexibility" – violations justified under the circumstances
• Reduced Loyalty – loyalty to the profession instead of the employer
• A Sense of Entitlement – special or owed recognition, privilege, or exceptions
• Lack of Empathy – what impact?
Typology
• Explorers – curious
• Good Samaritans – unaware of rule violations
• Hackers – looking for an ego boost
• Machiavellians – advance their personal and career goals
• Exceptions – above the rules that apply to others
• Avengers – for revenge
• Career Thieves – money hungry
• Moles – espionage
Understanding
• Underreported – unknown how often these crimes occur
• Employee Screening – hacking histories?
• Personnel Changes – demotions, terminations and reassignments
• Warning Signs – communicate
Computer Forensics
Famous Logic Bombs
1985: Donald Burleson, USPA & IRA
• Burleson worked for a security brokerage and insurance company
• One of the first recorded cases of computer sabotage in the nation
• Days after his dismissal, some 168,000 records of commission sales were lost via a "time bomb"
• Burleson's logic bomb deleted files on his computer and then deleted itself
• The deletion of files was traced to Burleson's terminal, to someone who had used his password; he was found guilty after his alibi was shot down by a witness and payment receipts
1992: Michael Lauffenburger, General Dynamics Programmer
• Atlas Missile Program at the Kearny Mesa plant outside of San Diego
• May 24, 2001, 6:00 PM was the trigger
• A fellow programmer caught the rogue code
• If executed, the logic bomb could delete memory, interfere with the government's retrieval of information, and delete itself without a trace
• Lauffenburger's goal was to resign beforehand and then get hired as a high-paid consultant
• Received a $5000 fine and three years' probation
Image caption: The US's first intercontinental ballistic missile (1959)
1998: Tony Xiaotong Yu, Deutsche, Morgan, Grenfell, Inc.
• Hired as a computer specialist in 1996; became a securities trader after writing a program for bond traders
• Planted a logic bomb with its trigger set to July 2000
• A programmer caught the rogue code in 1998; it took several months to clean up
• Purely destructive motive, apparently; the logic bomb could have caused millions of dollars in damage
• Tony was caught when he told a friend what he had done, on a tapped phone line
2002: Roger Duronio, UBS Paine Webber financial firm
• Duronio was a systems administrator on a $160,000 salary; he had a logic bomb in the works, but it wasn't activated until his request for a $175,000 salary was shot down
• Resigned on 2-22-02; his logic bomb triggered on 3-4-02
• The logic bomb caused more than $3,000 in damages, taking roughly 2,000 servers offline
• Duronio had bought $25,000 in put options weeks before he quit, with no history of buying put options beforehand
Roger Duronio's Logic Bomb: A Four-Part Plan
• One part was the destructive portion, telling servers to delete all of their files
• Another part "pushed" the logic bomb to other servers, despite reboots and loss of power
• Duronio's logic bomb had two triggers, in case one trigger was found and deleted
Crime Doesn't Pay!
There is no perfect crime
DURONIO GOT