Logic Bombs

A logic bomb is a piece of malicious code secretly inserted into a software system that remains dormant and invisible until a specific condition, the “trigger,” is met. Once triggered, it “detonates” and executes its harmful payload, such as deleting data, crashing servers, or corrupting files.

Unlike viruses or worms, logic bombs don’t usually spread on their own; they are typically planted by someone with internal access, like a disgruntled employee or a contractor.

How a Logic Bomb Works

A logic bomb follows a simple “if-then” structure: If [Trigger] occurs, then execute [Payload].

The trigger is the condition the code is waiting for. These can be:

  • Time-Based: Also called a “Time Bomb,” these trigger on a specific date (e.g., Friday the 13th) or after a countdown.
  • Event-Based: Triggers when a specific action happens, such as opening a particular file or logging into a specific account.
  • Negative Triggers: These trigger when something doesn’t happen. For example, a disgruntled programmer might write a script that checks if their name is still on the payroll; if the name is removed, the bomb goes off.

The payload is the actual damage the code is programmed to do. Common payloads include:

  • Deleting critical databases or entire server drives.
  • Corrupting files so they cannot be opened.
  • Creating a “backdoor” for a hacker to enter the system later.
  • Slowing down the computer by consuming all available memory.

Famous Real-World Examples

  • The Siemens Case (2014–2016): A contract programmer for Siemens, David Tinley, planted logic bombs in spreadsheets he created. The files would “break” after a certain amount of time, forcing Siemens to hire him (and pay him) to fix them.
  • UBS PaineWebber (2002): A systems administrator, Roger Duronio, was unhappy with his bonus. He planted a logic bomb that wiped out over 2,000 servers across 400 branch offices on a specific date, causing millions of dollars in damage.
  • The South Korea “DarkSeoul” Attack (2013): A massive logic bomb attack simultaneously wiped the hard drives of several South Korean banks and media companies, bringing their operations to a complete standstill.

How to Protect Against Them

Logic bombs are notoriously difficult to detect because they are often hidden inside legitimate, working code. Organizations use several strategies to prevent them:

  • Code Reviews: Having a second set of eyes look at all new code before it is added to a system.
  • Least Privilege: Ensuring employees only have access to the specific systems they need for their jobs.
  • Separation of Duties: Preventing one person from having total control over a critical process.
  • Endpoint Security: Using advanced security software that monitors for suspicious system changes, rather than just known viruses.
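As an added example (not code from the original article), the script below turns the “if [Trigger] then [Payload]” structure into a code-review heuristic: it parses Python source with the standard `ast` module and flags any `if` whose condition references the clock or uses a negative `not in` check and whose body calls a destructive filesystem function. The sample snippets are constructed, and the `TIME_NAMES` and `DESTRUCTIVE` lists are assumptions a reviewer would tune to their code base.

```python
import ast

# Names that suggest a clock/date check; call names that suggest a destructive payload.
TIME_NAMES = {"datetime", "date", "time", "today", "now", "strftime", "timestamp"}
DESTRUCTIVE = {"remove", "unlink", "rmtree", "rmdir", "truncate"}

def _dotted(node):
    """Render a Name/Attribute chain such as shutil.rmtree as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))

def _is_trigger(test):
    """Trigger heuristic: a date/time reference or a 'not in' (negative) check."""
    for n in ast.walk(test):
        if isinstance(n, (ast.Name, ast.Attribute)) and _dotted(n).split(".")[-1] in TIME_NAMES:
            return True
        if isinstance(n, ast.Compare) and any(isinstance(op, ast.NotIn) for op in n.ops):
            return True
    return False

def _payload_calls(body):
    """Collect (line, name) of destructive calls anywhere inside the if-body."""
    return [(n.lineno, _dotted(n.func)) for stmt in body for n in ast.walk(stmt)
            if isinstance(n, ast.Call) and _dotted(n.func).split(".")[-1] in DESTRUCTIVE]

def scan_source(src):
    """Return (if_line, call_line, call_name) for each trigger-guarded destructive call."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.If) and _is_trigger(node.test):
            findings.extend((node.lineno, ln, name) for ln, name in _payload_calls(node.body))
    return findings

# Constructed review samples: a benign cleanup, a time-based trigger, a negative trigger.
BENIGN = "import os, shutil\ndef cleanup(tmp):\n    if os.path.isdir(tmp):\n        shutil.rmtree(tmp)\n"
SUSPECT = (
    "import datetime, shutil\n"
    "def report():\n"
    "    if datetime.date.today() >= datetime.date(2026, 1, 13):\n"
    "        shutil.rmtree('/data/constructed_example')\n"
)
NEGATIVE = (
    "import os\n"
    "def audit(payroll):\n"
    "    if 'contractor' not in payroll:\n"
    "        os.remove('/data/constructed_example')\n"
)
```

Run `scan_source()` over each sample: the benign cleanup yields nothing, while the two trigger-guarded deletions are reported with the line of the `if` and the line of the destructive call, which is what a reviewer would then inspect by hand.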
