What Is a Logic Bomb?

If your system is infected, it's only a matter of time before it explodes

A logic bomb is unwanted code inserted into a software program that gets triggered only after a specific event takes place. Logic bombs are otherwise harmless and unapparent until the code “wakes up” to unload its malicious instructions. (Sounds like a movie premise, doesn't it?)

Logic bomb viruses can be created to do all sorts of damage to the system they’re running on, and can rely on one or more triggers before they’re set off. Time-based logic bombs, also called time bombs, are a common form, where the actions the code performs only take place at a certain date and time.

A logic bomb virus isn’t technically any worse or better than another virus—they’re all unwanted and harmful. However, a logic bomb virus is especially nefarious because it can lie dormant for days, months, or longer without the user knowing, making it that much more difficult to identify who made it, how to stop it, and the extent of the damage.


Similar to other malware, logic bomb viruses can be detected and removed by antivirus programs. However, not all logic bombs are viruses; you’ve probably even used one, as you’ll learn below. 

How Logic Bomb Viruses Work

A logic bomb is like an incomplete virus. It doesn’t do anything until it’s paired with a trigger. You can imagine a logic bomb virus as a set of instructions that are constantly listening for the go-ahead to move forward with whatever it’s been programmed to do.

What happens when a logic bomb goes off depends on how it was made. The creator has full control over not only the triggers that set it off but also what happens once the conditions have been met.

Here are some common triggers for logic bombs:

  • Specific program is installed, opened, closed, or deleted.
  • Certain holiday or other special event takes place (or the date/time could be completely arbitrary).
  • USB device is inserted or removed.
  • Particular file is created, opened, changed, or deleted.
  • Certain command is entered into the computer.

Once the logic bomb virus decides that it’s time to unload the malicious code, what happens next is limited only by the creator’s imagination:

  • Files get deleted or edited.
  • Passwords get stolen.
  • More viruses get copied to the computer.
  • Files become corrupt.
  • The whole hard drive gets wiped.

It’s also possible for a logic bomb to be disarmed, or temporarily disabled. For example, one kind of logic bomb could be simple: a flash drive gets removed and then all the files on the computer get deleted. However, another kind could be set to go off every single day at noon, but the creator could reset it before then so that it goes off the next day, unless it’s cancelled again.

Logic Bomb Virus Examples

You could use any combination of conditions and actions to describe a logic bomb. Here are some examples:

  • Stealing a Password: You download an innocent-looking program that works just like you’d expect it to, but behind the scenes is a logic bomb that waits for you to visit a specific website. Once it’s been loaded in your browser, it starts a keylogger that records the username and password you entered and sends them back to the creator.
  • Revenge for Employment Termination: An employee creates a tool that monitors a database file that holds a record of every employed person in the company. She includes a logic bomb that erases the contents of a file server, but it’s set to go off only if her own entry is removed from the list. This logic bomb includes a secondary function where it launches two years from the first event to cover her tracks.
  • Launch a DDoS Attack: Malicious code is built into a program that gets downloaded by thousands of people. These programs communicate with each other to learn how many are currently installed. Once the logic bomb virus reaches a specific installation count, they’re all used in a DDoS attack to crash a particular website.

There have been many successful and failed attempts at logic bomb viruses all over the world. Here are a few examples that made the news:

How to Remove and Prevent Logic Bombs

Deleting a logic bomb virus requires the same tools you’d use to delete other malware. Antivirus programs you can install on your computer can detect logic bomb viruses before they do damage. There are also tools that scan for viruses before the computer starts up.

Learn how to prevent viruses and other malware to avoid logic bomb viruses. Since it’s common for a logic bomb to delete files, backing up your data is also a good precautionary practice. Businesses can reduce logic bomb occurrences by giving users lower-level privileges (i.e., not admin rights).
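For teams that review their own scripts, the time-bomb pattern described earlier has a recognizable shape in source code: a date or time check that guards a destructive call. The following is an added example, not part of the original article, of a code-review heuristic that flags that shape in Python source; the lists of destructive calls and clock names, the function names, and the sample input are assumptions chosen for illustration.

```python
import ast

# Assumed, non-exhaustive lists chosen for this illustration.
DESTRUCTIVE = {"os.remove", "os.unlink", "os.rmdir", "shutil.rmtree"}
CLOCK_NAMES = {"datetime", "date", "time"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def reads_clock(test):
    """True if the condition mentions a date/time module or class."""
    return any(isinstance(n, ast.Name) and n.id in CLOCK_NAMES for n in ast.walk(test))

def find_time_bombs(source):
    """Return (if_line, call_line, call_name) for each destructive call
    found in the body of an `if` whose condition reads the clock."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.If) and reads_clock(node.test):
            for stmt in node.body:
                for sub in ast.walk(stmt):
                    if isinstance(sub, ast.Call) and dotted(sub.func) in DESTRUCTIVE:
                        hits.append((node.lineno, sub.lineno, dotted(sub.func)))
    return hits

# Constructed sample for the scanner; it is parsed, never executed.
SAMPLE = '''\
import datetime, shutil, os

def nightly_cleanup(tmp):
    if os.path.exists(tmp):
        os.remove(tmp)

def sync(share):
    if datetime.date.today() >= datetime.date(2031, 1, 1):
        shutil.rmtree(share)
'''

if __name__ == "__main__":
    for if_line, call_line, name in find_time_bombs(SAMPLE):
        print(f"line {if_line}: date check guards {name} (line {call_line})")
```

A hit is a prompt for a human to read the code, not a verdict: legitimate scheduled cleanup jobs match the same shape, and renamed imports or indirect calls will not be caught.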

Are All Logic Bombs Bad?

The term logic bomb is sometimes reserved only for malicious code. If any of the above actions take place, then the program holding the logic bomb can be categorized as malware. However, not all logic bombs are viruses.

Consider a program that lets you use all of its features without restrictions, but then shuts down some of them after seven days or if the program has been opened 10 times. This logic bomb goes off after a pre-chosen length of time or number of uses. However, unlike a logic bomb virus that might delete files or steal sensitive information, this one disables features.

The assumption here that makes this one non-malicious is that you were probably told ahead of time that you’ll have access to the full set of features for a limited time, after which you have to pay to reactivate them. This is very common with trialware.