Backdoors and logic bombs create ways that an attacker can impact systems to which he or she no longer has direct access. In this video, Mike Chapple explains the risks posed by backdoors and logic bombs placed in code by application developers.
- [Instructor] We've already talked about quite a few types of malware. Viruses, worms, Trojan horses, adware, spyware, and ransomware. All of those malware objects have one thing in common, they are independent programs written by malware developers to deliver a malicious payload. Some malware, however, doesn't fit this pattern. Instead of being independent programs, they are pieces of code inserted into other applications with malicious intent. Let's talk about two types of malware that fit in this category, backdoors and logic bombs.
A backdoor occurs when a programmer provides a means to grant themselves or others future access to a system. They usually do this with benevolent purposes. They might be simply making programming easier so they don't have to keep logging in with user credentials, or they might be providing a mechanism to allow access later if a customer eventually locks themselves out of their own system, but these backdoors can have unintended effects. The customer might not want the vendor to have access to the system once it's installed, and backdoors might fall into the wrong hands, especially if they're published in the user manual.
Backdoors occur through many different mechanisms. Sometimes they're hard-coded accounts where there's a specific user name and password that will always grant access to a system. In other cases, there are default passwords that the users might not remember to change, and then finally, there might be unknown access channels, where there's a way to gain access to a system without going through the normal authentication process. Probably the most famous example of a backdoor occurred in the movie War Games in 1983, when Matthew Broderick gained access to a military computer system by learning the name of the system creator's son, Joshua, and then using it to gain full administrative access to the system.
In 2014, security experts allegedly found a backdoor in Samsung Galaxy devices that allowed remote access to data. Then in 2015, reports hit the media about default passwords in credit card readers that allowed access to thousands of systems. And just last week, I was scrolling through the manual for my new sprinkler system and discovered that right there in the manual was a default user name and password that many people probably haven't bothered to change. The second type of malware that works by modifying existing code is the logic bomb.
A logic bomb is malware that's set to execute a payload when certain conditions are met. This might be a specific date and time occurring, the contents of a file containing specific information, or the results of an API call. If you think about scenarios where a logic bomb might occur, the classic scenario is a programmer who's creating a payroll system, and then includes logic in that payroll system that checks every day to see if he or she is still active on the payroll. If the programmer suddenly disappears from the payroll, and presumably was terminated, the malicious action might occur as retaliation for the programmer being fired.
Looking at some real world examples of logic bombs, in 2013, a logic bomb struck many government computer systems in South Korea. And logic bombs date back to the early days of computing when, in 1989, the Friday the 13th logic bomb sat dormant on systems until the calendar read that it was both the 13th of the month and a Friday before it delivered its payload. Backdoors and logic bombs both represent significant risks to application security.
As a Security+ professional, you must remain vigilant to protect your organization against these threats. In addition to the standard anti-malware controls, you should routinely change default passwords, disable unused accounts, and monitor security bulletins for news of logic bombs and backdoors in software that your organization uses.
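The transcript lists the mechanisms a code reviewer should look for: hard-coded credentials, default passwords that were never changed, and logic that fires on a hidden condition such as a date. The following is an added example (not code from the course or from the instructor) of a small defensive audit that turns those three points into checks. The sample source text, the account list and the list of common default passwords are constructed for illustration, and the function names `get_config`, `grant_admin`, `purge_records` and `login` inside the sample are hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample source to scan; the function names inside it are hypothetical.
SAMPLE_SOURCE = """\
def connect(db):
    user = get_config("db_user")
    password = "admin123"  # hard-coded credential
    if user == "maint" and password == "letmein":  # hidden bypass account
        return grant_admin()
    if date.today().isoformat() == "2026-01-13":  # date-triggered branch
        purge_records()
    return login(user, password)
"""

# A credential-looking identifier assigned or compared to a string literal.
CREDENTIAL_PATTERN = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|api_key|token)\b\s*(=|==)\s*["'][^"']+["']"""
)

# A date/time value compared against a hard-coded ISO date: a classic
# logic-bomb trigger shape that deserves a closer look in review.
DATE_TRIGGER_PATTERN = re.compile(
    r"""(?i)\b(date|today|now|datetime)\b.*(==|>=|<=)\s*["']\d{4}-\d{2}-\d{2}["']"""
)

# Constructed list of widely used vendor defaults; a real audit would use a
# fuller wordlist maintained by the organisation.
DEFAULT_PASSWORDS = {"admin", "admin123", "password", "letmein", "12345", "default"}


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if CREDENTIAL_PATTERN.search(line):
            findings.append((lineno, line.strip()))
    return findings


def find_date_triggers(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for comparisons against a fixed date."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if DATE_TRIGGER_PATTERN.search(line):
            findings.append((lineno, line.strip()))
    return findings


def find_default_passwords(accounts: Dict[str, str]) -> List[str]:
    """Return the account names whose password is a known vendor default."""
    return sorted(name for name, pw in accounts.items() if pw.lower() in DEFAULT_PASSWORDS)


if __name__ == "__main__":
    # Constructed account inventory: the kind of list pulled from a device or app config.
    accounts = {"admin": "admin", "svc_backup": "Tr0ub4dor&3", "maint": "letmein"}
    for lineno, text in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"hard-coded credential at line {lineno}: {text}")
    for lineno, text in find_date_triggers(SAMPLE_SOURCE):
        print(f"date-triggered branch at line {lineno}: {text}")
    for name in find_default_passwords(accounts):
        print(f"account '{name}' still uses a default password")
```

The two regular expressions are deliberately coarse: in a review they produce candidates for a human to read, not verdicts, which is why each finding carries the line number and the offending line. The default-password check covers the transcript's sprinkler-manual case, where the credential is not in code at all but in a shipped configuration, and it works on any name-to-password mapping exported from a device or application.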
The CompTIA Security+ exam is an excellent entry point for a career in information security. The latest version, SY0-501, expands coverage of cloud security, virtualization, and mobile security. This course prepares exam candidates for the critical Threats, Attacks, and Vulnerabilities domain of the exam. By learning about malware, networking and application security exploitations, and social engineering, you'll be prepared to answer questions from the exam—and strengthen your own organization's systems and defenses. Author Mike Chapple, an IT leader with over 15 years of experience, also covers the processes for discovering and mitigating threats and attacks, and conducting penetration testing and scanning for vulnerabilities. Visit certmike.com to join one of his free study groups.