Threats and vulnerabilitiesIntermediate20 min read

What Is Logic bomb? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A logic bomb is a type of malware that stays hidden in a computer system until a certain event happens. When that event occurs, like a specific date or a user action, the logic bomb activates and performs a malicious task, such as deleting files or corrupting data. Unlike a virus, it does not spread on its own. It relies on the trigger to cause damage.

Commonly Confused With

Logic bombvsTrojan horse

A Trojan horse is malware that disguises itself as a legitimate program to trick users into installing it. A logic bomb, however, is often already inside a trusted application and does not need to trick the user. The logic bomb is a hidden component, while the Trojan is the entire malicious program. A Trojan can deliver a logic bomb as its payload.

A free game that asks for admin privileges is a Trojan. A logic bomb would be a part of that game that erases files on a specific date.

Logic bombvsVirus

A virus is a self-replicating piece of malware that attaches itself to other files or programs. A logic bomb does not replicate. The virus is its own entity that spreads; the logic bomb is a hidden routine. A virus can also contain a logic bomb, but the primary characteristic of a virus is self-replication, which a logic bomb lacks.

A virus that copies itself to every Word document on the network. A logic bomb inside that virus might delete all files on January 1st, but the virus part is what spreads.

Logic bombvsRansomware

Ransomware encrypts files and demands payment for their release. A logic bomb may simply delete files or cause damage without any demand. Ransomware's goal is extortion, while a logic bomb's goal is typically sabotage. A logic bomb could be used to deliver ransomware, but the two concepts are distinct.

Ransomware locks your files and shows a message. A logic bomb silently deletes your files with no warning.

Must Know for Exams

Logic bombs are a recurring topic in several IT certification exams, especially those focused on security and risk management. For the CompTIA Security+ exam, logic bombs fall under Domain 1.0: Attacks, Threats, and Vulnerabilities. Specifically, they are part of the objective that covers various types of malware. In Security+ questions, you may be asked to identify a logic bomb scenario, differentiate it from a virus or worm, or recognize the trigger condition. The exam often presents a case where a programmer inserts code that deletes files if their name is removed from the payroll system. The question may ask what type of malware is described, and the correct answer is logic bomb.

For the CISSP exam, logic bombs are covered in Domain 3: Security Architecture and Engineering and Domain 7: Security Operations. CISSP questions may focus on how logic bombs relate to software assurance, supply chain risk, and insider threats. You might be asked about the best controls to detect or prevent logic bombs, such as code reviews, separation of duties, and integrity checking. The CISSP also emphasizes the concept of the principle of least privilege and how it can limit the damage a logic bomb can cause.

For the CEH (Certified Ethical Hacker) exam, logic bombs are studied as a type of malware that can be used by malicious insiders. CEH questions may ask how to identify a logic bomb during penetration testing or how to defend against them in a simulated environment. The CEH also covers social engineering and physical security, which are relevant when considering how a logic bomb might be introduced.

In all these exams, the key is to remember that a logic bomb is not self-replicating. It requires a trigger and a payload. Exam questions often test this distinction. They may describe a scenario with a virus that spreads and deletes files, then ask if it is a logic bomb. The answer is no, because a virus replicates itself, while a logic bomb does not. Another common question pattern is about the trigger: what event activates the logic bomb? The answer could be a date, time, user action, or system state. Being able to identify the trigger and the payload is crucial for scoring points.

Simple Meaning

Imagine you have a co-worker who seems perfectly normal until every time they hear a particular song on the radio, they suddenly unplug the office server. That song is their trigger. A logic bomb works the same way in a computer. It is a hidden piece of code that stays quiet and harmless until a specific condition is met. That condition could be a date and time, like Friday the 13th, or an event like a user typing a certain password or a file being deleted.

Once the trigger happens, the logic bomb wakes up and does something destructive. It might erase important files, change system settings, or send confidential data to an attacker. The scary part is that before the trigger fires, no antivirus or monitoring tool might spot anything wrong because the code looks normal. This makes logic bombs especially dangerous in places like banks, hospitals, or government offices, where a single trigger could cause massive disruption.

In everyday life, think of it like a time bomb hidden in a package. The bomb is there from the start, but it only explodes when the timer reaches zero. The difference is that a logic bomb can be set off by almost anything, not just a timer. It could wait for someone to press the "Delete" key three times in a row. Because it blends in with normal software, it can be very hard to find until it is too late.

Full Technical Definition

A logic bomb is a type of malicious software (malware) that is intentionally inserted into a system to execute a payload when a predefined set of conditions is met. Unlike viruses or worms, a logic bomb does not replicate itself. It is typically placed by an insider or through a supply chain attack. The logic bomb consists of two main components: the trigger condition and the payload.

The trigger condition is a logical statement that is evaluated by the system regularly. Common triggers include a specific date and time, the number of times a program runs, the presence or absence of a file, a particular user logging in, or a system event like a shutdown. For example, a programmer might embed a logic bomb in a payroll system that activates if their employee ID is ever removed from the database. The condition is often written as an if-then statement in the code. The system checks the condition only when the infected software runs, so the bomb can remain dormant for months or years.

The payload is the destructive action the logic bomb performs once the trigger fires. Payloads can range from deleting files and corrupting databases to installing backdoors or encrypting data for ransomware. In some cases, the payload is designed to target specific systems, such as disabling safety controls in industrial control systems (ICS) or erasing financial transaction logs.

From a technical standpoint, logic bombs are often inserted into source code, scripts, or compiled binaries. They can be introduced by a disgruntled employee, a contractor, or even by an attacker who compromises the development environment. In software supply chain attacks, a logic bomb can be added to a widely used library, so any application that includes that library inherits the bomb. Detection is challenging because the malicious code is hidden inside legitimate software. Traditional signature-based antivirus tools may not detect a logic bomb because its code pattern is unique and does not match known malware signatures. Heuristic analysis and runtime behavior monitoring can sometimes catch the bomb when it activates, but only if the trigger condition actually fires during testing. Code reviews, strict access controls, and separation of duties in software development are the primary defenses.

In IT certification contexts, logic bombs are often studied under the topic of malicious code and insider threats. They are relevant to security+ and other general security exams because they represent a form of attack that bypasses many perimeter defenses. Understanding how triggers work and how to implement change management and code integrity checks is essential for defending against them.

Real-Life Example

Think of a university where a specific professor has a secret rule for the final exam. The professor tells the teaching assistant: "If less than 80% of the class passes the midterm, then after the final exam I will automatically fail everyone." The professor writes this rule into the grading spreadsheet without anyone else knowing. The rule sits quietly, doing nothing, as long as more than 80% of the students pass the midterm. But if the midterm results drop below that threshold, the spreadsheet automatically applies a failing grade to every student after the final exam.

This is exactly how a logic bomb works. The trigger condition is the midterm pass rate falling below 80%. The payload is the automatic failing of all students. The spreadsheet looks normal and functions normally for all other grading purposes. No one suspects anything because the hidden rule only shows itself when the condition is met. The professor may have left the university by that time, making it impossible to reverse the damage.

In the IT world, a logic bomb might be inserted into a company's financial software. The trigger could be the date when the employee who wrote it leaves the company. The payload could delete all accounts receivable records. The software works perfectly for years, gaining everyone's trust. Then, one day after the employee resigns, the system crashes and data vanishes. The damage is done before anyone understands why.

Why This Term Matters

Logic bombs matter because they represent a unique and dangerous form of insider threat. Unlike an external hacker who must break through firewalls and authentication, a logic bomb can be placed by someone who already has legitimate access to the system. That could be a disgruntled employee, a contractor, or even a developer in the supply chain. The bomb can remain hidden for years, activating only after the perpetrator is long gone, making attribution and recovery extremely difficult.

From a practical IT perspective, logic bombs highlight the importance of code review, change management, and separation of duties. In many organizations, a single developer should not be able to push code to production without peer review. Logic bombs also show why backups and disaster recovery plans are critical. Even if a logic bomb destroys data, a recent backup can restore operations. However, if the bomb is triggered in a way that corrupts backups as well, the damage can be catastrophic.

For IT security professionals, understanding logic bombs is essential for designing secure software development lifecycles (SDLC) and implementing monitoring that detects anomalous behavior. Runtime application self-protection (RASP) and endpoint detection and response (EDR) tools can sometimes catch the payload execution. But prevention through policies and code integrity is more reliable. Logic bombs also remind us that security is not only about preventing external attacks but also about controlling internal risks. A well-placed logic bomb can cause financial loss, reputational damage, and safety hazards in critical infrastructure. This is why many compliance frameworks, such as PCI DSS and NIST, include requirements for code review and access controls.

How It Appears in Exam Questions

In IT certification exams, logic bomb questions typically fall into one of three patterns: scenario identification, concept differentiation, and control selection.

Scenario identification questions present a short story about a system failure. For example: "A network administrator notices that on the first day of every month, the inventory database suddenly becomes corrupted. Logs show that a previously unknown script runs at midnight. Which type of malware is most likely responsible?" The correct answer is a logic bomb, because the script is dormant until a specific time trigger. The question tests your ability to recognize the trigger and payload pattern.

Concept differentiation questions ask you to distinguish a logic bomb from other malware types. For example: "Which of the following is a key difference between a logic bomb and a worm?" The answer would be that a worm replicates itself over a network, while a logic bomb does not replicate. Another variant: "A piece of malware deletes files only when a user types the word 'delete' in an email. Is this a virus, Trojan, or logic bomb?" The answer is logic bomb, because the deletion is triggered by a user action.

Control selection questions present a scenario and ask what control would be most effective. For instance: "An organization fears that a disgruntled employee may have inserted malicious code into a financial application. Which control would best detect a logic bomb before it activates?" The correct answer is peer code review or static code analysis. Another question: "Which security principle is most effective in limiting the damage of a logic bomb?" The answer is the principle of least privilege, because if the bomb runs with limited permissions, it cannot access sensitive files.

Some exams include troubleshooting questions where you must interpret logs. For example, you might see a log entry showing that a script runs every time a specific user logs in, and that script transfers data to an external IP. The question asks what is happening. The answer is a logic bomb triggered by a user login. These questions require you to connect the trigger to the payload and understand the intent. Always pay attention to what activates the malicious code and what it does after activation.

Practise Logic bomb Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Consider a medium-sized software company where the lead developer, Alex, has been passed over for promotion multiple times. Alex feels underappreciated and decides to get back at the company. He is responsible for maintaining the payroll application, which runs every two weeks to generate employee paychecks. Alex adds a small piece of code to the application. The code says: if the current date is June 1st of next year, then delete all employee records from the database. Alex plans to leave the company before that date, so he will be gone when the bomb goes off.

The new code is merged into the application without anyone noticing. The payroll application runs perfectly for over a year. Nobody reviews Alex's code because he is trusted and the changes are minor. On June 1st, the payroll application runs as scheduled. But this time, the trigger condition is met. The logic bomb activates and executes a SQL command that drops all rows from the employee table. Payroll records vanish, employee IDs are lost, and the company cannot process salaries. The system crashes and recovery from backups takes three days, costing the company thousands of dollars in overtime and lost productivity.

In this scenario, the logic bomb was hidden in plain sight. The trigger was a specific date. The payload was database deletion. The company learned that code review and separation of duties are necessary, even for trusted employees. They also realized that monitoring for unexpected database commands could have alerted them before the damage was done.

Common Mistakes

Believing that a logic bomb can spread like a virus.

A logic bomb does not replicate itself. It is a piece of code that remains dormant until triggered. A virus, on the other hand, self-replicates and spreads to other systems. Mixing these up can lead to incorrect answers on exam questions.

Remember that logic bombs are planted by a human and do not have self-spreading capabilities. Think of a booby trap, not a contagion.

Thinking that antivirus software will easily detect a logic bomb.

Antivirus software typically relies on signatures of known malware. Logic bombs are custom-coded and often do not match any known signature. They can be hidden inside trusted applications, making detection very difficult.

Understand that detection requires code review, behavior monitoring, or integrity checks, not just antivirus scans.

Confusing the trigger with the payload.

The trigger is the condition that sets off the bomb, like a date or a user action. The payload is the harmful action, like file deletion. If you get these reversed, you will misunderstand the scenario.

When analyzing a scenario, first ask: 'What event starts this?' That is the trigger. Then ask: 'What damage occurs?' That is the payload.

Assuming a logic bomb only works with a time trigger.

Time-based triggers are common, but logic bombs can be triggered by nearly any event, such as a user logging in, a file being opened, or a system shutdown. Exams may include non-time triggers to test your understanding.

Remember that the trigger is any logical condition, not just a date or time.

Exam Trap — Don't Get Fooled

{"trap":"A question describes malware that deletes files on a specific date and also spreads to other computers via the network. The exam asks what type of malware it is. Many learners immediately answer 'logic bomb' because of the date trigger."

,"why_learners_choose_it":"Learners focus on the date trigger and ignore the spreading behavior. They associate the time-based deletion with a logic bomb and do not consider that logic bombs do not replicate.","how_to_avoid_it":"Read the entire scenario.

If the malware self-propagates, it cannot be a logic bomb. It might be a worm or a virus that also contains a logic bomb component. In such questions, identify the primary characteristic.

If it spreads, it is not a pure logic bomb."

Step-by-Step Breakdown

1

Insertion

The attacker inserts the logic bomb into a system, often by adding code to an existing application, script, or system process. This could happen during software development, through a compromised update, or by a malicious insider with access to the codebase.

2

Dormancy

The logic bomb remains inactive while the host system runs normally. It does not affect performance or behavior, so it evades detection. It waits silently for the trigger condition to occur.

3

Trigger Evaluation

The system periodically checks the trigger condition. This could be every time the program runs, or at system startup. The condition is usually a logical test, like 'if date equals June 1' or 'if user X logs in'. The bomb does nothing until the condition is true.

4

Trigger Fires

When the condition is met, the logic bomb activates. The trigger could be a single event or a combination of events. This step is the moment the bomb 'explodes' logically.

5

Payload Execution

The malicious code runs its payload. This could involve deleting files, corrupting databases, opening a backdoor, encrypting data, or performing any action the attacker programmed. The payload often runs with the privileges of the host process, so it can access whatever the application can access.

6

Damage and Aftermath

The payload causes disruption, data loss, or system compromise. Detection often occurs only after the damage is done. Recovery requires restoring from backups and removing the malicious code. Attribution is difficult because the attacker may be long gone.

Practical Mini-Lesson

In the real world, defending against logic bombs requires a multi-layered approach. First, implement strong source code controls. Use version control systems with mandatory peer review for all code changes. No single developer should be able to push code to production without another pair of eyes reviewing the diff. This catches most logic bombs because the malicious code would be visible during review if the reviewer is diligent.

Second, apply the principle of least privilege to both user accounts and application processes. If a program runs with minimal permissions, even if a logic bomb activates, its ability to cause harm is limited. For example, if the payroll application runs with read-only access to the employee database, a logic bomb cannot delete records. This is why many organizations run services under dedicated service accounts with tightly scoped permissions.

Third, use integrity monitoring tools. These tools take a cryptographic hash of critical files and check them regularly for unauthorized changes. If a logic bomb alters a file, the hash changes and an alert is triggered. This can detect the insertion of the bomb before it fires, assuming the monitoring is in place and the bomb is added after the baseline is taken.

Fourth, implement runtime behavior monitoring. Endpoint detection and response (EDR) systems can flag unusual behavior, such as a payroll application suddenly trying to drop a database table. This can catch the bomb at the moment of activation, allowing incident responders to stop the damage and contain the system. However, this relies on the bomb not being able to disable the monitoring first.

Finally, maintain immutable backups. If a logic bomb destroys data, you need to recover from a clean backup taken before the bomb was planted. But if the bomb also targets backups, you need to have offline or write-once backups that cannot be modified. Regular backup testing ensures that the recovery process works and data is actually restorable. For IT professionals, understanding these practical defenses is more important than memorizing the definition. The exam will test your ability to apply these concepts in real-world scenarios.

Memory Tip

Remember: 'Lazy Logic waits for a Trigger, then Bombs the Payload.' Lazy because it does nothing until triggered. Trigger sets it off. Payload is the damage.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can a logic bomb be triggered by a system reboot?

Yes, a system reboot can be a trigger if the logic bomb's code is written to check for a condition after boot. For example, a bomb could activate on the tenth reboot after a specific date.

How do you find a logic bomb before it activates?

The most effective method is manual code review, especially during the software development lifecycle. Automated static code analysis tools can also detect suspicious patterns like hardcoded dates or file deletion commands.

Is a logic bomb considered a type of malware?

Yes, it is classified as malicious code, which falls under malware. However, it is not a standalone type like a virus; it is a component or routine within a legitimate program.

Can antivirus software detect a logic bomb?

Rarely, because logic bombs are custom-made and do not have known signatures. They are often part of trusted software, so antivirus may not flag them. Heuristics might catch the behavior at runtime, but not the dormant code.

What is the difference between a logic bomb and a backdoor?

A backdoor provides unauthorized access to a system, while a logic bomb performs a specific destructive action when triggered. A logic bomb could open a backdoor as its payload, but the concepts are different.

Who typically plants a logic bomb?

Logic bombs are most often planted by insiders, such as disgruntled employees, contractors, or former employees with residual access. They can also be inserted by attackers who compromise the software supply chain.

Summary

A logic bomb is a malicious piece of code that remains hidden in a system until a specific condition triggers it to cause damage. Unlike viruses or worms, it does not replicate itself but relies on a human to plant it. The bomb consists of a trigger condition and a payload. The trigger can be a date, time, user action, or any logical event. The payload can delete files, corrupt databases, or execute other harmful actions.

For IT certification exams, remember that a logic bomb is not self-propagating. Do not confuse it with a virus. Also, know that detection is difficult and requires code review and behavior monitoring, not just antivirus. In real-world practice, logic bombs underscore the importance of insider threat programs, least privilege, code integrity checks, and immutable backups.

The takeaway for exam preparation is to focus on the trigger-payload model. When you see a scenario where code executes only under a specific condition and causes damage, think logic bomb. Always verify that the code does not spread on its own. With that distinction, you can avoid the common traps and answer questions confidently.