What is a logic bomb?
A logic bomb is malicious code embedded within a legitimate software application or script, designed to execute only when specific conditions are met. Until those conditions are satisfied, the code sits dormant and undetected. Once triggered, it carries out its payload, which can range from deleting files and corrupting data to crashing entire systems.
Unlike viruses and worms, logic bombs do not self-replicate or spread. They execute once, when their trigger fires.
How a logic bomb works
The attacker embeds malicious code inside a legitimate program or script and defines a trigger condition. That condition can be a specific date or time, the deletion of a particular file, a user logging in, or any other detectable system event. The trigger can be simple or layered, making it difficult to anticipate when the code will execute.
When the condition is met, the logic bomb detonates, running its payload and causing whatever damage the attacker intended. The severity depends entirely on what the payload was written to do.
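The trigger-plus-payload structure described above is also what a reviewer can search for. The following is an added example, not code from the original page: a static check that parses Python source and flags any `if` whose condition reads a date, a file's presence, or the current user while its body makes a destructive call. The sample source, the function names, and the two keyword lists are assumptions made for illustration.

```python
import ast

# Constructed sample source to review; it is parsed, never executed.
SAMPLE = '''
import os, shutil, datetime, getpass

def rotate_logs(path):
    for name in os.listdir(path):
        if name.endswith(".old"):
            os.remove(os.path.join(path, name))

def nightly_job(path):
    if datetime.date.today() >= datetime.date(2031, 1, 1):
        shutil.rmtree(path)
    if not os.path.exists("/var/run/example.flag"):
        os.remove(path)
    if getpass.getuser() == "backup":
        print("running as backup")
'''

# Heuristic lists (assumptions for this example, not a complete catalogue).
TRIGGERS = {"today", "now", "time", "exists", "isfile", "getuser", "getlogin"}
DESTRUCTIVE = {"remove", "unlink", "rmtree", "rmdir", "truncate", "system"}

def call_names(node):
    """Return the final function or attribute name of every call under node."""
    names = set()
    for n in ast.walk(node):
        if isinstance(n, ast.Call):
            f = n.func
            names.add(f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", ""))
    return names

def find_conditional_payloads(source):
    """Flag `if` statements whose test reads a trigger-like value and whose body is destructive."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.If):
            trig = call_names(node.test) & TRIGGERS
            hits = set().union(*(call_names(s) for s in node.body)) & DESTRUCTIVE
            if trig and hits:
                findings.append((node.lineno, sorted(trig), sorted(hits)))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, trig, hits in find_conditional_payloads(SAMPLE):
        print(f"line {lineno}: condition on {trig} guards {hits}")
```

The routine cleanup in `rotate_logs` and the harmless user check are not flagged; only the two conditions that gate a destructive call are. Findings are candidates for human review, not verdicts, and a layered or obfuscated trigger will not match a name-based heuristic like this one.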
Key characteristics
Dormancy keeps the code inactive and hidden until the trigger fires, often allowing it to evade detection for extended periods.
Embedded placement inside legitimate applications lets the code bypass security tools that focus on standalone malicious files.
Logical conditions define exactly when execution occurs, giving the attacker precise control over timing.
Payload is the harmful action the code performs upon detonation, whether that is data deletion, system disruption, or something else entirely.
Logic bombs vs. related malware
Logic bombs are a form of malware: software designed to cause harm or perform unauthorized actions. They are not viruses. A virus self-replicates by attaching to other files and spreading across systems. A logic bomb does not replicate; it stays where it was planted and fires once when its conditions are met. The two can coexist, since a virus could carry a logic bomb as its payload, but they are distinct in how they operate.
Why logic bombs are dangerous
Their dormant state is their primary advantage. A logic bomb can sit inside a production system for months or years without triggering any alerts, because it is not actively doing anything harmful until the moment it detonates. By the time it fires, the attacker may be long gone and difficult to trace. The damage can be immediate and widespread, particularly when the bomb targets critical infrastructure or large data stores.
Notable cases
The Slag code (1986): A programmer at a chemical plant in Germany embedded a logic bomb that caused safety systems to malfunction, triggering an explosion that caused over $170 million in damages.
UBS PaineWebber (2002): A systems administrator planted a logic bomb designed to wipe data from more than 2,000 servers at the financial firm. The attack caused an estimated $3 million in damages. The perpetrator was sentenced to 97 months in prison.
Siemens SCADA case (2000): A disgruntled employee at a California paper mill embedded a logic bomb in the plant's control system. The resulting malfunction caused over $1 million in damages.
All three cases share a common thread: the attacker had legitimate insider access, which made both planting and concealing the code straightforward. Logic bombs are disproportionately an insider threat, placed by employees or contractors who understand the systems they are targeting.





