Serious Discussion Time bombs / timed malware

[Oblivion99]

Dear all

I have several offline backup data systems. It would be a disaster, if somehow the offline backup data systems got infected with a time bomb / timed walware – and then the time bomb would execute after several years.

It could be:
Malware that deletes all the data
Malware that overwrites all the data
Malware like ransomware that will encrypt the data

I have effective deterrences, such as don’t visit shady websites, don’t open shady links, updated OS and run scans often.

1.
Has anyone heard about time a bomb / timed walware, that either delete all the data, overwrite all the data or encrypt all the data?

2.
If it happened, what could I do to solve it?
Encryption:
Try to decrypt the data
Delete all data:
?
Overwrite all data:
?

Thank you

Best regards

 

[Practical Response]

Dear all

I have several offline backup data systems. It would be a disaster, if somehow the offline backup data systems got infected with a time bomb / timed walware – and then the time bomb would execute after several years.

It could be:
Malware that deletes all the data
Malware that overwrites all the data
Malware like ransomware that will encrypt the data

I have effective deterrences, such as don’t visit shady websites, don’t open shady links, updated OS and run scans often.

1.
Has anyone heard about time a bomb / timed walware, that either delete all the data, overwrite all the data or encrypt all the data?

2.
If it happened, what could I do to solve it?
Encryption:
Try to decrypt the data
Delete all data:
?
Overwrite all data:
?

Thank you

Best regards

Not sure what led you to this question but lets address it anyway.

1. You have the most important part covered with "no internet connection"
2. What type of data systems are you running?
3. How are you transferring the data to be backed up on the offline.
4. Do you scan the offline systems when you do connect them, how often and do you scan the data before transfer? If so what are you using to scan them with?
5. If the back up drive has read/write disabled and no internet connection it would be fine.

Creating snapshots of file/ directories you are trying to save offline would protect them as well as it is then immutable.

 

[cruelsister]

Has anyone heard about time a bomb / timed walware, that either delete all the data, overwrite all the data or encrypt all the data?

Although not all that common, coding malware in order to delay its execution certainly exists. Normally it will be targeted (especially to an Organization) and will contain at the core a True Zero-Day (never released into the Wild) file.

Coding in some variation of Sleep (which is barely an inconvenience to do) will thus allow the base malicious file to hang out on a drive for whatever specified time before activating.

If you would like to see such in action, I actually used a delay within a zero-day, although it was only a few seconds in my last video (Of LoLBins, 0 Days, and ESET (Part 2) in order to fit the timing of the background song. But it just as easily could have been made to wait until a big Holiday or an election.

​

 

[Brahman]

If it happened, what could I do to solve it?

Nobody can say for certain but it's sane to keep your most important data backed up in three different locations. One is local and the other two on two different cloud services. Most cloud services prevents uploading active malware and thus may prevent a timebomb type malware. I think you have to add two different online backup location to your security setup. Well that's that, nothing is certain except death.

 

[Practical Response]

Time bombs/Logic bombs "malware" have conditions that need met to be considered either. They must have a payload unknown to the user, lay dormant for a period of time, and be triggered by a specific condition.

Delivery of these is important to Note:

1. Learn how to spot phishing emails and never download unknown attachments.
2. Don't download applications from sketchy sources, always do so from a trusted source.
3. Validate and verify links and URL's before clicking.

Keep your computer and security products update.

As stated above, when and how you back up these items you store is important. There are methods mentioned such as snapshots aka immutable storage that renders the files unable to change on the storage.

 

[Oblivion99]

Not sure what led you to this question but lets address it anyway.

1. You have the most important part covered with "no internet connection"
2. What type of data systems are you running?
3. How are you transferring the data to be backed up on the offline.
4. Do you scan the offline systems when you do connect them, how often and do you scan the data before transfer? If so what are you using to scan them with?
5. If the back up drive has read/write disabled and no internet connection it would be fine.

Creating snapshots of file/ directories you are trying to save offline would protect them as well as it is then immutable.

2.
A couple of flash drives.
A HDD.
Offline laptop.

3.
I use a laptop with Windows 11. The laptop is offline. The laptop atcs an offline backup system aswell. The main function of the laptop is to sort and get an overview of the data I want to backup.
I transfer data to the laptop from flash drives or from my iphone.

4.
All the data that is being transfered to the offline laptop is being scanned by fully-updated software. Malwarebytes or Windows Defender.
All the data on the offline laptop is often being scanned by its current version of Windows Defender - Windows Defender is not getting updated hence the laptop is offline.

5.
What du you mean?
So only "copy funcition" is enabled?

"Creating snapshots of file/ directories you are trying to save offline would protect them as well as it is then immutable."
This function is so the data can't be deleted or changed in a chosen timeperiod?

Thank you

 

[Oblivion99]

Most cloud services prevents uploading active malware and thus may prevent a timebomb type malware.

It would be the same as scanning with a anti-malware software?

The scanning method, is only as good as the malware database it uses.
The development of new malware, is always one-step ahead of the anti-malware software databases.

 

[Practical Response]

2.
A couple of flash drives.
A HDD.
Offline laptop.

3.
I use a laptop with Windows 11. The laptop is offline. The laptop atcs an offline backup system aswell. The main function of the laptop is to sort and get an overview of the data I want to backup.
I transfer data to the laptop from flash drives or from my iphone.

4.
All the data that is being transfered to the offline laptop is being scanned by fully-updated software. Malwarebytes or Windows Defender.
All the data on the offline laptop is often being scanned by its current version of Windows Defender - Windows Defender is not getting updated hence the laptop is offline.

5.
What du you mean?
So only "copy funcition" is enabled?

"Creating snapshots of file/ directories you are trying to save offline would protect them as well as it is then immutable."
This function is so the data can't be deleted or changed in a chosen timeperiod?

Thank you

Interesting way to store your offline. Imaging software on that offline computer would enable you to create incremental snapshots of your back ups that would make them immutable. This would be the best method for your choice of storage. Maybe add a couple on demand scanners for second opinions in the host machine to scan before transfer. Disable autoruns of the USB so when you insert it into the host you can scan it before using.

5. To answer this, when you make something "read only" you can not write to it or change the files while it's in that state. You would have to add "write" permissions each time to add content then disable them again when done. This is mainly used in actual external devices like flash drives, sd cards, ect. Some actually have a physical "switch" you toggle to "lock" the device.

Having multiple backs as mentioned before is wise too. Adding in cloud storage. A few offline copies.

 

[cruelsister]

Most cloud services prevents uploading active malware and thus may prevent a timebomb type malware

No, they probably won't detect anything amiss for 2 main reasons- such a delay in execution of a given file is done legitimately all the time, often directly utilizing legitimate Windows binaries (kinda-sorta). Thus a detection of this will restrict the normal functioning of Windows.

Second, weaving in a delay is a very minor (and non-malicious) part of coding a malware file, so any detection by security software would be concentrated elsewhere (the nasty parts of the file)..

 

[Oblivion99]

Maybe add a couple on demand scanners for second opinions in the host machine to scan before transfer.

Other scanning software, or what do you mean?

 

[Oblivion99]

Before the laptop went offline, Windows was fully updated.
The laptop has Windows Defender firewall enabled.

After it went offline, I performed a deep scan of all files with Microsoft Defender Antivirus - and it found nothing.

Is it safe to say, that the laptop is clean of malware / timed malware at that time?

I guess, I just has trauma from the old Windows XP days, when malware roamed wild on the internet.

 

[Practical Response]

Other scanning software, or what do you mean?

On demand scanners such as "hitman pro" that you can manually initiate scans of a file, directory or drive. It's a second opinion to verify your files are clean before transfer and to also verify the drive is clean being transferred too.

 

[Oblivion99]

Could anyone please try to answer:

The offline laptop was brand new.

Before the laptop went offline, Windows was fully updated.
The laptop has Windows Defender firewall enabled.

After it went offline, I performed a deep scan of all files with Microsoft Defender Antivirus - and it found nothing.

Is it safe to say, that the laptop is clean of malware / timed malware at that time?

Thank you

 

[Practical Response]

Could anyone please try to answer:

The offline laptop was brand new.

Before the laptop went offline, Windows was fully updated.
The laptop has Windows Defender firewall enabled.

After it went offline, I performed a deep scan of all files with Microsoft Defender Antivirus - and it found nothing.

Is it safe to say, that the laptop is clean of malware / timed malware at that time?

Thank you

As already stated above, get a couple On Demand scanners for "second opinions" to scan the system if you need to verify the system is clean. You can place "Process Explorer" from "sysinternals" on your system and enable "virus Total" and it will check all running processes through VT. You can install "Autoruns" from the same "sysinternals" and enable Virus Total" on this and check all startup entries and files through VT, to help confirm.

 

[Oblivion99]

As already stated above, get a couple On Demand scanners for "second opinions" to scan the system if you need to verify the system is clean. You can place "Process Explorer" from "sysinternals" on your system and enable "virus Total" and it will check all running processes through VT. You can install "Autoruns" from the same "sysinternals" and enable Virus Total" on this and check all startup entries and files through VT, to help confirm.

What about in the specific scenario I mention?

Brand new laptop.
Fully updated.
Microsoft Defender firewall enabled.
No shady downloads and no shady websites visited.
Offline.
Full deep scan with Microsoft Defender.
Clean.
Would you fully trust this?

Thank you

 

[Practical Response]

What about in the specific scenario I mention?

Brand new laptop.
Fully updated.
Microsoft Defender firewall enabled.
No shady downloads and no shady websites visited.
Offline.
Full deep scan with Microsoft Defender.
Clean.
Would you fully trust this?

Thank you

This would depend upon the laptop, brand, where the parts are imported from , what all software is pre installed, ect. There are variables, and nothing is guaranteed, so if you have concerns, you need to scan the system and check it.

As an example, not to many years ago Lenovo was seen shipping with pre installed Superfish “adware,” which could lead to other issues easily.

If you have to ask and question it, just use the advice up above. Some users get brand new laptops, wipe them clean and manually install the OS and drivers themselves to rid the new system of any potential issues, preinstalled bloat ware and to slim down and speed up the system.

I have nothing more to add to this thread personally, all practical advice has been given already.