0 / 10 flipped
Keylogger
Tap to reveal
Malware that records every keystroke typed on a device and transmits the collected data to an attacker. Keyloggers bypass HTTPS and full-disk encryption because they capture keystrokes at the moment of typing β before any encryption is applied. The attacker receives plaintext credentials and content. Advanced keyloggers also capture clipboard contents, screenshots, instant messages, and search queries. Delivered via bundled software, P2P downloads, or malicious installers.
Why Keyloggers Bypass Encryption
Tap to reveal
Encryption protects data in transit (HTTPS) and data at rest (full-disk encryption). Neither protects data at the moment of input. When a user types a password, it exists as plaintext keystrokes before the browser processes or encrypts it. The keylogger captures it there β at the gap before encryption applies. HTTPS protects the network path. Full-disk encryption protects the stored file. Nothing encrypts the act of typing. This is the keylogger's fundamental advantage.
DarkComet RAT
Tap to reveal
A Remote Access Trojan (RAT) with a full keylogging module that captures the exact keystroke sequence β including corrections and deletions β not just the final output. DarkComet also captures screenshots, clipboard contents, and instant messages. Used in demonstrations to show that keyloggers record complete typing transcripts: if you type "passw" then delete two characters and type "sword1!", the log shows every step. The attacker receives a detailed transcript of all user input.
Logic Bomb
Tap to reveal
Malicious code that remains completely dormant until a specific trigger condition is met, then executes its payload automatically. During the dormant period, it produces no anomalous behavior β no unusual network traffic, no suspicious processes, nothing for AV to flag. Because logic bombs are custom-written for specific targets, no signature exists in any AV database. The two trigger types are: time-based (time bomb) and user-event-based. Often planted by insiders with privileged access.
Time Bomb vs. User-Event Logic Bomb
Tap to reveal
Time bomb: Triggers at a specific date/time or recurring schedule. Detonates with no human action at trigger time. South Korea 2013 (2:00 PM March 20) and Ukraine 2016 (11:53 PM December 17) are the exam examples. User-event logic bomb: Triggers on a system event β a specific account being deleted/disabled, a user logging in, a file being accessed. An insider may set one to fire when their own account is disabled upon termination β a "deadman switch" that guarantees detonation the moment HR acts.
South Korea 2013 Logic Bomb
Tap to reveal
March 20, 2013, 2:00 PM local time: A phishing email delivered a Trojan with a time-based logic bomb to South Korean banks and broadcasters. When the trigger fired, the bomb deleted storage contents and wiped the Master Boot Record (MBR) simultaneously across thousands of systems. Systems rebooted to: "Boot device not found. Please install an operating system on your hard disk." ATMs at affected banks went offline simultaneously. Coordinated simultaneous detonation was designed to overwhelm response capacity.
Ukraine 2016 SCADA Attack
Tap to reveal
December 17, 2016, 11:53 PM: A logic bomb targeting SCADA systems at a Ukrainian electrical substation systematically disabled power grid circuits, causing a blackout. The malware was customized for the specific SCADA environment β attackers had previously mapped the control network to know which circuits to disable. SCADA (Supervisory Control and Data Acquisition) systems control physical infrastructure; this attack caused real-world power loss. The midnight timing minimized staffing and maximized response difficulty.
Logic Bomb Prevention
Tap to reveal
Logic bombs cannot be detected by AV (no signatures). Prevention relies on process controls and monitoring: (1) Formal change management β all system changes require documented approval; (2) File integrity monitoring (FIM/Tripwire) β alerts when critical files or scheduled tasks change unexpectedly; (3) HIDS β behavioral monitoring catches anomalous system activity; (4) Separation of duties β no single person can plant and approve a change; (5) Least privilege β limits who has access to plant one; (6) Constant auditing β reviews catch changes that monitoring missed.
Rootkit
Tap to reveal
Malware that embeds in the OS kernel to hide itself while maintaining privileged access. The name comes from Unix "root" (administrator). A kernel rootkit intercepts OS queries β when Task Manager or antivirus asks "what processes are running?", the rootkit removes itself from the answer before it's returned. It is invisible to any tool that relies on the OS for information. Also invisible to traditional AV because the rootkit controls what the OS reports about files and processes.
Secure Boot
Tap to reveal
A UEFI BIOS feature that verifies the cryptographic digital signatures of OS components before loading them during startup. If a rootkit has modified the kernel, the signature check fails β the modified code does not match the expected signature β and Secure Boot halts the boot process. The rootkit cannot run. Secure Boot is the hardware-level prevention for rootkits: it stops the infected OS from loading before the rootkit gets to execute. Requires UEFI firmware (not legacy BIOS) and proper key configuration.