Three Malware Types β Side-by-Side
| Property | Keylogger | Logic Bomb | Rootkit |
|---|---|---|---|
| Primary Goal | Capture keystrokes and user data; transmit to attacker | Execute a destructive or disruptive payload when a trigger fires | Maintain hidden privileged access to the system |
| Behavior Before Trigger/Discovery | Active but silent β continuously capturing; no visible symptoms | Completely dormant β no activity, no detectable behavior | Active but invisible β intercepts OS queries to hide itself |
| Why AV Misses It | May evade signatures; new variants appear constantly | Custom code β no signature exists in any database | Intercepts OS queries; AV sees falsified process/file lists |
| How It Arrives | Bundled software, P2P downloads, malicious downloads | Planted by an insider with system access | Exploit, trojan, or physical access to the system |
| Primary Detection Tool | Dedicated anti-malware (Malwarebytes), behavioral EDR | File integrity monitoring (FIM/Tripwire), HIDS, change audit | Secure Boot (prevention); rootkit-specific removal tools; forensic boot |
| Primary Defense | Avoid risky installs; use MFA; run anti-malware | Formal change management; separation of duties; auditing | Enable Secure Boot; keep UEFI firmware updated |
Why Keyloggers Bypass Encryption
User Types a Password
Keystrokes are generated by physical key presses β raw input events at the OS level, before any application processes them
β
Keylogger Intercepts Here
The keylogger captures keystrokes at this point β the input is plaintext. Nothing has processed it yet. This is the gap that no encryption covers.
β
Browser Processes Input
The password appears in the form field. The browser is about to encrypt it for transmission. But the keylogger already has it.
β
HTTPS Transmits Encrypted Data
The browser sends the encrypted credential to the server. HTTPS protects this network transmission perfectly. The keylogger was never near this layer.
β
Keylogger Sends Data File to Attacker
Once or several times daily, the keylogger sends all collected keystrokes β including that password β to the attacker's server. In plaintext. Encryption never applied.
HTTPS protects the data in transit between browser and server. Full-disk encryption protects data at rest on the hard drive. Neither protection exists at the moment of keystroke capture. The keylogger lives in that gap.
Keylogger β What Gets Captured
| Data Type | How Captured | What Attacker Gains |
|---|---|---|
| Keystrokes | Direct hook into OS input events; records every key press including corrections and modifiers | Usernames, passwords, credit card numbers, written content, anything typed |
| Clipboard contents | Monitors clipboard events (copy/paste operations) | Passwords copied from password managers; copied sensitive text; avoids keyboard-only detection |
| Screenshots | Periodic screen captures at configured intervals | Visual record of activity: documents read, emails composed, pages visited, applications used |
| Instant messages / chat | Monitors messaging application inputs and/or display content | Private communications; business decisions; internal discussions |
| Search queries | Captures text entered in browser search fields | Research topics; personal health/legal/financial searches; intelligence about user interests and concerns |
Logic Bomb Lifecycle
Attacker Gains System Access
Often an insider with legitimate credentials and elevated permissions β a sysadmin, developer, or IT staff member. External attackers can also plant bombs after compromising a system.
β
Logic Bomb Is Planted
Custom malicious code is embedded in a scheduled task, script, system file, or application. Trigger condition is set β a specific date/time or a system event.
β
Dormant Period β Undetectable by AV
The logic bomb does nothing. No unusual network traffic. No anomalous processes. No AV signature matches. If file integrity monitoring is absent, the bomb may sit undetected indefinitely.
β
Trigger Condition Met
The clock reaches the designated time, or the monitored event occurs (account deleted, user logs in, file accessed). The bomb activates automatically β no human action required.
β
Payload Executes
Data deletion, MBR wipe, file encryption, SCADA circuit disable, or other destructive action. In a coordinated attack, simultaneous detonation occurs across all infected systems at once.
Logic Bomb Trigger Types
| Trigger Type | Trigger Mechanism | Real Example | Insider Use Case |
|---|---|---|---|
| Time Bomb | Specific date, specific time, or recurring schedule (e.g., "every Sunday at midnight") | South Korea 2013: detonated at 2:00 PM March 20; Ukraine 2016: detonated at 11:53 PM December 17 | Set to trigger after the insider has left the organization and cannot be immediately implicated |
| User-Event Logic Bomb | System event: account deletion, specific user login, file access, process start | Disgruntled employee sets bomb to trigger when their account is disabled β guaranteeing detonation upon termination | Acts as a "deadman switch" β termination is the trigger; damage begins the moment HR disables the account |
Why Rootkits Are Invisible β The Information Control Problem
Security Tool Queries the OS
Task Manager, antivirus scanner, or process monitor asks the operating system: "What processes are currently running?" and "What files exist in this directory?"
β
Rootkit Intercepts the Query
The rootkit is embedded in the kernel β the layer that handles these queries. It intercepts the request before the honest answer is assembled, removes its own entries from the result, and passes along the falsified answer.
β
Security Tool Receives Falsified Results
The security tool receives a process list and file list that is complete except for the rootkit's components. It has no way to know the answer was manipulated. It reports: nothing unusual found.
β
Rootkit Remains Hidden
Every monitoring tool that relies on the OS for information will miss the rootkit. The rootkit controls the information the OS provides. Detection requires bypassing the compromised OS β booting from a trusted external source.
Rootkit Detection and Removal Options
| Method | How It Works | Limitation |
|---|---|---|
| Behavioral anomaly analysis | Look for system behavior that seems inconsistent β high CPU/memory with no processes accounting for it; network connections to unknown IPs; system functions that behave strangely | Requires skilled analyst; indirect evidence only; not definitive |
| Boot from external trusted media | Boot the system from a forensic external drive, bypassing the potentially compromised OS. Examine the system's storage directly β the rootkit cannot intercept queries from an OS it is not running in. | Requires forensic tools and expertise; not automated |
| Rootkit-specific removal tools | Once a rootkit variant is identified and analyzed, security vendors build targeted removal tools that know exactly what the rootkit modified and how to reverse it. | Retrospective β only works for known, analyzed rootkits. Cannot remove a novel rootkit. |
| Secure Boot (UEFI) | UEFI BIOS verifies the digital signature of OS components before loading them. If a rootkit has modified the kernel, the signature check fails and the system refuses to boot the modified OS. | Prevention, not removal. Requires UEFI firmware (not legacy BIOS). Must be properly enabled and configured. |
Logic Bomb Prevention Controls
| Control | What It Does | Why It Matters for Logic Bombs |
|---|---|---|
| Formal change management | All system changes require documented requests, review, and approval before implementation | Eliminates the ability to silently plant a bomb β any change creates a record; unauthorized changes can be investigated |
| File integrity monitoring (FIM / Tripwire) | Maintains cryptographic hashes of critical files; alerts when any hash changes unexpectedly | Detects the act of planting β a modified scheduled task or script causes an alert before the trigger fires |
| HIDS | Host-based intrusion detection monitors system behavior for anomalous activity and policy violations | Catches behavioral indicators of bomb-planting activity β new scheduled tasks, unusual scripts, unauthorized process creation |
| Separation of duties | No single person can both make system changes and approve or review them | An insider cannot plant a bomb without a second person noticing; reduces the blast radius of a single compromised account |
| Least privilege | Users and admins are granted only the minimum access needed for their role | Limits who can plant a bomb β requires actual access to critical system areas; reduces the number of potential planters |
| Constant auditing | Regular review of scheduled tasks, scripts, configuration files, and administrator activity logs | May detect planted bombs during the dormant period; audits create accountability that deters planting |