Chapter 43 Β· Concepts

Other Malware Types β€” Concept Maps

How keyloggers bypass encryption, how logic bombs stay hidden until triggered, and why rootkits are invisible to the tools used to find them.

Three Malware Types β€” Side-by-Side

PropertyKeyloggerLogic BombRootkit
Primary Goal Capture keystrokes and user data; transmit to attacker Execute a destructive or disruptive payload when a trigger fires Maintain hidden privileged access to the system
Behavior Before Trigger/Discovery Active but silent β€” continuously capturing; no visible symptoms Completely dormant β€” no activity, no detectable behavior Active but invisible β€” intercepts OS queries to hide itself
Why AV Misses It May evade signatures; new variants appear constantly Custom code β€” no signature exists in any database Intercepts OS queries; AV sees falsified process/file lists
How It Arrives Bundled software, P2P downloads, malicious downloads Planted by an insider with system access Exploit, trojan, or physical access to the system
Primary Detection Tool Dedicated anti-malware (Malwarebytes), behavioral EDR File integrity monitoring (FIM/Tripwire), HIDS, change audit Secure Boot (prevention); rootkit-specific removal tools; forensic boot
Primary Defense Avoid risky installs; use MFA; run anti-malware Formal change management; separation of duties; auditing Enable Secure Boot; keep UEFI firmware updated

Why Keyloggers Bypass Encryption

⌨️
User Types a Password
Keystrokes are generated by physical key presses β€” raw input events at the OS level, before any application processes them
↓
πŸ•΅οΈ
Keylogger Intercepts Here
The keylogger captures keystrokes at this point β€” the input is plaintext. Nothing has processed it yet. This is the gap that no encryption covers.
↓
πŸ”’
Browser Processes Input
The password appears in the form field. The browser is about to encrypt it for transmission. But the keylogger already has it.
↓
🌐
HTTPS Transmits Encrypted Data
The browser sends the encrypted credential to the server. HTTPS protects this network transmission perfectly. The keylogger was never near this layer.
↓
πŸ“€
Keylogger Sends Data File to Attacker
Once or several times daily, the keylogger sends all collected keystrokes β€” including that password β€” to the attacker's server. In plaintext. Encryption never applied.

HTTPS protects the data in transit between browser and server. Full-disk encryption protects data at rest on the hard drive. Neither protection exists at the moment of keystroke capture. The keylogger lives in that gap.

Keylogger β€” What Gets Captured

Data TypeHow CapturedWhat Attacker Gains
Keystrokes Direct hook into OS input events; records every key press including corrections and modifiers Usernames, passwords, credit card numbers, written content, anything typed
Clipboard contents Monitors clipboard events (copy/paste operations) Passwords copied from password managers; copied sensitive text; avoids keyboard-only detection
Screenshots Periodic screen captures at configured intervals Visual record of activity: documents read, emails composed, pages visited, applications used
Instant messages / chat Monitors messaging application inputs and/or display content Private communications; business decisions; internal discussions
Search queries Captures text entered in browser search fields Research topics; personal health/legal/financial searches; intelligence about user interests and concerns

Logic Bomb Lifecycle

πŸ”“
Attacker Gains System Access
Often an insider with legitimate credentials and elevated permissions β€” a sysadmin, developer, or IT staff member. External attackers can also plant bombs after compromising a system.
↓
πŸ’Ύ
Logic Bomb Is Planted
Custom malicious code is embedded in a scheduled task, script, system file, or application. Trigger condition is set β€” a specific date/time or a system event.
↓
😴
Dormant Period β€” Undetectable by AV
The logic bomb does nothing. No unusual network traffic. No anomalous processes. No AV signature matches. If file integrity monitoring is absent, the bomb may sit undetected indefinitely.
↓
⏰
Trigger Condition Met
The clock reaches the designated time, or the monitored event occurs (account deleted, user logs in, file accessed). The bomb activates automatically β€” no human action required.
↓
πŸ’₯
Payload Executes
Data deletion, MBR wipe, file encryption, SCADA circuit disable, or other destructive action. In a coordinated attack, simultaneous detonation occurs across all infected systems at once.

Logic Bomb Trigger Types

Trigger TypeTrigger MechanismReal ExampleInsider Use Case
Time Bomb Specific date, specific time, or recurring schedule (e.g., "every Sunday at midnight") South Korea 2013: detonated at 2:00 PM March 20; Ukraine 2016: detonated at 11:53 PM December 17 Set to trigger after the insider has left the organization and cannot be immediately implicated
User-Event Logic Bomb System event: account deletion, specific user login, file access, process start Disgruntled employee sets bomb to trigger when their account is disabled β€” guaranteeing detonation upon termination Acts as a "deadman switch" β€” termination is the trigger; damage begins the moment HR disables the account

Why Rootkits Are Invisible β€” The Information Control Problem

πŸ”
Security Tool Queries the OS
Task Manager, antivirus scanner, or process monitor asks the operating system: "What processes are currently running?" and "What files exist in this directory?"
↓
🦠
Rootkit Intercepts the Query
The rootkit is embedded in the kernel β€” the layer that handles these queries. It intercepts the request before the honest answer is assembled, removes its own entries from the result, and passes along the falsified answer.
↓
πŸ“‹
Security Tool Receives Falsified Results
The security tool receives a process list and file list that is complete except for the rootkit's components. It has no way to know the answer was manipulated. It reports: nothing unusual found.
↓
βœ…
Rootkit Remains Hidden
Every monitoring tool that relies on the OS for information will miss the rootkit. The rootkit controls the information the OS provides. Detection requires bypassing the compromised OS β€” booting from a trusted external source.

Rootkit Detection and Removal Options

MethodHow It WorksLimitation
Behavioral anomaly analysis Look for system behavior that seems inconsistent β€” high CPU/memory with no processes accounting for it; network connections to unknown IPs; system functions that behave strangely Requires skilled analyst; indirect evidence only; not definitive
Boot from external trusted media Boot the system from a forensic external drive, bypassing the potentially compromised OS. Examine the system's storage directly β€” the rootkit cannot intercept queries from an OS it is not running in. Requires forensic tools and expertise; not automated
Rootkit-specific removal tools Once a rootkit variant is identified and analyzed, security vendors build targeted removal tools that know exactly what the rootkit modified and how to reverse it. Retrospective β€” only works for known, analyzed rootkits. Cannot remove a novel rootkit.
Secure Boot (UEFI) UEFI BIOS verifies the digital signature of OS components before loading them. If a rootkit has modified the kernel, the signature check fails and the system refuses to boot the modified OS. Prevention, not removal. Requires UEFI firmware (not legacy BIOS). Must be properly enabled and configured.

Logic Bomb Prevention Controls

ControlWhat It DoesWhy It Matters for Logic Bombs
Formal change management All system changes require documented requests, review, and approval before implementation Eliminates the ability to silently plant a bomb β€” any change creates a record; unauthorized changes can be investigated
File integrity monitoring (FIM / Tripwire) Maintains cryptographic hashes of critical files; alerts when any hash changes unexpectedly Detects the act of planting β€” a modified scheduled task or script causes an alert before the trigger fires
HIDS Host-based intrusion detection monitors system behavior for anomalous activity and policy violations Catches behavioral indicators of bomb-planting activity β€” new scheduled tasks, unusual scripts, unauthorized process creation
Separation of duties No single person can both make system changes and approve or review them An insider cannot plant a bomb without a second person noticing; reduces the blast radius of a single compromised account
Least privilege Users and admins are granted only the minimum access needed for their role Limits who can plant a bomb β€” requires actual access to critical system areas; reduces the number of potential planters
Constant auditing Regular review of scheduled tasks, scripts, configuration files, and administrator activity logs May detect planted bombs during the dormant period; audits create accountability that deters planting