Keylogger
Malware that records every keystroke typed on a device and periodically transmits the collected data to an attacker. Keyloggers capture credentials, financial information, and any other content the user types β at the moment of typing, before any encryption is applied. This is the defining reason keyloggers bypass HTTPS and full-disk encryption: both protections apply after the keystroke; the keylogger captures it before.
Clipboard Logging
A keylogger capability that monitors and records the contents of the system clipboard β text, passwords, or other data that the user copies (Ctrl+C) and pastes. Clipboard logging captures credentials that are copied from a password manager rather than typed directly, bypassing keyboard-only capture. An advanced keylogger may capture passwords the user never physically typed.
Screen Logging (Screenshot Capture)
A keylogger capability that takes periodic screenshots of the user's display and stores or transmits them. Provides the attacker with a visual timeline of user activity β documents read, emails composed, web pages visited, applications used β independent of what was typed. Combined with keystroke capture, screen logging creates a comprehensive record of a user's session.
DarkComet RAT
A Remote Access Trojan (RAT) that includes a full keylogging module alongside remote system access, screenshot capture, clipboard monitoring, and file management. Used as a demonstration tool to show how keyloggers capture detailed input β including which keys were pressed, in what order, including corrections and deletions. DarkComet captures the complete typing sequence, not just final output, giving attackers exact credential details with timing information.
Logic Bomb
Malicious code embedded in a system that remains completely dormant until a specific trigger condition is met, at which point it executes its payload. Logic bombs produce no anomalous behavior before triggering, making them nearly impossible to detect with traditional AV tools (which rely on signatures from known malware). Typically custom-written for a specific target, meaning no signature exists in any database. Often planted by insiders with system access.
Time Bomb
A logic bomb variant triggered by a specific date, time, or recurring schedule. The payload executes automatically when the clock reaches the designated moment β no human action required at detonation. The South Korea 2013 attack used a time bomb that detonated at exactly 2:00 PM on March 20, 2013, simultaneously across thousands of infected systems. Time bombs allow an attacker to be physically absent and unassociated when the damage occurs.
User-Event Logic Bomb
A logic bomb variant triggered by a specific system event rather than a time. Common triggers: a specific user account being deleted or disabled (an insider's "deadman switch"), a particular file being accessed, a user logging in, or a process starting. Harder to trigger accidentally than a time bomb, but can be designed to fire precisely when the attacker knows a specific event will occur (e.g., their own account being disabled during termination).
SCADA (Supervisory Control and Data Acquisition)
Industrial control system technology used to monitor and control physical processes in critical infrastructure β power grids, water treatment plants, natural gas pipelines, manufacturing facilities. SCADA systems bridge digital control with physical-world actuators (circuit breakers, pumps, valves). The Ukraine 2016 attack targeted SCADA systems to disable power grid circuits. Attacks on SCADA can cause real physical consequences beyond data loss.
File Integrity Monitoring (FIM)
A security control that maintains cryptographic hash values of critical system files and alerts administrators when any file is modified in an unauthorized or unexpected way. Tripwire is a well-known FIM tool. FIM is one of the primary defenses against logic bombs β if an insider plants malicious code in a scheduled task or critical system file, the FIM alert fires before the bomb detonates. FIM detects change; it does not prevent it, but early detection enables response.
Tripwire
A specific file integrity monitoring (FIM) tool, and the prototype of the category. Tripwire monitors designated files and directories, hashing their contents and alerting when any change occurs. Named because, like a physical tripwire, it detects intrusion by detecting the act of change. In the context of logic bomb prevention, Tripwire-class tools provide the early warning that something was modified β potentially a bomb being planted β before the trigger condition is reached.
Formal Change Management
An organizational process requiring that all modifications to systems, configurations, or code be formally requested, documented, reviewed, and approved before implementation. A primary defense against insider-planted logic bombs: if no system change can be made without a documented change request, an insider cannot quietly plant a bomb without leaving a record. Change management creates accountability and a paper trail that both deters and detects unauthorized modifications.
Separation of Duties
A security principle requiring that critical tasks be divided among multiple people so that no single individual can complete a harmful action alone. In the context of logic bombs: an administrator who can make system changes should not also be the only person who reviews and approves those changes. Separation of duties means that planting a logic bomb requires compromising multiple independent roles, not just one privileged account.
Rootkit
Malware designed to conceal itself within the operating system while maintaining privileged access. The most dangerous rootkits embed themselves in the OS kernel β the core of the operating system β allowing them to intercept and falsify the responses that system monitoring tools receive when they query what processes and files are present. A kernel rootkit is effectively invisible to Task Manager, process monitors, and traditional antivirus because those tools rely on the OS for information β and the rootkit controls the OS.
Kernel
The core component of an operating system that manages hardware resources, memory, and process execution. The kernel sits between applications and hardware β every application request for CPU time, memory, file access, or network communication goes through the kernel. A rootkit that embeds in the kernel operates at the deepest level of software privilege, able to intercept and modify any information the kernel provides to other software, including security tools.
Secure Boot
A UEFI BIOS feature that verifies the cryptographic digital signatures of OS components during the boot process before they are loaded. If any component's signature does not match a trusted key β indicating the component has been modified β Secure Boot halts the boot process and prevents the modified code from running. The primary hardware-level defense against rootkits: a rootkit that has modified the OS kernel will fail Secure Boot's signature check and never execute. Requires UEFI firmware (not legacy BIOS).
HIDS (Host-Based Intrusion Detection System)
Security software installed on individual endpoints (hosts) that monitors local system activity for signs of compromise or unauthorized change. HIDS watches for anomalous process activity, unexpected file modifications, unusual registry changes, and policy violations. In logic bomb defense, HIDS provides behavioral monitoring that can detect the anomalous activity of a planted bomb β or the planting itself β even when AV signatures do not exist.