Time Bomb

Some attacks are designed to run only during a limited time window. To avoid detection, some malware contains a deadline date; once that date is reached, the malware no longer runs. A malware analyst then has to change the machine's clock to get the file to execute. This technique can also defeat a sandbox if the deadline has already passed by the time the sample is analyzed.

Code Snippets

Thomas Roccia

Description

This code snippet triggers its action once more than one day has elapsed since compile time.

#include <cstdlib>
#include <ctime>
#include <iostream>
#include <sstream>
#include <string>

// Length of the gate window, in days, measured from the build timestamp.
// main() converts this value to seconds before comparing it with the elapsed time.
static const double time_attack_in_days = 1.0;

using namespace std;

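/// Converts the compiler-provided __DATE__ / __TIME__ literals into a time_t.
///
/// __DATE__ expands to "Mmm dd yyyy" and __TIME__ to "hh:mm:ss" when this
/// translation unit is compiled. Both are interpreted as local time by mktime().
///
/// Analysis note: both macros expand to string literals, so the build date and
/// time are typically present as readable text in the compiled binary. A date
/// string sitting next to time()/difftime() calls is a useful indicator of a
/// clock-based gate.
///
/// @return The build timestamp as returned by mktime() (-1 if it cannot be
///         represented). Terminates the process with exit(-1) when the date or
///         time literal cannot be parsed.
time_t time_when_compiled()
{
    static const char* const month_names[12] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
    };

    // Parse "Mmm dd yyyy"; the day may be space-padded, which >> skips.
    std::istringstream iss_date(__DATE__);
    std::string str_month;
    int day = 0;
    int year = 0;
    if (!(iss_date >> str_month >> day >> year))
    {
        std::exit(-1);
    }

    // Map the month abbreviation to 1..12; 0 means "not found".
    int month = 0;
    for (int i = 0; i < 12; ++i)
    {
        if (str_month == month_names[i])
        {
            month = i + 1;
            break;
        }
    }
    if (month == 0)
    {
        std::exit(-1);
    }

    // Parse "hh:mm:ss", consuming the two ':' separators explicitly.
    std::istringstream iss_time(__TIME__);
    int hour = 0;
    int min = 0;
    int sec = 0;
    char sep1 = 0;
    char sep2 = 0;
    if (!(iss_time >> hour >> sep1 >> min >> sep2 >> sec))
    {
        std::exit(-1);
    }

    std::tm t = std::tm();
    t.tm_mon = month - 1;
    t.tm_mday = day;
    t.tm_year = year - 1900;
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;
    // Let mktime() decide whether daylight saving time applies. A hard-coded 0
    // shifts the result by an hour for builds made while DST is in effect.
    t.tm_isdst = -1;

    return std::mktime(&t);
}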

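/// Demonstrates a gate that compares the system clock with the build timestamp.
///
/// Prints "Time of attack!" and exits with -1 once more than
/// time_attack_in_days have elapsed since compilation. Otherwise it prints the
/// number of seconds still remaining in the window and exits with 0.
///
/// Analysis note: the branch taken depends only on the machine's clock, so a
/// single sandbox run observes just one of the two paths. Comparing runs under
/// different clock settings exposes the gate.
int main()
{
    const time_t current_time = time(NULL);
    const time_t build_time = time_when_compiled();

    // Seconds elapsed since the build, and the window length in seconds.
    const double diff_time = difftime(current_time, build_time);
    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;

    // The gate: taken only after the window has fully elapsed.
    if (diff_time > time_to_wait)
    {
        std::cout << "Time of attack!" << std::endl;
        return -1;
    }

    // Report what is actually left of the window, not its total length.
    std::cout << "Time in second before running the attack: "
              << (time_to_wait - diff_time) << std::endl;

    return 0;
}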
Thomas Roccia

Description

Trigger the action on Monday.

#include <Windows.h>
#include <iostream>
#include <ctime>
#include <stdio.h>

using namespace std;

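// Day-of-week gate: selects a branch depending on whether the local day is Monday.
//
// NOTE(review): the page describes Monday as the trigger day, but the branches
// below print "Wait!" on Monday and "Time of attack!" on every other day. The
// branch contents are kept as written; confirm which was intended.
//
// Analysis note: the decision depends only on the local clock, so a sample like
// this behaves differently depending on the day it is run. Look for
// time()/localtime()/strftime() feeding a comparison when triaging.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    time_t rawtime;
    time(&rawtime);

    // localtime() returns NULL when the timestamp cannot be converted.
    const struct tm * timeinfo = localtime(&rawtime);
    if (timeinfo == NULL)
    {
        return 1;
    }

    // The weekday name is used only as the message-box text. The buffer stays
    // an empty string if strftime() fails.
    char buffer[100] = "";
    strftime(buffer, sizeof(buffer), "%A", timeinfo);

    // tm_wday counts days since Sunday, so 1 is Monday. The original compared a
    // char pointer with a string literal, which compares addresses rather than
    // text. Comparing the "%A" output would also depend on the active locale.
    const bool is_monday = (timeinfo->tm_wday == 1);

    if (is_monday)
    {
        std::cout << "Wait!" << std::endl;
        // MessageBoxA takes const char*, so no cast that drops const is needed.
        MessageBoxA(NULL, buffer, buffer, MB_OK);
    }
    else
    {
        std::cout << "Time of attack!" << std::endl;
        MessageBoxA(NULL, buffer, buffer, MB_OK);
    }
    return 0;
}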

Additional Resources
