
Time Bomb
Some attacks are only meant to run during a limited time window. To avoid detection, some malware contains a deadline date; once that date is reached, the malware no longer runs. A malware analyst then has to change the machine's clock to get the file to run. This technique can also defeat a sandbox if the deadline has already passed.
Code Snippets
#include <Windows.h>
#include <iostream>
#include <ctime>
#include <stdio.h>
using namespace std;
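// Day-of-week gate: reads the local system clock and takes one of two branches
// depending on whether today is Monday.
//
// NOTE(review): the original header comment read "Trigger the action only on
// Monday", but the branches below print "Wait!" on Monday and "Time of attack!"
// on every other day. The branch bodies are kept as written; confirm which
// behaviour the author intended.
//
// The parameters are the standard WinMain arguments and are not used here.
// Returns 0 normally, or 1 when the local time cannot be obtained.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    time_t rawtime;
    time(&rawtime);

    // localtime() may return a null pointer; the original passed the result
    // straight to strftime() without checking it.
    const struct tm* timeinfo = localtime(&rawtime);
    if (timeinfo == nullptr) {
        return 1;
    }

    // The weekday name is only used as the message-box text.
    char day_name[100];
    if (strftime(day_name, sizeof(day_name), "%A", timeinfo) == 0) {
        day_name[0] = '\0';
    }

    // The original tested `str == "Monday"` on two `const char*` values, which
    // compares addresses and never matches, so the Monday branch was unreachable.
    // tm_wday counts days since Sunday (Monday == 1) and does not depend on the
    // locale-specific text strftime() produces.
    const bool is_monday = (timeinfo->tm_wday == 1);

    if (is_monday) {
        std::cout << "Wait!" << std::endl;
    } else {
        std::cout << "Time of attack!" << std::endl;
    }

    // MessageBoxA is called explicitly: the buffer holds narrow characters, and
    // the original `(LPSTR)` cast would pass it to MessageBoxW unchanged in a
    // UNICODE build.
    MessageBoxA(nullptr, day_name, day_name, MB_OK);
    return 0;
}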
#include <ctime>
#include <iostream>
#include <string>
#include <sstream>
// Length of the delay, in days, counted from the build timestamp. main()
// converts it to seconds and compares it with the time elapsed since the build.
const double time_attack_in_days = 1.0;
using namespace std;
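// Converts the compiler-provided __DATE__ ("Mmm dd yyyy") and __TIME__
// ("hh:mm:ss") macros into a time_t, i.e. the moment this translation unit was
// compiled.
//
// Returns the build time as produced by mktime(). Terminates the process with
// exit(-1) when either macro cannot be parsed, as the original did for an
// unknown month name.
//
// NOTE(review): mktime() interprets the fields in the time zone of the machine
// running the program; presumably the macros reflect the build machine's local
// time, so the two can differ when the zones differ - confirm if that matters.
time_t time_when_compiled()
{
    static const char* const month_names[12] = {
        "Jan", "Feb", "Mar", "Apr", "May", "Jun",
        "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
    };

    // Date part: month abbreviation, day of month, four-digit year.
    std::istringstream iss_date(__DATE__);
    std::string str_month;
    int day = 0;
    int year = 0;
    if (!(iss_date >> str_month >> day >> year)) {
        exit(-1);  // the original read day/year without checking the stream
    }

    int month = 0;
    for (int i = 0; i < 12; ++i) {
        if (str_month == month_names[i]) {
            month = i + 1;
            break;
        }
    }
    if (month == 0) {
        exit(-1);
    }

    // Time part: the two ':' separators are consumed as single characters
    // instead of being rewritten to spaces first.
    std::istringstream iss_time(__TIME__);
    int hour = 0;
    int min = 0;
    int sec = 0;
    char sep1 = '\0';
    char sep2 = '\0';
    if (!(iss_time >> hour >> sep1 >> min >> sep2 >> sec) || sep1 != ':' || sep2 != ':') {
        exit(-1);
    }

    std::tm t = {};
    t.tm_mon = month - 1;      // tm_mon is zero-based
    t.tm_mday = day;
    t.tm_year = year - 1900;   // tm_year counts years since 1900
    t.tm_hour = hour;
    t.tm_min = min;
    t.tm_sec = sec;
    // -1 lets mktime() decide whether daylight saving time applies. The original
    // left the field at 0, which shifts the result by an hour whenever DST is in
    // effect at the build time.
    t.tm_isdst = -1;
    return mktime(&t);
}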
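// Compares the time elapsed since the build with the configured delay and
// reports which side of the threshold the current clock falls on.
//
// The decision depends only on the local system clock and on the timestamp
// baked into the binary at build time, so changing the machine's clock changes
// which branch is taken.
//
// Exits with status -1 once more than time_attack_in_days have passed since the
// build; otherwise prints the number of seconds left and returns 0.
int main()
{
    const time_t current_time = time(NULL);
    const time_t build_time = time_when_compiled();
    const double diff_time = difftime(current_time, build_time);
    const double time_to_wait = time_attack_in_days * 24.0 * 60.0 * 60.0;

    // Threshold check: has the configured delay elapsed since the build?
    if (diff_time > time_to_wait)
    {
        std::cout << "Time of attack!" << std::endl;
        exit(-1);
    }

    // The original printed time_to_wait here, i.e. the full configured delay,
    // although the message announces the time still left before the threshold.
    const double remaining = time_to_wait - diff_time;
    std::cout << "Time in second before running the attack: " << remaining << std::endl;
    return 0;
}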