Forensics Expert Traces Digital Trail To Defendant In UBS Sabotage
Planning for success, the perpetrator of the UBS attack installed the trigger mechanism of the logic bomb twice on every server it targeted when the attack brought down the company's network four years ago.
Newark, N.J. -- The author of the malicious code that crippled UBS PaineWebber's network four years ago wasn't taking any chances when it came to executing the attack, according to a forensic investigator testifying in the ongoing computer sabotage trial here Friday.
Keith Jones, the government's forensic expert and director of computer forensics and incident response at Mandiant, an information security company based in Alexandria, Va., took the stand for the second day Friday to plot out the digital trail he followed from the logic bomb that shut down UBS' ability to do business for several days to the former systems administrator accused of setting it off.
Jones testified that the author of the malicious code took steps to make sure the attack went off as planned: The trigger mechanism for the logic bomb had been installed twice on every server that it hit, increasing the odds that the attack would successfully take down the computers that brokers used for making trades.
Jones is the government's star witness in the ongoing trial of former UBS systems administrator Roger Duronio, who is charged with four federal criminal counts, including securities fraud and mail fraud, in connection with the March 4, 2002, detonation of a logic bomb that hit UBS' main server in its data center, along with about 2,000 servers spread across the company's 370 branch offices. "Once you have your hands on all these different logs, you can piece together how and when someone got inside the network," Jones told the jury. "When you put all the pieces of the puzzle together, you get the logic bomb."
And that's how Jones laid it out for the jury, saying he wanted them to follow the same path he took in his investigation. On Friday, he went through records from three different days when parts of the malicious code were either created or modified in the UBS system. He traced Duronio's alleged steps from his home computer through his remote connection into the specific Unix-based servers where the code components were installed.
Tracking the Code
To follow the forensic trail, Jones went through records from Duronio's Verizon DSL and dial-up accounts, UBS' VPN logs, WTMP logs (which record what time users log in and out), and SU (switch user) logs (which record when users switch from their normal login names to the root user). The code, Jones explained, could only be planted by a root user, which on a Unix system is a superuser with all-encompassing privileges.
"Components of the logic bomb were created, modified, distributed and installed on the UBS network, and that action was tied to the 'rduronio' user name and VPN accounts," said Jones. He added that investigators didn't always have every piece of the puzzle for every single day the code was created, but they had enough to create a clear picture of who built the bomb.
For instance, on Nov. 15, 2001, records show that a Verizon-owned IP address assigned to the Northeast region was used to access the UBS VPN gateway. Duronio used Verizon for both his DSL and dial-up accounts. Verizon, however, was unable to supply specific IP address records for every day, so on some days investigators found IP addresses directly linked to Duronio's home, and on other days they had only a range of IP addresses for a region.
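The kind of log correlation Jones describes above (a root switch in the SU log, the WTMP login that covers it, the VPN session that covers that, and finally the ISP's address records) can be sketched as a small script. This is an added illustration, not Jones's or Mandiant's tooling: the log formats, IP addresses, times and the second user are constructed, and the `rduronio` user name is taken from the article. It also handles the gap the article mentions, grading a source address as an exact home address, a regional range only, or no link at all.

```python
import ipaddress
from datetime import datetime
# Constructed sample records for 2001-11-15 (not from the case file or UBS logs).
VPN_LOG = ["2001-11-15 21:58:10 connect user=rduronio src=66.30.0.14",
           "2001-11-15 23:40:02 disconnect user=rduronio src=66.30.0.14"]
# wtmp is binary on the host; this is a last(1)-style rendering: user tty host login logout
WTMP_LOG = ["rduronio pts/3 vpn-pool-14 2001-11-15 22:01:33 2001-11-15 23:39:50"]
# Solaris sulog-style lines: SU date time +|- tty from-to  ('+' means the switch succeeded)
SU_LOG = ["SU 2001-11-15 22:14:07 + pts/3 rduronio-root",
          "SU 2001-11-15 22:15:11 - pts/5 jsmith-root"]
# ISP records: an exact home address for some days, only a regional block for others
HOME_IPS, REGIONAL_NETS = {ipaddress.ip_address("66.30.0.14")}, [ipaddress.ip_network("66.30.0.0/16")]

def ts(date, clock):
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")

def parse_vpn(lines):
    """Pair connect/disconnect lines into sessions: (user, src_ip, start, end)."""
    opened, sessions = {}, []
    for d, c, event, user, src in (l.split() for l in lines):
        key = (user[5:], src[4:])            # strip the 'user=' / 'src=' prefixes
        if event == "connect":
            opened[key] = ts(d, c)
        else:
            sessions.append((*key, opened.pop(key), ts(d, c)))
    return sessions

def parse_su_root(lines):
    """Successful switches to root only: (time, tty, originating user)."""
    return [(ts(d, c), tty, pair.rsplit("-", 1)[0]) for _, d, c, status, tty, pair
            in (l.split() for l in lines) if status == "+" and pair.endswith("-root")]

def grade_ip(src, home_ips, regional_nets):
    """How tightly the VPN source address ties back to the ISP's records."""
    ip = ipaddress.ip_address(src)
    if ip in home_ips:
        return "home_ip"
    return "regional_range_only" if any(ip in n for n in regional_nets) else "unrelated_ip"

def attribute_root_switches(su_lines, wtmp_lines, vpn_lines, home_ips, regional_nets):
    """Walk each root switch back through the covering wtmp login and VPN session."""
    wtmp = [(u, t, ts(d1, c1), ts(d2, c2))
            for u, t, _, d1, c1, d2, c2 in (l.split() for l in wtmp_lines)]
    vpn, results = parse_vpn(vpn_lines), []
    for when, tty, user in parse_su_root(su_lines):
        on_box = any(u == user and t == tty and a <= when <= b for u, t, a, b in wtmp)
        sess = next((s for s in vpn if s[0] == user and s[2] <= when <= s[3]), None) if on_box else None
        grade = grade_ip(sess[1], home_ips, regional_nets) if sess else "no_remote_session"
        results.append({"time": when.isoformat(sep=" "), "user": user, "tty": tty,
                        "src": sess[1] if sess else None, "grade": grade})
    return results
```

Running `attribute_root_switches(SU_LOG, WTMP_LOG, VPN_LOG, HOME_IPS, REGIONAL_NETS)` yields one attributed root switch graded `home_ip`; the failed `jsmith` switch is dropped, and removing the VPN records degrades the grade to `no_remote_session`.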