
Forensics Expert Traces Digital Trail To Defendant In UBS Sabotage

Planning for success, the perpetrator of the UBS attack installed the logic bomb's trigger mechanism twice on every server it targeted when the program brought down the company's network four years ago.
On Nov. 15, though, Jones said the remote connection came through the UBS gateway using Duronio's user name and password. From there, the user logged onto a server that Duronio had been assigned responsibility for. Records also show that the user switched over to root and worked on the system on which code components were created that day. All of this happened during the timeframe in which the records show the code was created or modified.

"These are the logs that prove that what I said was true," Jones told the jury. "Even though I didn't have the Verizon session logs for that particular date, I had others. We still have enough information out of the VPN log to know a person using Verizon came in, and the user name [was assigned to Duronio]."
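As an added illustration (not part of the article, and not the investigation's actual tooling), the kind of cross-source correlation Jones describes can be expressed as a small timeline join: VPN gateway logins, su-to-root records on the server, and the modification times of recovered code components are combined to attribute each file change to a user. Every log line, host, user name, path and timestamp below is constructed for the example; only the two trigger file names come from the article.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed evidence sources (invented users, hosts, times and paths).
VPN_LOG = [  # (timestamp, event, user) as recorded by the VPN gateway
    ("2001-11-15 21:02:10", "vpn-login", "jdoe"),
    ("2001-11-15 22:48:33", "vpn-login", "asmith"),
    ("2001-11-15 23:10:00", "vpn-logout", "asmith"),
    ("2001-11-15 23:30:01", "vpn-logout", "jdoe"),
]
SU_LOG = [  # (timestamp, host, user, target account) from the server's su log
    ("2001-11-15 21:09:44", "srv-ny-01", "jdoe", "root"),
    ("2001-11-15 22:55:12", "srv-ny-01", "asmith", "root"),
]
FILE_MTIMES = [  # (host, path, mtime) of recovered files; paths are constructed
    ("srv-ny-01", "/opt/bin/rpc.logd", "2001-11-15 21:14:02"),
    ("srv-ny-01", "/opt/bin/syschg", "2001-11-15 21:20:57"),
    ("srv-ny-01", "/var/tmp/notes.txt", "2001-11-16 03:10:00"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def vpn_sessions(vpn_log):
    """Pair each vpn-login with the next vpn-logout for the same user.
    A login with no matching logout has an unknown end and is left out."""
    sessions, open_logins = {}, {}
    for ts, event, user in sorted(vpn_log):  # ISO timestamps sort as strings
        if event == "vpn-login":
            open_logins[user] = parse(ts)
        elif event == "vpn-logout" and user in open_logins:
            sessions.setdefault(user, []).append((open_logins.pop(user), parse(ts)))
    return sessions

def attribute_file_changes(vpn_log, su_log, mtimes):
    """For each file modification, find the most recent root escalation on that
    host by a user whose VPN session covers both the escalation and the change."""
    sessions = vpn_sessions(vpn_log)
    findings = []
    for host, path, ts in mtimes:
        t = parse(ts)
        cands = [(parse(s_ts), user) for s_ts, s_host, user, target in su_log
                 if s_host == host and target == "root" and parse(s_ts) <= t]
        hit = {"file": path, "host": host, "user": None}
        for s_time, user in sorted(cands, reverse=True):  # latest su first
            if any(login <= s_time and t <= logout for login, logout in sessions.get(user, [])):
                hit = {"file": path, "host": host, "user": user,
                       "su_at": s_time.strftime(FMT)}
                break
        findings.append(hit)
    return findings
```

A change that falls outside every VPN session (the third file above) is deliberately left unattributed rather than assigned to the nearest login.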

Building the Code

Jones traced the same kind of trail map for two other days in November, but he also talked about the code that he found on UBS servers in the main data center, as well as in branch servers across the country.

U.S. Secret Service agents and forensics investigators found the trigger component of the malicious code on two of Duronio's home computers, as well as on a hard-copy printout left on his bedroom dresser. And Jones said he found all of the code, including that identical trigger, on the main host server at UBS, as well as on a sampling of the downed branch servers.

The logic bomb consisted of the trigger, which is the timer that tells the logic bomb when to go off; the payload, which is the actual destructive code that tells the server to delete all the files; a distribution mechanism, which automatically pushes the program out to the branch servers; and a persistence mechanism, which keeps the logic bomb running even if there's a reboot or power outage that knocks the server offline.

Jones, trying to explain the program to the jury, said to think of a Looney Tunes cartoon where there's an alarm clock attached to a bundle of dynamite. The alarm clock is the trigger, he told the laughing jury, while the dynamite and resulting explosion make up the payload.

He also noted that he found six different versions of the trigger code, some in source code and others in binary form. Three of the versions were consistent with the trigger that was used in the March 4, 2002 attack. The other three either had different execution dates or, instead of triggering something destructive, simply made a message pop up on a user's screen.

"This was probably for testing purposes," Jones said. "When you develop a program, you want to set it up for a particular time and see if it goes off. Once the trigger was created, it was honed down to do exactly what the creator wanted it to do."

The third version of the trigger was the one actually used in the attack, and it was the same one found in Duronio's home and on his home computers, Jones testified.

The investigator also said he found two versions of the trigger on each server that was hit. One trigger was named rpc.logd and the other was named syschg, but both had the same function. "They were both installed to really make sure the logic bomb carried out its function," Jones said. "That person really wanted this to run. If the rpc.logd was caught, the syschg would still run. ... This logic bomb was going to run on March 4, 2002."

The defense will get its chance to cross-examine Jones tomorrow or Wednesday, when the trial resumes.