The logic bomb had a "catastrophic impact," bringing operations to a standstill and wiping out servers around the country, according to testimony from an IT manager for the company.

Sharon Gaudin, Contributor

June 7, 2006

7 Min Read

Newark, N.J. -- The network at UBS PaineWebber is still suffering damage four years after a logic bomb attack, said an IT manager for the company in testimony Wednesday in a trial against the accused attacker.

While trading resumed in the days following the March 4, 2002, attack, some of the information on the approximately 2,000 Unix-based servers in the home office and 370 branch offices that were hit by the malicious code was never fully restored, according to Elvira Maria Rodriguez, the then-IT manager in charge of maintaining the stability of the company servers.

"I don't believe we were ever back to that point," said Rodriguez, who was the first witness called in the federal criminal trial against Roger Duronio, 63, a former systems administrator at UBS PaineWebber. "We were always having issues with these large-scale servers [after the attack]. We never had the luxury to focus on completely going over all the servers. We just didn't have the time."

She said it would have taken her a year to make all the servers right again, even if that was all she had to do every day. "We just had to learn to live with it," she said.

Rodriguez said the attack had a "catastrophic impact," bringing operations to a standstill and wiping out servers not just in the central data center, but around the country.

Duronio faces four counts, including computer sabotage, securities fraud, and mail fraud, in connection with the incident, which left about 8,000 of the company's brokers without the ability to trade for a day or more, and 9,000 other workers without the ability to access their desktops. It also leveled servers in the company's home office in Weehawken, N.J., and in nearly every branch office around the country.

The trial was in its second day in U.S. District Court on Wednesday.

Chris Adams, Duronio's defense attorney and a partner at Walder, Hayden & Brogan in Roseland, N.J., says his client isn't to blame for what he called the "unsophisticated and sophomoric" code that, he added, was most likely planted as a prank. Adams says the company network was riddled with security holes that allowed people to "walk around in the system undetected and masquerade as someone else."

The Plot

In his opening statement Tuesday, Assistant U.S. Attorney V. Grady O'Malley laid out the government's case against Duronio, whose own lawyer describe him as an experienced computer programmer. O'Malley told jurors Duronio sought revenge against his employer by building and disseminating the logic bomb, which was designed to delete all the files in the host server in the central data center and in every server in every U.S. branch office. Duronio was allegedly also looking to make up for some of the money he felt he'd been denied.

The government contends Duronio wanted to take home $175,000 a year. He had a base salary of $125,000 and stood to get a maximum annual bonus of $50,000. But the bonus came in $18,000 shy of his expectations.

When he didn't receive the full bonus, he went to his supervisor to make his case for more money. When that move was rejected, O'Malley says Duronio quit his job, leaving the malicious code in place to wreak havoc on the preplanned date and time.

But Duronio didn't end his plan there, according to prosecutors. He wanted revenge, but he also wanted to make some money off his endeavor. Duronio left UBS for the last time and went to a broker's office, where he spent the money he got from cashing out his and his wife's $20,000 IRA on several "put" options. This is a type of investment that only pays out if the company's stock drops in value.

Duronio, according to O'Malley, raised the stakes on this bet by putting a short time frame on it--he risked everything on UBS's stock taking a dive within 11 days.

Despite the damage, UBS's stock didn't drop, and Duronio's investments didn't pay off.

Sleepless In Weehawken

In the second day of her testimony, which lasted a total of five hours, Rodriguez told jurors that she spent a full night on a conference call with a slew of the 200 IBM tech workers who were called in to help restore the branch servers. She and her team of 13 IT professionals worked full-time on the incident until June 2 of that year.

Part of the problem, she said, was that about 20% of the downed servers didn't have backup tapes. That multiplied the trouble they had bringing the machines back to life and at times made it impossible to restore all the information that had been wiped out when the logic bomb was triggered at 9:30 that morning--just as trading started on the stock market.

"There were a lot of problems," said Rodriguez. "Some branches didn't have backup. There were no tapes to go to. We continued to encounter problems for the next year at least."

Rajeev Khanna, manager for UBS's Unix Systems Group at the time of the attack, also didn't get any sleep that night or for the next two nights. Khanna, who oversaw the recovery process, testified Wednesday that 400 to 500 UBS workers--application developers, project managers, systems administrators, and database administrators--were pulled off their normal jobs to work on the restoration.

"The most important thing was for users to be able to log in to their desktops," he said. "They couldn't log in. They couldn't do the work they do on a daily basis, in terms of pulling data on their clients, making trades, and checking market data."

UBS hasn't reported how much money was lost in business because of the server and broker downtime.

To avoid a repeat of the incident, Rodriguez said, for the next two or three years she prepared to fend off a similar attack before every March 4. She took critical servers offline, so if there was any malicious code still lurking on the network, at least those servers wouldn't be affected. "We had to make sure there was no more business impact," she said.

Security Problems

On his cross-examination of Rodriguez, Adams read down through a help desk log from the day the malicious code was triggered. While the logic bomb went off at 9:30 that morning, the log showed there were reports of much smaller incidents before that. For instance, a Sybase server was having trouble at 7:14 that morning. A user was having trouble logging in to a branch server at 7:39. And there was more trouble with the Sybase server at 8:19 a.m.

Rodriguez called the problems "routine support."

Later in his testimony, Khanna said he was generally only notified of a problem if the systems administrators were unable to handle it on their own. And he added that before 9:30 on March 4, 2002, he hadn't received calls about any trouble on the network or with the servers.

But Adams pressed Rodriguez about the company's computer security.

The defense attorney noted that in a January 2002 group internal audit report on the UBS PaineWebber IT department, it said there were issues with the company's Unix and Sybase security, specifically involving passwords.

And during Rodriguez's testimony, she said that immediately after the attack began, she stepped out of the office and used the open "root" access on another systems administrator's computer to monitor what was happening on the network.

When asked if it was company policy for an administrator to walk away and leave root access up on a computer, she said it wasn't policy, but she wasn't surprised it happened.

"I found an open session, so obviously that time [the policy] was not followed," she said, adding that she "would not be surprised" if it happened on another occasion.

And Adams asserted that a March 2000 review of the UBS virtual private network showed that another session could open under a username and password that was already in use. Rodriguez said she wasn't sure if that could be done at the time, but it can't be done now.

Testimony continues Thursday morning.

About the Author(s)

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights