Closing Case UBS PAINEWEBBER’S BUSINESS OPERATIONS DEBILITATED BY MALICIOUS CODE


Employee (Allegedly) Planned to Crash All Computer Networks
In June 2006, a former systems administrator at UBS PaineWebber, Roger Duronio, 63, was charged with building, planting, and setting off a software logic bomb designed to crash the network. His alleged motive was to get revenge for not being paid what he thought he was worth. He designed the logic bomb to delete all the files in the host server in the central data center and in every server in every U.S. branch office. Duronio was looking to make up for some of the cash he felt he had been denied. He wanted to take home $175,000 a year. He had a base salary of $125,000 and a potential annual bonus of $50,000, but the actual bonus was $35,000.
Duronio quit his job, went to a broker within hours, and bought stock options that would only pay out if the company’s stock plunged within 11 days. By setting a short expiration date of 11 days instead of a year, the gain from any payout would be much greater. He tried to ensure a stock price crash by crippling the company’s network to rock its financial stability. His “put” options expired worthless because, although the bank’s national network did go down, UBS stock did not.
Discovering the Attack
In a federal court, UBS PaineWebber’s IT manager Elvira Maria Rodriguez testified that on March 4, 2002, at 9:30 A.M. when the stock market opened for the day, she saw the words “cannot find” on her screen at the company’s Escalation Center in Weehawken, New Jersey. She hit the enter key to see the message again, but her screen was frozen. Rodriguez was in charge of maintaining the stability of the servers in the company’s branch offices.
When the company’s servers went down that day in March 2002, about 17,000 brokers across the country were unable to make trades; the incident affected nearly 400 branch offices. Files were deleted. Backups went down within minutes of being run. Rodriguez, who had to clean up after the logic bomb, said, “How on earth were we going to bring them all back up? How was this going to affect the company? If I had a scale of 1 to 10, this would be a 10-plus.”
The prosecutor, Assistant U.S. Attorney V. Grady O’Malley, told the jury: “It took hundreds of people, thousands of man hours and millions of dollars to correct.” The system was offline for more than a day, and UBS PaineWebber (renamed UBS Wealth Management USA in 2003) spent about $3.1 million in assessing and restoring the network. The company did not report how much was lost in business downtime and disruption.
Tracking Down the Hacker
A computer forensics expert testified that Duronio’s password and user account information were used to gain remote access to the areas where the malicious code was built inside the UBS network.
The U.S. Secret Service agent who had investigated the case found a hard copy of the logic bomb’s source code on the defendant’s bedroom dresser. A computer forensics investigator found electronic copies of the code on two of his four home computers.
Defense Blames UBS Security Holes
Chris Adams, Duronio’s defense attorney, offered another scenario. Adams claimed that the code was planted by someone else to be a nuisance or prank. Adams also said the UBS system had many security holes and backdoors that gave easy access to attackers. Adams told the jury:

UBS computer security had considerable holes. There are flaws in the system that compromise the ability to determine what is and isn’t true.

Does the ability to walk around in the system undetected and masquerade as someone else affect your ability to say what has happened?
He also claimed that UBS and @Stake, the first computer forensics company to work on the incident, withheld some information from the government and even destroyed some of the evidence. As for the stock options, Adams explained that they were neither risky bets nor part of a scheme, but rather a common investment practice.
Disaster Recovery Efforts
While trying to run a backup to get a main server up and functional, Rodriguez discovered that a line of code (MRM-r) was hanging up the system every time it ran. She renamed the command to hide it from the system and rebooted the server. This action stopped the server from deleting anything else. After testing to confirm the fix, backup tapes brought up the remaining 2,000 servers, and the line of code was deleted from each one. Restoring each server took from 30 minutes to 2 hours unless there was a complication. In those cases, restoration took up to 6 hours. UBS called in 200 IBM technicians to all the branch offices to expedite the recovery.
Many of the servers were down a day and a half, but some servers in remote locations were down for weeks. The incident impacted all the brokers who were denied access to critical applications because the servers were down.
Minimizing Residual Damages
UBS asked the judge to bar the public from Duronio’s trial to avoid “serious embarrassment” and “serious injury” to the bank and its clients, and to avoid possibly revealing sensitive information about the UBS network and operations. UBS argued that documents it had provided to the court could help a criminal hack into the bank’s computer systems to destroy critical business information or to uncover confidential client information.
Duronio faced federal charges, including mail fraud, securities fraud, and computer sabotage, which carry sentences of up to 30 years in jail, $1 million in fines, and restitution for recovery costs.
Sources: Compiled from Gaudin (2006) and Whitman (2006).

Class, the UBS PaineWebber Case is an example of what can happen when an employee (or someone who has inside access) decides to harm a business. Too many news stories contain similar situations; as such, we should be aware of the potential and prepare to prevent or mitigate adverse effects.

Questions
1. What “red flags” might have indicated that Duronio was a disgruntled employee? Would any of those red flags also indicate that he would sabotage the network for revenge?
2. How could this disaster have been prevented? What policies, procedures, or technology could have prevented such an attack by an employee with full network access?
3. Did UBS have a disaster recovery plan in place for an enterprise-wide network crash?
