[personal profile] randomness
From http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=212903521:
Fannie Mae Contractor Indicted For Logic Bomb

It was mere chance that a senior Unix engineer with Fannie Mae discovered a logic bomb.

The logic bomb, a malicious script designed to wipe Fannie Mae's 4,000 servers, was allegedly placed by Rajendrasinh Makwana, an IT contractor who worked in Fannie Mae's Urbana, Md., facility. It was set to execute on Jan. 31. Had it done so, Fannie Mae engineers expect it would have caused millions of dollars in damage and possibly shut down the government-sponsored mortgage lender for a week.

"On October 24, 2008, at 2:53 pm, a successful SSH (secure shell) login from IP address 172.17.38.29, with user ID s9urbm, assigned to Makwana, gained root access to dsysadmin01, the development server," the affidavit states. "... IP address 172.17.38.29 was last assigned to the computer named rs12h-Lap22, which was [a Fannie Mae] laptop assigned to Makwana. ... The laptop and Unix workstation where Makwana was able to gain root access and create the malicious script were located in his cubicle."

The Register reports:
Rajendrasinh Babubahai Makwana, 35, of Virginia, concealed the Unix script on Fannie Mae's main administrative server on October 24, the same day the Unix engineer was terminated, according to court documents made public Tuesday. His script was programmed to remain dormant for three months, when it would greet administrators with a login message that read "Server Graveyard" and systematically replace all data with zeros on every production, administrative, and backup server in the company.

The allegations also lay out a cautionary tale about the risk of lax security practices at highly sensitive enterprises. Despite his dismissal on October 24, Makwana's highly privileged computer access wasn't terminated until late into the evening because of bureaucratic procedures in Fannie's procurement department, according to court documents.

Shortly after Makwana was informed he was being fired, he logged in to Fannie's main development server and embedded a series of malicious scripts inside a legitimate program. To conceal the malicious payload, he created a page worth of blank lines between the legitimate code and the malicious code.

"When the program ascertained it was January 31, 2009, it would copy the rest of the files from the '.soti' file from the dsysadm01 server and run the .y.sh script," an FBI special agent wrote in a sworn statement that referred to Fannie as ABC to protect its identity. "The .y.sh script would place a blocker on the monitoring system disabling any ABC engineers from receiving a monitoring alert for any problems on any machines in the entire ABC environment for 61 minutes."

Makwana's script would then disable logins to Fannie's administrative and backup production servers; remove the root password appliance access; rewrite all data, including backup software, with zeros; and target any "high availability" software. It would then replicate itself to each of Fannie's 4,000 servers.

For thoroughness, the script would then execute all over again on a separate administrative server in case some of the company's servers couldn't be reached from the first one.

Like so many other saboteurs, though, Makwana also appeared to make careless mistakes. He allegedly planted his malicious script via a secure shell login from his Fannie-issued laptop using an IP address Fannie had assigned to him.

Shortly before planting the script, Makwana - a native of India who was employed by an unknown IT outsourcing firm - also emailed relatives in that country using a Fannie address and told them not to return to the US.
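As an added illustration of the concealment pattern the articles describe (this is example code written for this page, not anything from the complaint or from Fannie Mae), a small Python review helper that flags two of the signals a reviewer of privileged scripts could look for: a long run of blank lines followed by more code, and a `date` call compared against a literal. The sample script and the `/tmp/.y.sh` path in it are constructed for the demonstration.

```python
import re

# Constructed sample, not the script from the complaint: a routine
# log-rotation script padded with 60 blank lines, after which a
# date-gated tail calls a hidden helper (hypothetical path).
SAMPLE_SCRIPT = (
    "#!/bin/sh\n"
    "# rotate logs older than a week\n"
    "find /var/log -name '*.log' -mtime +7 -exec gzip {} \\;\n"
    + "\n" * 60 +
    'if [ "$(date +%m%d)" = "0131" ]; then\n'
    "    /tmp/.y.sh\n"
    "fi\n"
)

# A `date` call on the same line as a comparison operator is a crude
# signal of a calendar-triggered branch. Tune for your shell dialect.
DATE_GATE = re.compile(r"\bdate\b.*?(?:==|-eq|\s=\s)")


def find_blank_padding(lines, min_run):
    """Return (first_blank_line, run_length, next_code_line) for every run
    of at least `min_run` blank lines that is followed by more code.
    Trailing blank lines at end of file are ignored: they hide nothing."""
    runs, start = [], None
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            start = start if start is not None else lineno
            continue
        if start is not None and lineno - start >= min_run:
            runs.append((start, lineno - start, lineno))
        start = None
    return runs


def scan_script(text, min_run=40):
    """Heuristic review of one script: blank-line padding and date gates.
    Line numbers are 1-based so they can be quoted straight into a ticket."""
    lines = text.splitlines()
    return {
        "padding": find_blank_padding(lines, min_run),
        "date_gates": [n for n, ln in enumerate(lines, 1) if DATE_GATE.search(ln)],
    }


if __name__ == "__main__":
    print(scan_script(SAMPLE_SCRIPT))
    # {'padding': [(4, 60, 64)], 'date_gates': [64]}
```

Run over every script that root or the monitoring account executes, the padding check alone would have pointed straight at the region the affidavit describes; the date-gate check is noisy on its own and is best used to prioritise manual review.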

Tyler Durden comments:
Apparently 35-year-old Rajendrasinh Makwana decided that the best way to deal with the ongoing depression is to give everyone a fresh start and delete the mortgage files for a large number of U.S. residents. He was going to distribute a computer virus in the Fannie computer network that would destroy all of Fannie's data.

Fannie and Freddie together own about $6 trillion of mortgages. Come to think of it, this may very well be a brilliant idea.

Obviously, FNM has backups.

Edit: ZDnet has linked to the complaint filed by the FBI at http://i.zdnet.com/blogs/fmncomplaint.pdf. There's a bit more detail there, including that Makwana had been contracted out from the software development company Omnitech.

(no subject)

Date: 2009-01-31 01:48 am (UTC)
From: [identity profile] rmd.livejournal.com
This is way *way* cooler than the tabletop computer security response scenario I did just today.

Kudos to the folks who caught it. Man. I assume the company is not sucking up to them nearly as much as they should after their discovery.

(no subject)

Date: 2009-01-31 02:47 am (UTC)
From: [identity profile] r-ness.livejournal.com
Probably not. The complaint says the "senior Unix engineer" found the script "only by chance".

(no subject)

Date: 2009-01-31 04:52 am (UTC)
From: [identity profile] holmes-iv.livejournal.com
Considering he found it on day 89 of 90, I'm guessing that the description is more or less accurate. Kudos for tracking it down speedily when he did find it, of course, but they also seem to have gotten a bit lucky. (I do have a guess what's going to come up in Tuesday's Network Security lecture, though...)

(no subject)

Date: 2009-01-31 05:14 am (UTC)
From: [identity profile] r-ness.livejournal.com
Huh. Complaint says the script was found October 29, 2008.

(See 17. under V. Probable Cause.)

(no subject)

Date: 2009-01-31 05:23 am (UTC)
From: [identity profile] holmes-iv.livejournal.com
So it does—I was just coming back to note that. I was inferring from the story that the discovery was recent, which was silly of me (of course there was a time lag while they got the FBI onto things and before they released the news). So, heightened props to SK, whoever he is—"just by chance" seems much less likely to be literally true, in that case.

(no subject)

Date: 2009-01-31 01:51 am (UTC)
From: [identity profile] n5red.livejournal.com
Wow, maybe it would stop the millions of dollars in damages that are happening because FNMA kicked the occupants (who might not even be the owners) out of their homes and then let the pipes freeze.

(no subject)

Date: 2009-01-31 02:31 am (UTC)
From: [identity profile] browngirl.livejournal.com
I admit to kind of being a bit impressed with Mr. Makwana. And wayyy more impressed with the engineer who caught him.

(no subject)

Date: 2009-01-31 02:31 am (UTC)
From: [identity profile] marmota.livejournal.com
Again I find myself as ever thankful that Evil is usually also Dumb.

(no subject)

Date: 2009-01-31 05:06 am (UTC)
From: [identity profile] holmes-iv.livejournal.com
Pretty sure it has, yeah. Laid-off sysadmins are baaaad mojo.

(no subject)

Date: 2009-01-31 04:49 am (UTC)
From: [identity profile] hammercock.livejournal.com
Well, I know someone who's going to have a tough time finding work in his field again. :-}

(no subject)

Date: 2009-01-31 08:56 pm (UTC)
From: [identity profile] whitebird.livejournal.com
That was fascinating. Thanks for pointing it out, I'd not heard anything of it previously.
