Contract IT worker goes to court over attempted logic bomb attack on US financial giant.
A former IT contract worker at the giant US mortgage bank known as Fannie Mae* was indicted last week for having planted, on the day he was fired last October, a logic bomb that would have trashed all 4,000 of its production servers tomorrow if it hadn't been found.
Rajendrasinh Babubhai Makwana, an Indian national in the country on a work visa and employed by a contracting firm at the Fannie Mae data centre in Urbana, Maryland as a computer engineer, was terminated on October 24 for having made unauthorised system changes, according to a sworn complaint and attached affidavit by FBI agent Jessica Nye.
Makwana was a member of the Fannie Mae computer centre operations staff. On October 10 or 11, Makwana had put into production a script without proper authorisation from his supervisor. For that transgression, his permission to turn over scripts into production was withdrawn, but the passwords which gave him the actual capability to do so were not changed.
That was the company's first mistake, not changing the production server passwords to lock him out of the systems that he no longer had permission to administer. However, we imagine that his superiors still trusted him, sort of, while they mulled over whether or not to fire him, so they didn't immediately change the production control systems' root passwords.
Makwana was told he was being terminated early in the afternoon of October 24, but he was permitted to remain at his desk until the end of the day, and his computer access was not immediately terminated.
That was their second mistake, not immediately removing him from the operations area. During the next three hours he sent an email to his contract employers to advise them of his termination. And he had time to plant several malicious scripts in Fannie Mae's server complex, according to agent Nye's affidavit.
Five days later, a senior Unix engineer happened to discover one of Makwana's malicious scripts, which was appended to an operations script that runs every morning at 9:00 am to verify that two SAN paths are operational. Upon locking down all production servers and investigating, the operations staff soon discovered four additional malicious scripts.
The first script was coded to remain dormant until January 31, 2009. When triggered, it was crafted to copy and run the other four scripts.
The second script would block the monitoring system to prevent system engineers from receiving any problem alerts from production servers for 61 minutes. It would also build a list of all the servers in the data centre and disable logins to the production control server and its backup server.
The third script would build a list of all Fannie Mae production, contingency and backup servers and run the fourth script on all servers.
The fourth script would first disable all logins and clear all server logs, thus removing all traces of Makwana's activities. It would then set all systems' login messages to "Server Graveyard", remove the root password appliance access so no one could change the root password from it, wipe out all data on all Fannie Mae servers and replace it with zeros, remove the 'High Availability' software from all critical servers that contained it, and finally, power off all of the Fannie Mae servers it could find.
The fourth script was also set up to run on the backup production control server to trash any systems it might have missed while running on the other server, then wipe clean that backup server and power it off, too.
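The malicious code was found only because a senior engineer happened to look at a scheduled operations script. A routine integrity check of those scripts against an approved baseline would have flagged the appended block as soon as it appeared. The following is an added example, not code from the article or from Fannie Mae; the script path, its contents and the appended lines are constructed for illustration.

```python
import hashlib
import difflib

# Constructed sample: the approved version of a morning operations script
# (checks that two SAN paths are up), as recorded at its last review.
APPROVED_SCRIPT = """#!/bin/sh
# Verify both SAN paths are operational (runs daily at 09:00)
multipath -ll | grep -q 'sdb.*active' || echo "SAN path A down"
multipath -ll | grep -q 'sdc.*active' || echo "SAN path B down"
"""

# Constructed sample: the same script as found on disk, with an
# unreviewed block appended after the approved content.
CURRENT_SCRIPT = APPROVED_SCRIPT + """# added outside change control
sh /opt/ops/pending_task.sh
"""

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def build_baseline(approved):
    """Record the hash of every approved script: path -> sha256."""
    return {path: sha256_hex(body) for path, body in approved.items()}

def check_integrity(baseline, approved, current):
    """Compare on-disk scripts to the baseline.

    Returns a list of (path, kind, added_lines), where kind is
    'modified' or 'missing'. For a modified script the added lines are
    listed so the reviewer sees an appended block, not just "changed".
    """
    findings = []
    for path, expected in baseline.items():
        if path not in current:
            findings.append((path, "missing", []))
            continue
        if sha256_hex(current[path]) == expected:
            continue
        diff = difflib.ndiff(approved[path].splitlines(),
                             current[path].splitlines())
        added = [line[2:] for line in diff if line.startswith("+ ")]
        findings.append((path, "modified", added))
    return findings

if __name__ == "__main__":
    approved = {"/opt/ops/check_san_paths.sh": APPROVED_SCRIPT}
    on_disk = {"/opt/ops/check_san_paths.sh": CURRENT_SCRIPT}
    for path, kind, added in check_integrity(build_baseline(approved), approved, on_disk):
        print(f"{kind}: {path}")
        for line in added:
            print("  +", line)
```

In practice the baseline would be stored outside the production hosts and the check scheduled independently of the scripts it watches, so that a script which clears logs cannot also erase the evidence of its own insertion.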
The only more thorough trashing of Fannie Mae's data centre we might possibly imagine would have to entail something on the order of an actual bomb.
Makwana is free on $US100,000 bail, but we doubt he'll be flying back to India for a while.
* Fannie Mae is one of two huge US secondary market mortgage holders (the other being Freddie Mac) that were taken into receivership by the US government during the Wall Street meltdown last Fall. The name Fannie Mae derives from the acronym FNMA, which stands for Federal National Mortgage Association. Fannie Mae currently holds millions of US home mortgages, several trillion dollars worth. To say it's a large financial operation is an understatement.
theinquirer.net (c) 2009 Incisive Media
Issue: 111 | April, 2010