Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Fannie Mae Logic Bomb

with 4 comments

A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for at least a week, prosecutors say.

Unix engineer Rajendrasinh Babubha Makwana, 35, was indicted (.pdf) Tuesday in federal court in Maryland on a single count of computer sabotage for allegedly writing and planting the malicious code on Oct. 24, the day he was fired from his job. The malware had been set to detonate at 9:00 a.m. on Jan. 31, but was instead discovered by another engineer five days after it was planted, according to court records.

Makwana, an Indian national, was a consultant who worked full time on-site at Fannie Mae’s massive data center in Urbana, Maryland, for three years.

On the afternoon of Oct. 24, he was told he was being fired because of a scripting error he’d made earlier in the month, but he was allowed to work through the end of the day, according to an FBI affidavit (.pdf) in the case. “Despite Makwana’s termination, Makwana’s computer access was not immediately terminated,” wrote FBI agent Jessica Nye.

Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m. Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company’s monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeros.

“This would also destroy the backup software of the servers making the restoration of data more difficult because new operating systems would have to be installed on all servers before any restoration could begin,” wrote Nye.

As a final measure, the logic bomb would have powered off the servers.

The trigger code was hidden at the end of the legitimate program, separated by a page of blank lines. Logs showed that Makwana had logged onto the server on which the logic bomb was created in his final hours on the job.

The Rest

So wait wait, let me see here. This guy was being fired for some error he had made in a script earlier in the month? But he was capable enough to formulate a plan and a script hidden within another script to destroy (albeit locally) all their data? What’s wrong with this picture huh? Sure, they did find the script, I will give them that, and perhaps he did not hide it well enough but, wtf?

Here are the critical errors that Fannie Mae made… Other than being another fuck ass piggy corrupt company.

1) They fired this guy and let him work the rest of the day? This implies a couple of things:

A) They had NO IDEA what he had been up to

B) They have NO FUCKING CLUE on how to deal with terminations

When you term someone you freeze their accounts and walk them out. It’s nice to think that you can tell someone they are losing their job and let them finish the day, but you have to be seriously smoking crack to think that they will not even think of retaliation or theft on the way out. Dumbasses.

2) Their termination reason seems somewhat off. I don’t buy it really. I think that they were up to something else. Perhaps they had suspicions that he was up to no good. Or, maybe they just wanted to let him go and have a semi-reasonable cover story for doing so. In the end, yeah, they were right to do so, but oh so wrong on follow through.

3) Ok, he wasn’t so much a mental genius. Hiding the code after two pages of blank lines? Yeah, next time hide it elsewhere, fella.
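As an added example (not part of the original post or the court records), here is a defender-side check for the pattern described above: content that resumes after a long run of blank lines in a scheduled script, combined with a baseline hash comparison. The 20-line threshold, the function names and the sample scripts are assumptions constructed for illustration.

```python
import hashlib

def find_code_after_gaps(text, min_gap=20):
    """Report content that resumes after >= min_gap whitespace-only lines.

    Returns (gap_start_line, gap_length, resume_line, resumed_text) tuples.
    Blank lines at the very end of a file are ignored: nothing hides after them.
    """
    findings, gap_start = [], None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():              # empty, or only spaces/tabs
            if gap_start is None:
                gap_start = lineno
            continue
        if gap_start is not None:
            gap_len = lineno - gap_start
            if gap_len >= min_gap:
                findings.append((gap_start, gap_len, lineno, line.strip()))
            gap_start = None
    return findings

def audit_script(text, known_good_sha256=None, min_gap=20):
    """Combine the gap check with a comparison against a recorded baseline hash."""
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return {
        "sha256": digest,
        "changed": known_good_sha256 is not None and digest != known_good_sha256,
        "gaps": find_code_after_gaps(text, min_gap),
    }

# Constructed sample: a harmless scheduled job, then the same file with a
# harmless line appended after 61 blank/whitespace-only lines.
LEGIT = "#!/bin/sh\n# morning report job (constructed)\ndate >> report.log\n"
TAMPERED = LEGIT + "\n" * 60 + " \t\n" + 'echo "appended after gap"\n'
BASELINE = hashlib.sha256(LEGIT.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    for name, body in (("legit", LEGIT), ("tampered", TAMPERED)):
        print(name, audit_script(body, BASELINE))
```

In practice the baseline hash would come from version control or a file-integrity tool, and the check would run over every script the scheduler invokes.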

All in all, I have seen the inside of the likes of Fannie Mae and they tend to be the WORST when it comes to security. Especially where security policies and procedures come into play. I am willing to bet that they did not even have a policy on terminations that involved immediate lockouts and walking out of the building. If they indeed did, then they were probably not following policy and procedure on a regular basis.

Ass clowns.

Now, they had better give the IT guy who found the logic bomb some bonus love… Or else they could find themselves with another disgruntled employee… Who has access and means….

You feelin me Fannie?

Written by Krypt3ia

2009/01/31 at 00:36

4 Responses


  1. Rajendrasinh Babubha Makwana the collect 4000 server. the world is rich man. the most large biggest company financial advisor and financier. the good brilliant man. the full server main use of security system.

    tom

  2. To whoever: English is obviously not your second language either. As to what I think you are saying I respond with this…

    Rajendrasinh Babubha Makwana will be somebody’s bitch in federal pound me in the ass prison. No, he wasn’t a great man, nor will he be a great “bitch” in prison.

    //end.

    crabbyolbastard

    2009/01/31 at 11:55

  3. Logic bombs are quite insidious and more widespread than people believe. It is very difficult to protect against them unless the organization follows strict protocol while letting go of people. I have detailed some ways to deal with logic bombs in my blog http://nofud.org/2009/01/31/note-to-fannie-mae-dealing-with-logic-bombs/

    akshay aggarwal

    2009/02/03 at 08:26

  4. Sure they are if you go by the definition that any worm that has a timed feature as a “logic bomb”. The trending on that has been upward since worms have taken on the function of a logic bomb to increase their spread and/or create zombie networks.

    I have seen a few over the years but I have not seen this as pandemic.

    crabbyolbastard

    2009/02/03 at 11:37

