Ex-Fannie Mae worker charged with planting computer virus
By Freeman Klopott
Examiner Staff Writer 1/29/09
Rajendrasinh Makwana, an Indian citizen, was indicted Tuesday on computer intrusion charges. The former Gaithersburg resident is out on $100,000 bail, court documents said.
Makwana was fired from his contract position at Fannie Mae on Oct. 24 for changing computer settings without permission from his supervisor, FBI agent Jessica Nye wrote in a sworn statement. He had worked at Fannie Mae for three years as a computer engineer at the Urbana offices, where he had full access to all of the federally created mortgage company’s 4,000 servers. Before leaving work Oct. 24, Makwana allegedly tried to hide code in server software that was set to activate the morning of Jan. 31, the agent wrote.
“Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week,” Nye wrote. “The total damage would include cleaning out and restoring all 4,000 of [Fannie Mae’s] servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”
A spokeswoman for Fannie Mae declined to comment.
According to Nye’s statement, a senior computer engineer discovered the virus Oct. 29. The malicious code was hidden after a blank page, and “it was only by chance” that the senior engineer scrolled down and found the virus, Nye wrote. The engineer locked down Fannie Mae’s servers to determine whether other viruses were hidden inside and where the virus had come from, Nye wrote. Only about 20 Fannie Mae employees and contractors, including Makwana, had access to the server where the virus was stored.
An Internet Protocol address was eventually linked to Makwana’s company-issued laptop, Nye wrote. He was arrested Jan. 7.
The virus was set to execute at 9 a.m. Jan. 31, first disabling Fannie Mae’s computer monitoring system and then cutting all access to the company’s 4,000 servers, Nye wrote. Anyone trying to log in would receive a message saying “Server Graveyard.”
From there, the virus would wipe out all Fannie Mae data, replacing it with zeros, Nye wrote. Finally, the virus would shut down the servers.
Since the virus’s discovery, engineers have double-checked the servers and found no evidence of other malicious code, Nye wrote.
Makwana’s attorney, Christopher Nieto, did not return calls Wednesday.
42 Comments
Reader Comments:
POSTED Jan 29, 2009
Trojanhorses: "Thank you. Now you see there is no such thing as an honest to goodness H1B worker. Not only do they have the market cornered at Fannie along with Freddie. They have no love for this country while we are trying to get above water. Yes, call me whatever you like. I am sure the same people who planted a virus also covered up this Fannie Mae crisis for the higher ups at Fannie. America wake your sorry asses from the slumber."
POSTED Jan 29, 2009
H1B#36a: "What wasn't reported was that the contractor was fired for writing a script poorly, that caused the failover of a number of High-Availability production servers. His "landmine/timebomb" script was found through his same poor scripting skills. Whatever doping manager that hired that guy should be fired too, along with his director and VP!"
POSTED Jan 29, 2009
Skip: "I would suggest that there is a lot more to this story than has been revealed so far. This man is a talented professional, and to risk his career with such an action doesn't make sense."
POSTED Jan 29, 2009
Jim: "Trojanhorses! Hold your horses dear boy. You have no idea if he was really a H1B? Now do you? Stop spreading hate and go home to your mama."
POSTED Jan 29, 2009
Patrick: "hey this one ought to make you smile"
POSTED Jan 29, 2009
melancholyrb: "Here is the text of the criminal complaint: http://i.zdnet.com/blogs/fmncomplaint.pdf The suspect's method and motivation are well outlined. Trojanhorses: Perhaps you should reconsider extrapolating the character of 85,000 people from the actions of one."
POSTED Jan 29, 2009
Vicente: "Unbelievable. This employee might have been doing us all a FAVOR if debt records were wiped and the company thrown into chaos. Maybe a PROPER AUDIT WOULD HAVE HAD TO BE CONDUCTED. Then we'd finally get to see some criminal CEO doing a perp walk. They did much more damage to the economy and this country but every single fatcat will walk away with giant bonuses."
POSTED Jan 29, 2009
Harold: "Jessica Nye needs to learn that "shutdown" is not a verb. Maybe we need a Federal Bureau of Spelling."
POSTED Jan 29, 2009
to Trojanhorses: "Let's not mischaracterize H1Bs from the actions of one foreigner, who is only here because local workers can't cut the mustard."
POSTED Jan 29, 2009
Wolf: "@Harold: In the technical world (especially for UNIX administrators) shutdown is a verb. I am a UNIX administrator and I think Ms. Nye's report was very good, and I guess it is more important that she's competent at her job rather than able to translate technical jargon in perfect English. That said, I find it odd that a programmer fired for incompetence was able to devise such a scheme: especially because the code was apparently flawless and he had no way to test it."
POSTED Jan 29, 2009
Steve: "@Vicente: With 4000 servers they surely have an extensive backup and restore policy and procedure. If the accused had somehow figured out a way to invalidate all the backups that were made, in addition to the "virus"'s reported capabilities, _then_ he would have done us a favor. Otherwise, it would have just been a headache for the administrators of those servers. And a short period of unavailability for some services."
POSTED Jan 29, 2009
QSECOFR: "That's why you implement a Change Control Process and you do not put your source on Production servers. As far as H1B's are concerned, are our students graduating from MIT, Berkeley and other top universities not good enough? Now to add to Vicente's comments, he probably would have done us all a favor... thanks melancholyrb for posting the complaint, I think I might use this as an example for current source code auditing when pushing changes to production."
POSTED Jan 29, 2009
blast3r: "this was not a trojan as others are saying in the comments section. this is a logic bomb."
POSTED Jan 29, 2009
Joseph Durnal: "Wow, this is an interesting story. A good security policy, that was actually implemented and followed would have prevented this. I want to see the script! :)"
POSTED Jan 29, 2009
procedures/policy failure: "Multiple failures, Change Management, Management and employee... Tisk Tisk. No worries he'll get a job with WiPro next month and will be back on the job with Homeland Security."
POSTED Jan 29, 2009
Stripped: "One does not need to be a talented programmer these days to come up with a trojan (or a logic bomb script for that reason). Go download a copy of BackOrifice or a similar thing, click a couple of times, and -- voila! -- a new "trojaned" app has been created. If it weren't so, we wouldn't have so many script kiddies going for the low-hanging fruit. Going on with the fruit theme, one rotten apple doesn't mean all of H-1B's are vile, malicious, vindictive, and unprofessional. And as it's been already noted, proper CM procedures and security practices (separation of duties, anyone?) would've prevented this."
POSTED Jan 29, 2009
H1-B's: "Jim my friend all the information is there to clue you in that he was here on a H1-B Visa. For those of us that work for these companies that are offshoring work to India and piling up H1-B Visas we know what to look for in the written word to translate. 100% chance he was here on a H1-B Visa. Just another way for these firms to cut wages. Hey the CEO's bonus would suffer if he did not have all this cheap labor at their disposal."
POSTED Jan 29, 2009
His employer was OmniTech: "If you want to see all the jobs OmniTech advertises for H1-B Visas scroll down the page. OmniTech is based in Fairfax Va. http://jobsearch.monsterindia.com/searchresult.html?fts=infosolutions&loc="
POSTED Jan 29, 2009
Smarter: "I am not sure that he is guilty or not. I think Fannie Mae is playing game. Next month, Fannie Mae will be say Bank losts more than 1 trillion dollar....and they does not have to pay money....their customer....GOD Bless USA"
POSTED Jan 29, 2009
Cliff: "We are assuming he is guilty and not being framed for some reason. But given that assumption, it demonstrates the weak security policies, as Joseph Durnal has pointed out. One must assume that security breaches will occur, given enough time, and therefore data should be compartmentalized: the scope of any malicious action should be limited. It is unconscionable that one account could have acted upon 4000 servers. That is the problem. I also very much dislike the comments by Trojanhorses. I have colleagues and friends who are Indian and H1B. We need to remember that there was a time when all of our ancestors emigrated here."
POSTED Jan 29, 2009
Striker: "Having worked there, I'm not sure that their backup and restore procedures are the greatest. Even if they have improved since my departure, restoring 4000 servers has got to be quite a task. The points on separation of duties are well taken. However, other articles indicated that his first erroneous computer script was created on Oct. 10 or 11. They didn't get rid of him until the 24th!!! I don't recall anything about Fannie's contracting policies, but in most places, the contractor screws up and he's gone that day. All it takes is a call from the company's contracting officer to the contractor's home office. I agree with others that all we are seeing is what they needed to use in the criminal complaint and indictment. There is probably much more that took place."
POSTED Jan 29, 2009
Losers: "Guess that somebody is trying to put someone in a scapegoat scene. Rajendrasinh Makwana is also stupid enough not to mask his step. If he wants to plant a virus, he should never use his own device and runs as far as possible. Guess again that the FBI also finds viruses on his home computers."
POSTED Jan 30, 2009
Tam: "Almost every major issue at Fannie/Freddie center around kickbacks. Contractors bill an average of $100/hr. The placement agency keeps $15/hr. The hiring manager or their wife or offshore account earn $15 to $20/hr. Corruption is widespread and shameless. Does anyone believe the guy got fired for changing computer settings? Please. Likely his placement agency and the hiring manager fought over kickback shares, threats were made to remove the individual, and the individual probably threatened to go to the authorities (under a federal conservatorship, kickbacks become illegal.) I feel bad for the guy."
POSTED Jan 30, 2009
DaBomb: "Hey, thanks for revealing all of that internal information about Fannie Nye and the court system/Judge. It is great that you have made public the IP address scheme, server names, and a whole host of other information to make somebody's job much easier to navigate around and plan an intrusion. Also, the guy just added a few lines of script to the bottom of a script that runs every day, on a date, it would actually execute causing the issue. This isn't a trojan. Nye, you should be ashamed for your poor abilities to do your job, your technical abilities and nomenclature are second rate. Obviously all of your information contained in the complaint came from the Fannie internal security team."
POSTED Jan 30, 2009
Pwnd: "I find this tale suspicious on a few levels. First and foremost, what prompted the senior engineer to think there was anything odd and motivate him to scroll down and look at the end of the page? Second, if Rajendrasinh was creative enough to write a script to do what he is alleged, he should have been creative enough to simply replace an existing system configuration file with the malicious script, ensure that he retained the original file's timestamp, changed whatever passwords he could have, and done it all from a VM image on his laptop that was using a bridged connection and not NAT'd. If you're going to do something that holds dire consequences should you get caught, you should ensure that you take every precaution not to. Like H1B#36a said, this is an issue that should also bring question upon the quality of management that would hire someone into a position where their skills are lacking."
POSTED Jan 30, 2009
Elivs: "What do you want to bet he isn't an H-1B or an L-1 or some other alphabet soup visa? A recent study found more than one in five H-1B applications to be invalid for one reason or another. In 2001, while hundreds of thousands of American techs were being laid off, it is estimated that 9 out of 10 tech jobs created that year were reserved and given to foreigners. Fast forward to now: they keep their jobs while we are being laid off in droves. Horror stories of H-1Bs cramming for skillsets on the job that they were already supposed to possess are easy to find on the web, as are stories of what they did once they were on the job. See for yourself and make up your mind. Many already have."
POSTED Jan 30, 2009
SoCo: "Doesn't anyone else think this is more than a little suspicious: "An Internet Protocol address was eventually linked to Makwana’s company-issued laptop". It seems that even your disgruntled script kiddy would use a different terminal or a method to conceal the implanting of such a script. I think this should be a serious red flag that foul play was possibly to a cause, as IPs have serious accountability shortcomings. I hope some technician isn't setting this guy up, or using him as a scapegoat through his IP/laptop for his own failed attack. Accountability seems very marginal unless this guy confesses, which you usually don't do before/after posting $100K bond"
POSTED Jan 30, 2009
cheapworker: "You get what you pay for in the short term and then pay for it over and over in the long term."
POSTED Jan 30, 2009
FedupLibBS: "Geez .. now this makes Watergate look like a WaterBalloon fight."
POSTED Jan 30, 2009
CMD: "...and if they overlooked any instance of malicious code of this nature then we'll be hearing more about this sometime after 9:00 a.m. tomorrow (31 January)."
POSTED Jan 30, 2009
PSquare: "This consultant worked for IonIdea and not Omnitech. FBI made an error. You will soon see a correction. Already, the following links have the correction 1. http://www.theregister.co.uk/2009/01/29/fannie_mae_sabotage_averted/ 2. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9127040&taxonomyId=17&intsrc=kc_top PSquare"
POSTED Jan 30, 2009
Chris Amsden: "I hope they string this guy up by the nearest tree! As if the financial sector isn't already suffering enough, we have guys like this out there trying to ruin it for the rest of us!"
POSTED Jan 30, 2009
Dude: "=) what's an H1B? I have yet to read the full criminal complaint, but it seems to me that this code could not have been created in less than a day when he was fired, so he must have been working on it for a while and that's probably where he had slipped up on a few other projects. But who hired in this contractor to whom did he report? If any of the records were tampered with the people indebted would not benefit, only the CEOs who cooked the books and left with their golden parachutes would. So maybe they should follow this guy's bank account to see who is paying his bail "out""
POSTED Jan 30, 2009
Ironhors: "It is a crime to use Federal money to hire H1B people from overseas or engage firms registered overseas anyway. Most of the work done by H1B from India is sub-standard to begin with; let alone the people from there are not trustworthy."
POSTED Jan 31, 2009
Sadler: "Apparently Makwana is currently working for Bank of America! I have notified BoA Security as well as the FBI. BoA needs to review everything he had access to... He should be considered an imminent threat and a flight risk. See www.D50.org for my predictions of this type event from years ago."
POSTED Jan 31, 2009
Clinton2012: "All the H1Bs working in our tech industry are a ticking bomb, Obama should take this near miss as a warning and send Raj to jail and his buddies back home. How many layoffs of American workers does it take before we stop giving some of our best jobs away?"
POSTED Jan 31, 2009
Sadler: "To Clinton2012: Please Google: "hillary clinton" +tata"
POSTED Feb 1, 2009
kgb999: "From the complaint: "In one email, MAKWANA communicated to his relatives in India instructing them not to return to the United States." This guy was H1B. He would have been long gone to India by the time this thing executed. That's why he thought he didn't have to worry about the repercussions."
POSTED Feb 2, 2009
jasmin nay: "Rajendrasinh is innocent. Somebody is trying to entrap him. Think, if he want to do any wrong to Fannie Mae data then he will use his own laptop for this malicious codes. He can use any other IP address also instead of his own. He is innocent."
POSTED Feb 2, 2009
jolly: "Rajendrasinh is innocent. Somebody is trying to entrap him. Think, if he want to do any wrong to Fannie Mae data then why he will use his own laptop for this malicious codes. He can use any other IP address also instead of his own. He is innocent. And 24 Oct was his last day of job. If he has done any wrong then he should gone back to India, but still he is in USA, that means he is innocent. May some one has use Rajendra IP address and edit malicious codes. Some one has misuse Rajendra laptop. He is innocent. FBI should reinvestigate this case again if possible. Rajendra is innocent."
POSTED Feb 2, 2009
H2B: "A high profile investigation on this case is needed. What is the benefit for Makwana if he plants virus on Jan 31. Don't you think it is a continuation of the corrupt republican regime to hide out many of their faults. Is there a clear proof of when this virus was planted? Did Makwana have access to that laptop on such date? Hope the examiner will examine such basic facts!"