Time Bomb Scripts

Last month a contractor was fired from Fannie Mae. The stated reason for the termination was promoting scripts to Production without authorization. The company made several mistakes of its own. It did not change the root passwords on the systems this contractor had access to, and it let him remain on site after he was fired. That is bad news in any case, and worse when the person was let go precisely for unauthorized code deployment: someone you have just fired for changing production without permission should lose production access before he hears the news, not after.

What I found most interesting were the details of the time-activated scripts this guy left behind at Fannie Mae. His first step was to append some code to the end of an existing daily script. When that script ran, the appended code would retrieve and install the rest of his scripts. Hiding the stager in a job that already runs on a schedule is the classic move: the payload inherits that job's privileges and timing, and a new block at the bottom of a long-established script is easy to miss.

Here is an example of what one of the payload scripts did. It would generate a list of servers in the company. Then it would disable monitoring on them. Finally it would disable logins to every server it had found. Well, that is bad, but not too evil.

Next, the terminated contractor wrote a script that would clear the server logs. Then it would remove root access to the machines and delete the data on them. Finally it would shut the servers down automatically.

The last script was especially evil. It would attempt to corrupt every system it could find in the company. Then it would go after the backup machine, clear out the backups, and turn it off. This hacker was just plain thorough.

Luckily another engineer noticed the original script, the one that was to install all the other rogue code, before it went off. On finding it, he had everything shut down until the company could figure out what was going on. That was the one smart move the company made, and it points at the real lesson: a time bomb does no damage until its trigger date, so the window between an insider's departure and the next scheduled run is when you revoke credentials and compare every scheduled job he could reach against what change control approved. These rogue scripts could have done severe damage to the company.

Props to The Inquirer for providing the facts for this blog post.