Imagine a young man, disheveled but with a button-down shirt which is made of cotton, and khakis, not jeans. He has two days of shaving on his face, but no more than that. He does have a wee bit of powdered sugar because he found the donuts. Before they departed, the COBOL dinosaurs were up before dawn and gobbled up the two dozen assorted gneewmews. No real programmer got up before 9 but then the COBOLers were business programmers - not the real kind.
And he is sitting in one of those rooms where there are a dozen desks with a computer circa 2000. The CD was playing “The Exploration of Space” at a loud drone. The machines, of course, Windows NT PCs, but just barely able to run Minesweeper and a text editor. He has on his desk a tray for incoming, which is voluminous, and outgoing, which has one stapled and folded piece of paper. He is also extremely tired because he has been at his post for 14 days.
The date is September 18th, 2001. While the rest of the world is screaming about the Twin Towers having been dismantled by two jets, he is coming at the code for several versions of Windows which all have a problem. When looking at him it might be best to describe him as giddy with ASCII coming out of every available orifice. He knows that there is, in this code someplace, a 0-hour flaw which has been exploited. And he is wondering if the exploiter had some connection with the Twin Towers because everything in the world seems to be falling apart. This is the year of November baseball being invented and a sub-mediocre president becoming the most popular man in America. For getting 2000-odd people killed on his watch. This is America after all.
He has up several files which all have the Windows server in various guises; specifically, he is looking at Microsoft's Internet Information Server, because this is the place the program has targeted for attack. Then he must find where it came from. Only then can he determine what has been done to the targeted computers to attach the lethal drug.
He has a mouse under his right hand and is going back and forth between the various MIIS segments on 95, 98, 2000, and NT. The progress is slow because his machine is just barely capable. This is what is known as the “or equal” clause in a contract, which means that “or equal” in the contract means the real thing is less than equal. He noted this in his brain bin folder for future reference when he was in charge of a gaggle of coders. That, and a 286 does not cut the proverbial mustard.
Then a more senior individual came over to look at how he was going about parsing through the text files, and he stopped the junior person at one particular point. The senior-level person was different from his junior: his face was cleanly shaved but his hair had not seen a comb or brush in at least a month. He was scratching his hair and looking at all of the files. He was also called an analyst rather than merely a programmer.
“That’s odd…” said the senior analyst.
The junior programmer looked up at him and raised an eyebrow. “What do you see?” The junior programmer had his mouth open, but that was a usual gesture among the juniors.
“This computer accepted the email and opened it.” Then the senior hacker, let’s not mince words, pointed to another open text file that had the actions of the computer in real-time.
The junior programmer looked at the text file and realized that his senior programmer had looked at all of the programs that were displayed. He realized he was looking into the mind of a minor God, and he worshiped his senior programmer from that moment forward.
“Focus,” said the senior. Immediately the junior pointed to the windows where they could see them. And then the senior pointed to one particular place: “This is a virus and it takes over by hoping that someone on the receiving end opens an email.”
“That’s just plain dumb,” said the junior. After some searching of the mail server, they found admin.dll, and when they opened this they saw code that would attach it to MIIS and start the process all over again.
“Yes, but by random luck, a quarter of all of the system admins will be in the bottom quarter of intelligence. And that is more than enough to spread the virus.”
The junior merely nodded and collected another bite for his brain index file.
The senior took the mouse and proceeded to look through several files on the various different machines. Then he stopped.
“Nimda. The original sender called it ‘Nimda.’ Cute.”
“What does Nimda mean?”
“It is admin spelled backward. Remember the first thing to do when you see any name is to reverse it or anagram it to see if it has any meaning.” Of course, this being Windows, admin was the name of the highest-level user. Again, the junior parsed another bite into his brainbucket. He realized that having a person who had greater knowledge than he did was the best reason to work here.
“How do you remember all of this?”
“There are only two things to do the remembering thing.”
“What are they?”
“The first is to have been doing this for 20-odd years, which is to say I was 10.”
“What is the second?”
“Be brighter than other people.”
“Why aren’t you a full professor?”
“That takes work. Now focus.”
Inside admin.dll they also discovered ‘Concept Virus(CV) V.5, Copyright(C)2001 R.P.China’.[1] They stared at this.
The senior spoke: “It is from China, and it is unlikely that this is connected with the claims of 9/11.”
“Why is that?”
“While the Chinese may have some sympathy with the bombings, they are not willing to go to war quite yet.”
“There will be a war?”
“If you were the president, what would you ask Congress for? Peace?”
“I guess not, why wouldn’t the Chinese be involved with it?”
“The Chinese don’t have more than 1 aircraft carrier, and they don’t have enough subs to sink our aircraft carriers. For this and a large number of other reasons, they don’t want to go to war with the US quite yet. Nimda is random and not connected to the mass murder of people in the Twin Towers. It looks like I have a report to write up. Let us finish our investigation.”
They worked into the night documenting everything that they found. The junior went to sleep, but the senior typed up a report and, when the air traffic system was operational, happily boarded an airplane to Microsoft in Seattle.
The senior slept on the plane knowing that the pool of suicidal young men who could fly a plane had probably been tapped out.
[1] In reality, F-Secure found this.