Chapter 251 Ghost
The situation of the network nodes of Fermi Lab made Edward feel very strange.
The other party's network, which had been infected with the tree worm, automatically became normal for no reason, and what's more funny is that the other party thought that the span network security center had successfully cleared the worm.
What's going on over there?
Edward felt that maybe the computer in Fermi Lab had the answer he wanted.
He contacted Todd again and finally confirmed that there were many network nodes elsewhere. Although they were still connected to the network, they seemed to be invulnerable. The tree worm seemed to ignore them and automatically bypassed their nodes.
These places are also very strange.
Is it possible that the security measures of computers in these places are in place, and the tree worm can't be captured at all?
Or, are there something that worms are afraid of in these computers?
Edward felt more and more that he was about to get close to the truth of the matter.
Perhaps, the way to solve the tree worm is hidden in those computers.
He decided to leave immediately and go to the scene in person. Since this was just his personal idea, he just told Theodore the news and did not tell anyone else.
When Theodore heard him say that it was possible to find a way to restrain the worm, he immediately seemed to grab the life-saving straw and let him leave immediately and report the situation to him at any time.
Edward rushed all day and night, and his sleep was solved on the road. Finally, he came to the office of the network center of Fermi Laboratory in Illinois with a tired face, and Anthony received him enthusiastically.
Edward didn't have time to rest, so he followed Anthony directly to the computer room in the network center and began to comprehensively analyze and detect the servers in the computer room.
"There won't be any viruses or worms in our server, will we?" Anthony said with some worry.
"I won't know this until I test it. However, this is unlikely. I came here mainly to find out why these servers have automatically returned to normal operation.
"What? I heard it right, didn't I? Didn't you fix the previous failure? Anthony was shocked.
Edward shook his head helplessly: "No."
He thought and had been working hard, but it didn't work out.
Anthony also came back at this time.
He thought this fact was too ridiculous. The security expert in the span network center came here to check the reason why the server automatically returned to normal!
"Ha ha, then check it slowly. I'll go back to my job first. If you need any help, just call me."
"Okay, thank you."
Edward couldn't do it either, and he stared at the content displayed on the monitor.
He first checked the system process of the computer, which is normal, and then the user process, which is also normal.
It is very clean and there are no extra programs.
He then began to look for some of the latest modified files on the disk, just after Anthony called him at that time.
He used the search command to quickly list all the files that had been modified in the past two days, a total of about 300.
He looked over them one by one to check their dates, sizes and attributes to see if there were any suspicious places.
After half an hour, Edward frowned deeply, and the result he got was that everything was normal!
He checked the security settings of the machine, which can only be said to be ordinary. Through these settings and computer logging, he can judge that Anthony's technical level can only be said to be medium, and there is nothing outstanding at all.
This is so strange. Why is this server not infected with the tree worm?
It doesn't look anything special?
Edward didn't believe it. The server was connected to the network. He downloaded the source file of the worm from the ftp server inside the span and ran it manually on this computer.
As a result, he was shocked to find that the worm program had disappeared directly.
Disappeared out of thin air?!
This is impossible!
Edward stood up with a shocked face.
The tree worm has not run successfully at all, but disappeared directly into the disk, as if there was an invisible hand, which was directly deleted.
Edward downloaded the tree worm again and tested it, and the result was still the same.
The reaction is so fast that there must be a process running, which can detect the existence of the tree worm and then clear it directly.
Edward checked the running process again, looked at them one by one, and analyzed their specific functions, but he still did not find out which process completed the action.
"Which process is it?"
Edward got on with it. He downloaded the worm again, but it was deleted again and again, again and again...
"No, I have to calm down."
Edward held down his anxiety and sorted out his thoughts.
"It can detect the presence of the tree worm so quickly, which means that it must be running and detect programs running in memory at any time..."
"You can't see it from the process, that is to say, it hides itself..."
"The process is running in memory. The command displays the process, which is to read the specific data structure in memory. It can hide itself. Does it modify the data structure that saves the process information?"
Edward sorted out his thoughts step by step and came to such a shocking conclusion!
Before, such a technology has never appeared.
Edward thought for a long time and felt that this possibility was very high.
So, he ran to Anthony's desk outside the computer room and called Theodore on his phone, asking him to immediately find a tool that could detect the running content in memory.
Theodore immediately gave him an answer. Although the members of their security team do not know much about the security of the vms system, they have a deep research in these aspects. Some people have such a tool in their hands, which is usually used to crack software programs.
The "ramdetect" software was immediately downloaded to the server.
Edward first ran it and checked it. There was nothing abnormal. He kept the software still and ran it in the background. Then he set it up every second to save the process record in the current memory to the log file.
Then, he downloaded the tree worm again. After a flash, he immediately switched to the "ramdetect" interface, which was still the same, and there was no extra process.
He quit the software, then found the previously set folder, and found a log file in it.
In just a few seconds, more than 200 lines of records have been saved.
Edward carefully analyzed the log file and finally found a difference in the second half, which immediately revived his spirit.
In the record saved at this moment, there is an additional process called "ghost".
Edward repeatedly compared the records before and after. This process did not appear before and after, and only appeared in that second.
I tried it again several times, and estimated the time of the process, and finally determined it.
It's just a flash, only a second in the memory record, really like a ghost!
"That's it!" Edward shouted excitedly.
is this "ghost" program. Once a tree worm appears in the process, it will immediately remove it. No matter what version of the worm is, it can't escape its "eye".
Edward is very happy that he has found the reason, but what does this "ghost" program do? Why is it hidden in it? How does it hide itself?
A series of new problems bothers Edward.
He checked all the machines in other computer rooms of the Fermi laboratory. Sure enough, there was this process in it.
Edward tried to remove it, but he couldn't find an effective way. He could even find the trace of the other party, and had to use tree to lure him to make it appear in the data structure of memory information. At ordinary times, you can't know which corner of the memory it is hidden. The machine moves.
Its power in technology not only shocked Edward, but also felt an inexplicable panic.
Although thetree worm is powerful, it can be found after all. Although it has some new features, it is not out of the category of the worm. It still has some fatal shortcomings of the worm, such as repeated replication, causing network congestion. It can also be easily found in the process, and it will be removed sooner or later. .
But this "ghost" program is really like a ghost, which is extremely difficult to find. If it hadn't happened to encounter the tree worm outbreak this time, I don't know how long it will continue to hide, and I don't know how long the ghost has been buried here.
If it wants to steal confidential information like a tree worm, it will be more horrible than a worm.
Edward downloaded the network packet protocol analysis tool from ftp again, which began to monitor the server's external acceptance and sending of packets, and then unpacked analysis. He wants to see if the "ghost" is also sending data to the outside world.
The results of the analysis made him a little relieved, and there were no special data packets, that is to say, the ghosts in these servers were not contacted for the time being.
Just as Edward wanted to continue his analysis, Theodore called and complained to Edward.
The further outbreak of the tree worm has seriously affected the normal operation of government functions. The White House and the Pentagon have already greeted Theodore and asked them to restore the network as soon as possible.
At the first level, Theodore also strictly ordered Edward to come up with an effective solution as soon as possible, otherwise they would have to roll it home.
The ghost can restrain the tree virus, which Edward saw with his own eyes. The most important task now is to remove all the tree worms on the network as soon as possible and restore the network. He decided to put aside the real purpose of the ghost and start to focus on the research on the killing of ghosts.
To Edward's surprise, although ghosts seem to have the characteristics of transmission, they seem to be more organized and disciplined, and they do not spread blindly.
"As long as the ghost is successfully spread out, won't the crisis of the tree worm be solved smoothly?" Edward thought so. This is the way to solve the worm problem as quickly as possible.