Q. How do you know when you have written a really good piece of software that protects people from rootkits?
A. When the rootkit writers or users start to target your software.
This is exactly what is currently happening with GMER, a really good antirootkit scanner. GMER is written by a person from Poland who goes by the name of gmer.
GMER has become a popular antirootkit scanner this year and has become known for finding hard-to-find rootkits, for its nice interface and for being easy to use. The software was also updated on a regular basis, and when Rustock came on the scene in 2006, GMER adapted to checking alternate data streams (ADS), a known place where Rustock hid files.

It was surprising, though, that in December 2006 the GMER homepage, www.gmer.net, was unreachable. When a user tried to load the homepage, a “page not found” type of error was shown. The hosting service for GMER had to make the site unreachable because of a DDoS (Distributed Denial of Service) attack. A DDoS attack is basically where someone, or a gang, has set up a botnet (computers taken over by hackers for their own use) that continuously tries to load the page at www.gmer.net. This puts a lot of stress on the hosting service, and hence the site had to be taken offline.
All is not lost though. With the help of a lot of people around the internet the name of GMER is getting more popular than ever before and the attacks on the GMER site have highlighted GMER as a threat to rootkit writers and users.
With the GMER site down other sites have provided a mirror of the original GMER site so people can still download and read about GMER.
A list of current sites as of the 7th Jan 2006 @ 23:55 GMT is as follows:
http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/
http://www.pperry.f2s.com/mirror/gmer/gmer.htm
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.spywarefix.org/
http://gmer.it-mate.co.uk/gmer.htm
http://www.majorgeeks.com/GMER_d5198.html
The GMER software can also be downloaded from http://pcalsicuro.phpsoft.it/gmer.zip
Even as I transpose my list it looks as if 2 more have been taken down.
People Power will help GMER survive; these attacks only strengthen its reputation as a very good rootkit scanner.
Keep Safe,
regards,
Steo
www.antirootkit.com
Just an FYI, the following is now disabled as well ….
archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
Hello. I uploaded to my Google Pages account (which theoretically can stand up to almost all DDoS, but Google may decide to take it down to conserve bandwidth). Get it at: http://hype-free.blogspot.com/2007/01/gmer-site-ddos-ed.html
Thanks for the replies guys…
Steven,
indeed it is and only after a few hours of the post. I am sure that as fast as they are taken down, new ones will be put up.
Cd-MaN,
great idea
One problem with the GMER site being offline is that tampered copies of GMER may start appearing and people should look out for the MD5 and SHA1 values on your blog post.
All these sites are dead.
http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/ (403: “Forbidden, You don’t have permission to access /anti-rk/ on this server”)
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.it-mate.co.uk/gmer.htm
I think the attackers’ target is not GMER as software, but GMER as a site. There are a few threads on different forums (such as Wilders) about this problem.
Unfortunately, gmer.it-mate.co.uk was the target of a DDOS (surprise surprise) that apparently ended up taking down the entire FastHosts network, so FH deleted the site ….
Similarly, archive.mysteryfcm.co.uk was the target of the same, and unfortunately, had to be deleted (I’ve already created an alternative, but for obvious reasons, am a little hesitant at publicizing it, so its URL is only known by a few select individuals at present, as a backup)
Steven,
Thanks for the reply.
What is happening is truly amazing.
Do you have any stats that would show the magnitude of the DDoS attacks?
On one server I heard there were 50K requests per second!
regards
Steo
I’ve still got the logs for a day in the life of one of the servers lying round somewhere but it’s way too big to send (one of them is 870MB).
If you’d like a copy of it, fire me an e-mail and I’ll pop it onto HTTP for you ….
Do you have access to Malware Research? (we’ve got a thread going there to share info on what exactly is going on and discussing ways to put a stop to it).
Be there in a second…:-)
I put the file (gmer) on my server
http://www.kuma215.it/GMR.zip
While my site stays up, you can download Gmer from here too:
http://www.msfluffymuffin.com/gar/gmer.zip
I just hope my poor lil’ site stays un-harmed, but I guess no matter what I feel I need to do my part and fight back and stand against these bullies!!
I guess if it goes down I will find a way to repost Gmer so it can be kept alive for everyone to download and to carry on the good cause.
Big hugs to our good friend Gmer,
Aimee oxo
Hi Steven, steo, EP_X0FF, Cd-MaN, hi everyone,
My Website was also attacked after I uploaded a mirror for GMER!
Please, stop publishing the mirrors here as all of them (but MajorGeeks and Eraser’s) are down!
Steo, would you like to remove Eraser (Marco Giuliani)’s URL?
hey,
I provide DDoS mitigation for sites such as yours that could become a victim of DDoS attacks. Let me know if you might be interested and we can work something out
cheers,
Ypigsfly