Archive for the 'GMER' Category

Anti Rootkit Software Scanners for Vista

Friday, January 11th, 2008

We are often asked which anti-rootkit scanners are available for Windows Vista. There are currently only 7, out of the 20 or so scanners available, that will work with Vista. These scanners will also only work with 32-bit versions of Vista.

Here is a list of the 7 in alphabetical order. Please click on the scanner name or screenshot to go to a more detailed page where you can download the software.

F-Secure Blacklight

GMER

Icesword

Rootkit Hook Analyser

Rootkit Revealer

Rootkit Unhooker

Unhackme

Keep Safe,

Steo - www.antirootkit.com

Security Flaw in Vista and XP - Rootkit exploit in the wild

Thursday, January 3rd, 2008

In early December 2007 a new rootkit that hides itself in the Master Boot Record (MBR) of a user's disk was spotted in the wild. Up until then this was more of a proof of concept (POC).

This goes to show how much effort rootkit authors are putting in to creating new ways of evading Anti Rootkit software. This is a new vector of attack for malware writers and gives them control from outside the Operating System.

This rootkit relies on the MBR flaw: the MBR can be written to from within Windows.

The rootkit installs itself ( 244K ) on the last sectors of the user's disk and then modifies other sectors, including sector 0. The code runs before your PC boots into XP, Vista or NT and has full control of the boot process, which means it can install and run any application it wants without you, XP, Vista or NT knowing about it.

GMER has written an excellent write-up on the MBR rootkit that goes into more depth on the issue.

Indeed GMER’s Anti Rootkit Software can find the rootkit.


The rootkit files cannot be removed from within XP, Vista or NT and must be removed without the PC running the rootkit code.
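The two symptoms described above (a modified sector 0 and rootkit data stored in the last sectors of the disk) can be checked offline against a raw disk image. The following is an added example written for this post, not code from GMER or from antirootkit.com; it parses the MBR partition table, compares the boot code against a baseline hash recorded on a clean system, and flags non-zero data beyond the last partition. The disk image is constructed in the script and the "tampering" only writes placeholder bytes.

```python
import hashlib
import struct
SECTOR = 512
BOOT_CODE_LEN = 440       # boot code occupies bytes 0..439 of sector 0
PART_TABLE_OFF = 446      # four 16-byte partition entries follow the disk signature
MBR_SIGNATURE = b"\x55\xaa"

def boot_code_hash(image):
    """SHA-256 of the sector 0 boot code; record this on a known-clean system."""
    return hashlib.sha256(bytes(image[:BOOT_CODE_LEN])).hexdigest()

def parse_partitions(mbr):
    """Return (start_lba, sector_count) for each populated partition entry."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            parts.append((start, count))
    return parts

def check_disk(image, baseline_hash):
    """Offline integrity checks over a raw disk image; returns a list of findings."""
    findings = []
    mbr = image[:SECTOR]
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("sector 0: missing 0x55AA boot signature")
    if boot_code_hash(image) != baseline_hash:
        findings.append("sector 0: boot code differs from baseline")
    total = len(image) // SECTOR
    last_used = max((s + c for s, c in parse_partitions(mbr)), default=1)
    # Sectors after the last partition should be unused (all zero); the post says
    # the rootkit stores its body in the last sectors of the disk.
    for lba in range(last_used, total):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"sector {lba}: non-zero data beyond last partition")
    return findings

def build_clean_image(total_sectors=64):
    """Constructed sample disk: placeholder boot code, one partition at LBA 1..47."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (BOOT_CODE_LEN - 3)   # not real boot code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 1, 47)
    mbr = boot_code + b"\x00" * 6 + entry + b"\x00" * 48 + MBR_SIGNATURE
    return bytearray(mbr + b"\x00" * SECTOR * (total_sectors - 1))

def simulate_tampering(image):
    """Mimic the pattern described in the post: altered sector 0, data in the tail."""
    tampered = bytearray(image)
    tampered[0:3] = b"\xeb\x10\x90"
    tampered[-SECTOR:] = b"\xaa" * SECTOR
    return tampered
```

Running check_disk on the clean image returns no findings; on the tampered copy it reports the changed boot code and the non-zero last sector. Since the rootkit controls the running OS, the image should be taken with the PC booted from clean media.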

Until the MBR security flaw in the NT code is fixed, we will all soon be riddled with MBR rootkits.

Keep Safe,

regards,

Steo - www.antirootkit.com


GMER Anti Rootkit & People Power

Sunday, January 7th, 2007

Q. How do you know when you have written a really good piece of software that protects people from rootkits?

A. When the rootkit writers or users start to target your software.

This is exactly what is currently happening with GMER, a really good anti-rootkit scanner. GMER is written by a Polish author who goes by the name gmer.

GMER has become a popular anti-rootkit scanner this year and is known for finding hard-to-find rootkits, having a nice interface and being easy to use. GMER also updates the software on a regular basis, and when Rustock came on the scene in 2006 GMER adapted to checking Alternate Data Streams (ADS), a known place where Rustock hid files.


It was surprising, though, that in December 2006 the homepage for GMER, www.gmer.net, was unreachable. When a user tried to load the homepage a “page not found” type of error was shown. The hosting service for GMER had to make the site unreachable because of a DDoS (Distributed Denial of Service) attack. A DDoS attack is basically where someone or a gang has set up a botnet (computers taken over by hackers for their own use) that continuously tries to load the page at www.gmer.net. This causes a lot of stress on the hosting service, and hence the site had to be taken offline.

All is not lost though. With the help of a lot of people around the internet the name of GMER is getting more popular than ever before and the attacks on the GMER site have highlighted GMER as a threat to rootkit writers and users.

With the GMER site down other sites have provided a mirror of the original GMER site so people can still download and read about GMER.

A list of current sites as of the 7th Jan 2006 @ 23:55 GMT is as follows:

http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/
http://www.pperry.f2s.com/mirror/gmer/gmer.htm
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.spywarefix.org/
http://gmer.it-mate.co.uk/gmer.htm
http://www.majorgeeks.com/GMER_d5198.html

The GMER software can also be downloaded from http://pcalsicuro.phpsoft.it/gmer.zip

Even as I transpose my list it looks as if 2 more have been taken down.

People power will help GMER survive these attacks, which will only strengthen its reputation as a very good rootkit scanner.

Keep Safe,
regards,
Steo
www.antirootkit.com