
Winzapper

Winzapper is a freeware utility / hacking tool used to delete events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable.[1] According to Hacking Exposed: Windows Server 2003, Winzapper works with Windows NT/2000/2003.[2]

Prior to Winzapper's creation, administrators could already clear the entire Security log, either through the Event Viewer or through third-party tools such as Clearlogs.[3] However, Windows had no built-in method of selectively deleting individual events from the Security Log, and an unexpected clearing of the whole log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper allows an attacker to hide the intrusion instead by deleting only those log events relevant to the attack, leaving the rest of the log intact. Winzapper, as publicly released, could not be run remotely without the use of a tool such as Terminal Services. However, according to Arne Vidstrom, it could easily be modified for remote operation.[4]

There is also an unrelated trojan horse by the same name.[5]

Countermeasures

Winzapper creates a backup copy of the security log, "dummy.dat", in %systemroot%\system32\config. If the attacker deletes this file afterwards, it may still be recoverable with undelete tools, which yields the original, unedited log.[6] Conceivably, however, a savvy attacker could copy a sufficiently large file over dummy.dat before deleting it and thus irretrievably overwrite its contents. Winzapper also leaves the Event Viewer unusable until the machine is rebooted, so an unexpected reboot may be a clue that Winzapper has recently been used.[7] Another potential clue to a Winzapper-based attempt is corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will corrupt the log it is editing.

According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running".[8]
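The following script is an added example and is not part of the Wikipedia article, nor code from Arne Vidstrom or WindowsNetworking.com. It turns the countermeasures above into a read-only audit: look for the dummy.dat backup, look for "audit log cleared" events, look for reboots that nobody scheduled, and list the Software Restriction Policy "Disallowed" path rules that a Group Policy such as the one quoted above would have applied. It assumes PowerShell 3 or later on a Windows Vista-or-later host (Get-WinEvent does not exist on the NT 4.0/2000 systems Winzapper was written for); the function names, the 30-day window and the hypothetical rule name "winzapper.exe" in the comments are the example's own choices. Event IDs 517 (Windows 2000/2003) and 1102 (Vista and later) for "The audit log was cleared", and 1074 and 6008 in the System log for initiated and unexpected shutdowns, are standard Windows event IDs.

```powershell
# Added example: read-only audit for the Winzapper clues and countermeasure
# described above. Not code from the article, Arne Vidstrom or WindowsNetworking.com.
# Assumes PowerShell 3+ on Windows Vista or later; run from an elevated prompt,
# since reading the Security log requires administrative rights.

function Test-WinzapperBackup {
    # Winzapper writes its backup of the security log as dummy.dat next to the
    # real event log files. Its presence is the strongest single indicator.
    $path = Join-Path $env:SystemRoot 'System32\config\dummy.dat'
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
    }
}

function Get-AuditLogClearedEvents {
    param([int]$Days = 30)   # 30-day window is an assumption of this example
    # 517 = "The audit log was cleared" on Windows 2000/2003,
    # 1102 = the same event on Windows Vista and later.
    # A cleared log is the clue the article says Winzapper was built to avoid,
    # but it is also what an operator must do after Winzapper corrupts the log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 517, 1102
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Get-RebootEvents {
    param([int]$Days = 30)
    # 1074 = a process/user initiated a shutdown or restart (records who and why),
    # 6008 = the previous shutdown was unexpected (crash or power loss).
    # The article notes Event Viewer stays unusable until a reboot, so a reboot
    # nobody scheduled is worth correlating with the events above.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074, 6008
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-SrpDisallowedPathRules {
    # Software Restriction Policy path rules with the "Disallowed" level are
    # stored under the CodeIdentifiers\0 key once the Group Policy has applied.
    # A rule whose ItemData is a bare file name such as "winzapper.exe"
    # (hypothetical name) blocks that file name wherever it is placed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
    if (Test-Path -LiteralPath $key) {
        Get-ChildItem -LiteralPath $key | ForEach-Object {
            [pscustomobject]@{
                Rule        = $_.PSChildName          # rule GUID
                Path        = $_.GetValue('ItemData')
                Description = $_.GetValue('Description')
            }
        }
    }
}

# Run the four checks and print a short report.
Write-Host '== dummy.dat present in %SystemRoot%\System32\config? =='
Test-WinzapperBackup | Format-Table -AutoSize
Write-Host '== Security log cleared (517/1102), last 30 days =='
Get-AuditLogClearedEvents | Format-Table -AutoSize
Write-Host '== Reboots (1074) and unexpected shutdowns (6008), last 30 days =='
Get-RebootEvents | Format-Table -AutoSize
Write-Host '== SRP "Disallowed" path rules =='
Get-SrpDisallowedPathRules | Format-Table -AutoSize
```

Two caveats follow from the article itself. First, every check here reads state on the same host whose Administrator account is assumed compromised, so a local audit is only as trustworthy as that host; forwarding the Security log to a separate collector as events are written is what actually preserves the records Winzapper would later remove. Second, a path-based Software Restriction Policy rule is defeated by renaming or recompiling the executable, so a hash rule on the known binary, or an allow-list policy rather than a single deny rule, is the stronger form of the countermeasure WindowsNetworking.com describes.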

References

  1. Winzapper FAQ, NTSecurity.
  2. Joel Scambray, Stuart McClure (October 27, 2006). Hacking Exposed Windows Server 2003. McGraw-Hill Osborne Media, 1st edition. p. 228. ISBN 9780072230611.
  3. "Hacktool.Clearlogs". Symantec.com.
  4. Vidstrom, Arne (September 6, 2000). "Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000". Security-express.com.
  5. "Winzapper Trojan". Logiguard.com.
  6. "Forensic Footprint of Winzapper". Forensics.8thdaytech.com.
  7. Seifried, Kurt. "Microsoft Security Whitepaper - Windows NT". Seifried.org.
  8. "Gaps in Security Log". Windowsnetworking.com.
