Software:Winzapper

From HandWiki

Winzapper is a freeware utility / hacking tool used to delete events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable.[1] According to Hacking Exposed: Windows Server 2003, Winzapper works with Windows NT/2000/2003.[2] Prior to Winzapper's creation, Administrators already had the ability to clear the Security log either through the Event Viewer or through third-party tools such as Clearlogs.[3] However, Windows lacked any built-in method of selectively deleting events from the Security Log. An unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper would allow a hacker to hide the intrusion by deleting only those log events relevant to the attack. Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such as Terminal Services. However, according to Arne Vidstrom, it could easily be modified for remote operation.[4]

There is also an unrelated trojan horse by the same name.[5]

Countermeasures

Winzapper creates a backup security log, "dummy.dat," at %systemroot%\system32\config. This file may be undeleted after an attack to recover the original log.[6] Conceivably, however, a savvy user might copy a sufficiently large file over the dummy.dat file and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a reboot, so an unexpected reboot may be a clue that Winzapper has recently been used.[7] Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this.

According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running".[8]

References

  1. Winzapper FAQ, NTSecurity.
  2. Joel Scambray, Stuart McClure (October 27, 2006). Hacking Exposed Windows Server 2003. McGraw-Hill Osborne Media, 1 edition. p. 228. ISBN 9780072230611. https://books.google.com/books?id=UVchzZjT-jcC&dq=winzapper&pg=PA228. 
  3. "Hacktool.Clearlogs". Symantec.com. http://www.symantec.com/security_response/writeup.jsp?docid=2004-102811-2608-99. 
  4. Vidstrom, Arne (September 6, 2000). "Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000". Security-express.com. http://www.security-express.com/archives/bugtraq/2000-09/0000.html. 
  5. "Winzapper Trojan". Logiguard.com. http://logiguard.com/spyware/w/winzapper-trojan.htm. 
  6. "Forensic Footprint of Winzapper". Forensics.8thdaytech.com. http://forensics.8thdaytech.com/winzapper-forensic-foorprint. 
  7. Seifried, Kurt. "Microsoft Security Whitepaper - Windows NT". Seifried.org. http://www.seifried.org/security/os/microsoft/windowsnt.html. 
  8. "Gaps in Security Log". Windowsnetworking.com. http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/GapsinSecurityLog.html. 



Retrieved from "https://handwiki.org/wiki/index.php?title=Software:Winzapper&oldid=349294"