Winzapper

From Wikipedia, the free encyclopedia

Winzapper in action.

Winzapper is a freeware utility / hacking tool used to delete events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Peter Nordahl as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable.[1] According to Hacking Exposed: Windows Server 2003, Winzapper works with Windows NT/2000/2003.[2]

Prior to Winzapper's creation, Administrators already had the ability to clear the Security log either through the Event Viewer or through third-party tools such as Clearlogs.[3] However, Windows lacked any built-in method of selectively deleting events from the Security Log. An unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper would allow a hacker to hide the intrusion by deleting only those log events relevant to the attack. Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such as Terminal Services. However, according to Arne Vidstrom, it could easily be modified for remote operation.[4]

There is also an unrelated parasitic trojan by the same name.[5]

Countermeasures

Winzapper creates a backup of the security log, "dummy.dat," at %systemroot%\system32\config.[6] This file may be recovered (undeleted) after an attack to restore the original log.[7] Conceivably, however, a savvy attacker might copy a sufficiently large file over the dummy.dat file and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a reboot, so an unexpected reboot may be a clue that Winzapper has recently been used.[8] Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this.
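The following PowerShell function is an added example, not part of this article and not code from Peter Nordahl or Winzapper itself; it looks on a Windows host for the three traces described above: the dummy.dat backup (preserving a copy before it can be overwritten), a reboot close to that file's write time, and a Security log that cannot be read. It assumes PowerShell 3.0 or later and that event ID 6005 in the System log marks each start of the Event Log service; neither assumption comes from the article, and the event ID should be verified on the Windows build in use.

```powershell
# Added example for the Countermeasures section above; not from the article
# or from Winzapper. Assumptions (not stated in the article): PowerShell 3.0+
# and that System log event ID 6005 records each Event Log service start-up.
function Get-WinzapperIndicators {
    [CmdletBinding()]
    param(
        # Directory the article names as the location of the dummy.dat backup
        [string]$ConfigDir = (Join-Path $env:SystemRoot 'system32\config'),
        # Folder in which to preserve a copy of dummy.dat before it can be overwritten
        [string]$PreserveTo = $env:TEMP,
        # How close (in minutes) a reboot must be to the backup's write time to be reported
        [int]$WindowMinutes = 60
    )

    $indicators = New-Object System.Collections.Generic.List[object]
    $backup = Join-Path $ConfigDir 'dummy.dat'

    # 1. The backup log left behind. Copy it out first: the article notes it can
    #    be irretrievably overwritten by copying a large file over it.
    if (Test-Path -LiteralPath $backup) {
        $file = Get-Item -LiteralPath $backup
        $copy = Join-Path $PreserveTo ('dummy.dat.{0:yyyyMMddHHmmss}' -f $file.LastWriteTime)
        Copy-Item -LiteralPath $backup -Destination $copy -ErrorAction SilentlyContinue
        $indicators.Add([pscustomobject]@{
            Indicator = 'dummy.dat present'
            When      = $file.LastWriteTime
            Detail    = '{0} bytes; preserved copy at {1}' -f $file.Length, $copy
        })

        # 2. An unexpected reboot shortly before or after the backup was written.
        #    Event ID 6005 marks each boot in the System log (assumption; verify
        #    on the Windows build you run).
        $filter = @{
            LogName   = 'System'
            Id        = 6005
            StartTime = $file.LastWriteTime.AddMinutes(-$WindowMinutes)
            EndTime   = $file.LastWriteTime.AddMinutes($WindowMinutes)
        }
        foreach ($boot in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
            $indicators.Add([pscustomobject]@{
                Indicator = 'Reboot near dummy.dat write time'
                When      = $boot.TimeCreated
                Detail    = 'System log event {0}' -f $boot.Id
            })
        }
    }

    # 3. A Security log that cannot be read (unusable until reboot), or that is
    #    empty because corruption forced it to be cleared, is the other sign the
    #    article gives. Reading the newest record fails in both cases.
    try {
        $null = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
    } catch {
        $indicators.Add([pscustomobject]@{
            Indicator = 'Security log not readable or empty'
            When      = Get-Date
            Detail    = $_.Exception.Message
        })
    }

    return $indicators
}

# Usage: run from an elevated prompt. No output means none of the traces were found.
Get-WinzapperIndicators | Sort-Object When | Format-Table -AutoSize
```

Reading the Security log and copying out of %systemroot%\system32\config both require administrative rights, so the function is meant for a host's own administrators or an incident responder, and the preserved copy should be moved off the machine before any further clean-up.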

According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running".[9]

References

  1. Winzapper FAQ, NTSecurity.
  2. Hacking Exposed Windows Server 2003, Joel Scambray, Stuart McClure, p. 228, McGraw-Hill Osborne Media, 1st edition, October 27, 2006.
  3. Hacktool.Clearlogs, Symantec.
  4. Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000, Arne Vidstrom, Sep. 6, 2000.
  5. Winzapper Trojan, Logiguard.
  6. How to Hack Windows, Part 3, Kurt Seifried, Sys Admin, November 2000, Vol. 9 Issue 11.
  7. Forensic Footprint of Winzapper, 8th Day Tech.
  8. Microsoft Security Whitepaper - Windows NT, Kurt Seifried.
  9. Gaps in Security Log, WindowsNetworking.com.