Winzapper: Difference between revisions

From Wikipedia, the free encyclopedia

Latest revision as of 22:45, 29 April 2024

Winzapper is a freeware utility / hacking tool used to delete events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable.[1] According to Hacking Exposed: Windows Server 2003, Winzapper works with Windows NT/2000/2003.[2]

Prior to Winzapper's creation, Administrators already had the ability to clear the Security log either through the Event Viewer or through third-party tools such as Clearlogs.[3] However, Windows lacked any built-in method of selectively deleting events from the Security Log. An unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper would allow a hacker to hide the intrusion by deleting only those log events relevant to the attack. Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such as Terminal Services. However, according to Arne Vidstrom, it could easily be modified for remote operation.[4]

There is also an unrelated trojan horse by the same name.[5]

Countermeasures

Winzapper creates a backup security log, "dummy.dat," at %systemroot%\system32\config. This file may be undeleted after an attack to recover the original log.[6] Conceivably, however, a savvy user might copy a sufficiently large file over the dummy.dat file and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a reboot, so an unexpected reboot may be a clue that Winzapper has recently been used.[7] Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this.

According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running".[8]
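The indicators above (the dummy.dat backup, an unexpected reboot, a cleared or corrupted Security log) lend themselves to a small triage script. The following PowerShell is an added example, not code from the article or from Winzapper's author; it assumes PowerShell 4 or later on Windows Vista or newer (for Get-WinEvent and Get-FileHash), and the event IDs 1102 (Security log cleared) and 6008 (unexpected shutdown) are standard Windows IDs rather than values taken from the article.

```powershell
# Added example: defender-side triage for the Winzapper indicators named in the
# Countermeasures section. Assumes Windows Vista+ / PowerShell 4+ (assumption).
param([int]$Days = 7)

$findings  = @()
$configDir = Join-Path $env:SystemRoot 'system32\config'
$dummy     = Join-Path $configDir 'dummy.dat'

# 1. Backup log Winzapper writes next to the real Security log.
if (Test-Path $dummy) {
    $item = Get-Item $dummy
    $hash = (Get-FileHash -Path $dummy -Algorithm SHA256).Hash
    $findings += "dummy.dat present ($($item.Length) bytes, modified $($item.LastWriteTime), SHA256 $hash)"
    # Preserve a copy at once: the article notes it can be overwritten and lost.
    $stamp = (Get-Date).ToString('yyyyMMddHHmmss')
    Copy-Item $dummy (Join-Path $env:TEMP "dummy.dat.$stamp.bak")
}

$since = (Get-Date).AddDays(-$Days)

# 2. Unexpected reboots: Event Viewer stays unusable until the box is rebooted.
$crashes = Get-WinEvent -FilterHashtable @{LogName='System'; Id=6008; StartTime=$since} `
           -ErrorAction SilentlyContinue
foreach ($e in $crashes) { $findings += "Unexpected shutdown logged at $($e.TimeCreated)" }

# 3. Security log cleared: a log corrupted by the tool usually has to be cleared.
$cleared = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} `
           -ErrorAction SilentlyContinue
foreach ($e in $cleared) { $findings += "Security log cleared at $($e.TimeCreated)" }

# 4. Heuristic (assumption, not from the article): selective deletion of a run of
#    records leaves an unexplained silence in an otherwise busy Security log.
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$since} `
          -ErrorAction SilentlyContinue | Sort-Object TimeCreated
for ($i = 1; $i -lt $events.Count; $i++) {
    $gap = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
    if ($gap.TotalHours -gt 6) {
        $findings += "No Security events between $($events[$i - 1].TimeCreated) and $($events[$i].TimeCreated)"
    }
}

if ($findings.Count -eq 0) { 'No Winzapper indicators found.' } else { $findings }
```

Run it elevated, since reading the Security log requires administrative rights; the gap threshold in step 4 should be tuned to the host's normal audit volume.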

References

  1. Winzapper FAQ. NTSecurity.
  2. Scambray, Joel; McClure, Stuart (October 27, 2006). Hacking Exposed Windows Server 2003. McGraw-Hill Osborne Media, 1st edition. p. 228. ISBN 9780072230611.
  3. "Hacktool.Clearlogs". Symantec.com. Archived from the original on January 8, 2007.
  4. Vidstrom, Arne (September 6, 2000). "Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000". Security-express.com.
  5. "Winzapper Trojan". Logiguard.com.
  6. "Forensic Footprint of Winzapper". Forensics.8thdaytech.com.
  7. Seifried, Kurt. "Microsoft Security Whitepaper - Windows NT". Seifried.org.
  8. "Gaps in Security Log". Windowsnetworking.com.