Winzapper is a freeware utility / hacking tool used to delete individual events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, the event logs stored on that host are no longer reliable. According to ''Hacking Exposed: Windows Server 2003'', Winzapper works with Windows NT/2000/2003. Prior to Winzapper's creation, Administrators already had the ability to clear the Security Log entirely, either through the Event Viewer or through third-party tools such as Clearlogs. However, Windows lacked any built-in method of selectively deleting events from the Security Log, and a wholesale clearing is itself recorded by Windows as an audit event (event ID 517 on NT/2000/2003, 1102 on later versions), so an unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper allows an attacker to hide the intrusion by deleting only those log events relevant to the attack and leaving the rest of the log intact. Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such as Terminal Services. However, according to Arne Vidstrom, it could easily be modified for remote operation. There is also an unrelated trojan horse by the same name.


Countermeasures

Winzapper creates a backup of the original Security Log, "dummy.dat", in %systemroot%\system32\config. If it has been deleted, this file may be undeleted after an attack to recover the original log. Conceivably, however, a savvy attacker might copy a sufficiently large file over dummy.dat and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a reboot, so an unexpected reboot may be a clue that Winzapper has recently been used. Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this. According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running". Such a policy only raises the bar: a path rule is defeated by renaming the binary, a hash rule by recompiling it, and an attacker who already holds Administrator rights on the host (which Winzapper requires) has other ways to interfere with a local policy. The more robust countermeasure follows from the tool's own lesson: forward Security Log events to a separate collector as they are generated, so that a copy exists which the compromised host cannot selectively rewrite.

