- Winzapper
. It was developed by Peter Nordahl as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable [ [http://www.ntsecurity.nu/toolbox/winzapper/ Winzapper FAQ] , NTSecurity.] . According to "Hacking Exposed: Windows Server 2003", Winzapper works with Windows NT/2000/2003 [ [http://books.google.com/books?id=UVchzZjT-jcC&pg=PA228&lpg=PA228&dq=winzapper&source=web&ots=EnWURte1ct&sig=iCwKQHMmQqC1rMwMM6SODUZ0ZIc Hacking Exposed Windows Server 2003] , Joel Scambray, Stuart McClure, p. 228, McGraw-Hill Osborne Media, 1 edition, October 27, 2006.] .
Prior to Winzapper's creation, Administrators already had the ability to clear the Security log either through the
Event Viewer or through third-party tools such asClearlogs [ [http://www.symantec.com/security_response/writeup.jsp?docid=2004-102811-2608-99 Hacktool.Clearlogs] , Symantec.] However, Windows lacked any built-in method of selectively deleting events from the Security Log. An unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper would allow a hacker to hide the intrusion by deleting only those log events relevant to the attack. Winzapper, as publicly released, lacked the ability to be run remotely without the use of a tool such asTerminal Services . However, according to Arne Vidstrom, it could easily be modified for remote operation [ [http://www.security-express.com/archives/bugtraq/2000-09/0000.html Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000] , Arne Vidstrom, Sep. 6, 2000.] .There is also an unrelated
parasitic trojan by the same name [ [http://logiguard.com/spyware/w/winzapper-trojan.htm Winzapper Trojan] , Logiguard.] .Countermeasures
Winzapper creates a backup security log, "dummy.dat," at %systemroot%system32config [ [http://www.samag.com/documents/s=9366/sam0104o/0104o.htm How to Hack Windows, Part 3] , Kurt Seifried, Sys Admin, November 2000, Vol. 9 Issue 11.] . This file may be
undelete d after an attack to recover the original log [ [http://forensics.8thdaytech.com/winzapper-forensic-foorprint Forensic Footprint of Winzapper] , 8th Day Tech.] . Conceivably, however, a savvy user might copy a sufficiently large file over the dummy.dat file and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after areboot , so an unexpected reboot may be a clue that Winzapper has recently been used. [ [http://www.seifried.org/security/os/microsoft/windowsnt.html Microsoft Security Whitepaper - Windows NT] , Kurt Seifried.] . Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this.According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running" [ [http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/GapsinSecurityLog.html Gaps in Security Log] , WindowsNetworking.com.] .
References
Wikimedia Foundation. 2010.
