Winzapper

Winzapper is a tool for deleting individual event records from the Windows Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool, demonstrating that once the Administrator account has been compromised, event logs are no longer reliable [ [http://www.ntsecurity.nu/toolbox/winzapper/ Winzapper FAQ] , NTSecurity.] . According to "Hacking Exposed: Windows Server 2003", Winzapper works with Windows NT/2000/2003 [ [http://books.google.com/books?id=UVchzZjT-jcC&pg=PA228&lpg=PA228&dq=winzapper&source=web&ots=EnWURte1ct&sig=iCwKQHMmQqC1rMwMM6SODUZ0ZIc Hacking Exposed Windows Server 2003] , Joel Scambray, Stuart McClure, p. 228, McGraw-Hill Osborne Media, 1 edition, October 27, 2006.] .

Prior to Winzapper's creation, Administrators could already clear the Security Log in its entirety, either through the Event Viewer or through third-party tools such as Clearlogs [ [http://www.symantec.com/security_response/writeup.jsp?docid=2004-102811-2608-99 Hacktool.Clearlogs] , Symantec.] . However, Windows lacked any built-in way of selectively deleting events from the Security Log, and an unexpected clearing of the log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper allowed an attacker to hide an intrusion by deleting only those log events relevant to the attack. As publicly released, Winzapper could not be run remotely without the use of a tool such as Terminal Services; however, according to Arne Vidstrom, it could easily be modified for remote operation [ [http://www.security-express.com/archives/bugtraq/2000-09/0000.html Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000] , Arne Vidstrom, Sep. 6, 2000.] .

There is also an unrelated parasitic trojan by the same name [ [http://logiguard.com/spyware/w/winzapper-trojan.htm Winzapper Trojan] , Logiguard.] .

Countermeasures

Winzapper creates a backup copy of the Security Log, "dummy.dat," in %systemroot%\system32\config [ [http://www.samag.com/documents/s=9366/sam0104o/0104o.htm How to Hack Windows, Part 3] , Kurt Seifried, Sys Admin, November 2000, Vol. 9 Issue 11.] . Because the file is merely deleted rather than wiped, it can often be undeleted after an attack to recover the original log [ [http://forensics.8thdaytech.com/winzapper-forensic-foorprint Forensic Footprint of Winzapper] , 8th Day Tech.] . Conceivably, however, a savvy attacker might copy a sufficiently large file over dummy.dat and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a reboot, so an unexpected reboot may be a clue that Winzapper has recently been used [ [http://www.seifried.org/security/os/microsoft/windowsnt.html Microsoft Security Whitepaper - Windows NT] , Kurt Seifried.] . Another potential clue to a Winzapper-based attempt is corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will corrupt the log it rewrites.

According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running" [ [http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/GapsinSecurityLog.html Gaps in Security Log] , WindowsNetworking.com.] . Such a policy only raises the bar: a path rule is defeated by renaming the executable, a hash rule matches only that exact binary, and an administrator with rights to edit the policy can simply turn it off. The tool's underlying point stands: once the Administrator account is compromised, the local Security Log cannot be trusted on its own, so security events should also be forwarded to a separate, hardened host where the attacker cannot edit them.
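The two log-side traces discussed above, an explicit clearing (event ID 517, "The audit log was cleared," on Windows NT/2000/2003) and gaps in the record-number sequence left by selective deletion, can be checked mechanically over an exported Security Log. The script below is an added example and is not code from the original article or from the Winzapper project. It assumes, as the title of the WindowsNetworking.com tip implies, that the records surviving a Winzapper run keep their original record numbers; the CSV export format and the sample records are constructed for the example.

```python
"""Flag selective-deletion traces in an exported Windows Security Log.

Added example: the export layout (record,event_id,timestamp,user) and the
sample rows are constructed; they are not output of any real tool.
"""
from dataclasses import dataclass

# Windows NT/2000/2003 Security event "The audit log was cleared".
AUDIT_LOG_CLEARED = 517


@dataclass(frozen=True)
class SecurityEvent:
    record_number: int
    event_id: int
    timestamp: str  # kept as text; ordering is by record_number
    user: str


# Constructed sample export of an NT4/2000-style Security Log after someone
# removed records 1044-1046 and then, later, cleared the log outright.
SAMPLE_EXPORT = """\
record,event_id,timestamp,user
1041,528,2000-09-06 09:12:01,jdoe
1042,560,2000-09-06 09:12:03,jdoe
1043,562,2000-09-06 09:12:03,jdoe
1047,528,2000-09-06 09:30:44,svc_backup
1048,538,2000-09-06 09:31:10,jdoe
1049,517,2000-09-06 10:02:17,Administrator
1050,528,2000-09-06 10:02:40,Administrator
"""


def parse_export(text):
    """Parse the constructed CSV layout into events sorted by record number."""
    events = []
    for line in text.strip().splitlines()[1:]:  # skip header row
        rec, eid, ts, user = line.split(",", 3)
        events.append(SecurityEvent(int(rec), int(eid), ts, user))
    return sorted(events, key=lambda e: e.record_number)


def find_record_gaps(events):
    """Return (last_seen, next_seen) pairs where record numbers skip.

    Record numbers in the Security Log are assigned sequentially, so a hole
    between two surviving records means records were removed or lost, which
    is exactly the footprint a selective-deletion tool leaves behind.
    """
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur.record_number != prev.record_number + 1:
            gaps.append((prev.record_number, cur.record_number))
    return gaps


def find_log_cleared(events):
    """Return the 517 events: a wholesale clear, the older red flag."""
    return [e for e in events if e.event_id == AUDIT_LOG_CLEARED]


def analyse(text):
    """Summarise both traces for an exported log."""
    events = parse_export(text)
    gaps = find_record_gaps(events)
    return {
        "gaps": gaps,
        "missing_records": sum(hi - lo - 1 for lo, hi in gaps),
        "cleared_by": [(e.record_number, e.user) for e in find_log_cleared(events)],
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_EXPORT)
    for lo, hi in result["gaps"]:
        print(f"gap: records {lo + 1}..{hi - 1} missing")
    for rec, user in result["cleared_by"]:
        print(f"record {rec}: audit log cleared by {user}")
```

On the sample data the gap check reports records 1044 through 1046 missing and the 517 check reports the clear by Administrator. Neither check is conclusive on its own: a tamper tool that renumbers surviving records leaves no gap, and a legitimate administrator also produces a 517 when rotating a full log, so both findings should be correlated with the host-side clues above (dummy.dat, an unexplained reboot, a corrupted log) and with a copy of the log held on another machine.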

Wikimedia Foundation. 2010.
