Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Winzapper
open-in-new
<h2 id="countermeasures">Countermeasures</h2> <p>Winzapper creates a backup security log, "dummy.dat," at %systemroot%\system32\config. This file may be <a href="/facts/Undelete/RJHzHYdn">undeleted</a> after an attack to recover the original log.<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a> Conceivably, however, a savvy user might copy a sufficiently large file over the dummy.dat file and thus irretrievably overwrite it. Winzapper causes the Event Viewer to become unusable until after a <a href="/facts/Booting/j6N1kRpc">reboot</a>, so an unexpected reboot may be a clue that Winzapper has recently been used.<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a> Another potential clue to a Winzapper-based attempt would be corruption of the Security Log (requiring it to be cleared), since there is always a small risk that Winzapper will do this. </p><p>According to WindowsNetworking.com, "One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running".<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a> </p> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>Winzapper FAQ, NTSecurity. <a href="http://www.ntsecurity.nu/toolbox/winzapper/" target="_blank">http://www.ntsecurity.nu/toolbox/winzapper/</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Joel Scambray, Stuart McClure (October 27, 2006). Hacking Exposed Windows Server 2003. McGraw-Hill Osborne Media, 1 edition. p. 228. ISBN 9780072230611. <a href="9780072230611" target="_blank">9780072230611</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Hacktool.Clearlogs". Symantec.com. Archived from the original on January 8, 2007. <a href="https://web.archive.org/web/20070108020358/http://www.symantec.com/security_response/writeup.jsp?docid=2004-102811-2608-99" target="_blank">https://web.archive.org/web/20070108020358/http://www.symantec.com/security_response/writeup.jsp?docid=2004-102811-2608-99</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Vidstrom, Arne (September 6, 2000). "Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000". Security-express.com. <a href="http://www.security-express.com/archives/bugtraq/2000-09/0000.html" target="_blank">http://www.security-express.com/archives/bugtraq/2000-09/0000.html</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>"Winzapper Trojan". Logiguard.com. <a href="http://logiguard.com/spyware/w/winzapper-trojan.htm" target="_blank">http://logiguard.com/spyware/w/winzapper-trojan.htm</a> <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"Forensic Footprint of Winzapper". Forensics.8thdaytech.com. <a href="http://forensics.8thdaytech.com/winzapper-forensic-foorprint" target="_blank">http://forensics.8thdaytech.com/winzapper-forensic-foorprint</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>Seifried, Kurt. "Microsoft Security Whitepaper - Windows NT". Seifried.org. <a href="https://www.seifried.org/security/os/microsoft/windowsnt.html" target="_blank">https://www.seifried.org/security/os/microsoft/windowsnt.html</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"Gaps in Security Log". Windowsnetworking.com. <a href="http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/GapsinSecurityLog.html" target="_blank">http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/GapsinSecurityLog.html</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> </ol>