Winzapper

Winzapper is a freeware utility / hacking tool used to selectively delete individual events from the Microsoft Windows NT 4.0 and Windows 2000 Security Log. It was developed by Arne Vidstrom as a proof-of-concept tool demonstrating that once the Administrator account has been compromised, event logs are no longer reliable.[1] According to Hacking Exposed: Windows Server 2003, Winzapper works with Windows NT/2000/2003.[2]

Prior to Winzapper's creation, Administrators already had the ability to clear the Security Log, either through the Event Viewer or through third-party tools such as Clearlogs.[3] However, Windows lacked any built-in method of selectively deleting events from the Security Log, and an unexpected clearing of the entire log would likely be a red flag to system administrators that an intrusion had occurred. Winzapper allows an attacker to hide the intrusion by deleting only the log events relevant to the attack while leaving the rest of the log intact. Winzapper, as publicly released, could not be run remotely without a tool such as Terminal Services; however, according to Arne Vidstrom, it could easily be modified for remote operation.[4]
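The two tampering styles contrasted above (clearing the whole log versus removing individual records) leave different traces, and a defender can check for both in an exported Security Log. The following is an added example written for this page; it is not Winzapper code, nor Arne Vidstrom's, nor part of the original article. It assumes a constructed export format of one record per line as "Index, EventID, TimeGenerated" (the field names PowerShell's Get-EventLog exposes), uses the real "audit log was cleared" event IDs (517 on NT 4.0/2000/2003, 1102 on Vista and later) and the NT/2000 Security Log IDs 528, 592, 560 and 538 in the sample data, and assumes that deleting a record leaves the surviving record numbers unrenumbered. The gap check is only a heuristic: a tool that also renumbers records defeats it, and because any of these tools needs Administrator rights on the host, the durable control is forwarding Security events to a separate collector before they can be rewritten locally.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Event IDs that announce "The audit log was cleared": 517 on NT 4.0/2000/2003,
# 1102 on Windows Vista and later.
LOG_CLEARED_IDS = {517, 1102}


@dataclass(frozen=True)
class Record:
    index: int            # record number assigned by the event log service
    event_id: int
    time_generated: datetime


def parse_export(text: str) -> List[Record]:
    """Parse the assumed tab-separated export (Index, EventID, TimeGenerated)."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Index"):
            continue            # skip blank lines and the header row
        index, event_id, stamp = line.split("\t")
        records.append(Record(int(index), int(event_id),
                              datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")))
    return records


def find_index_gaps(records: List[Record]) -> List[Tuple[int, int]]:
    """Return (last_seen, next_seen) pairs wherever the record numbers skip.

    The log service assigns record numbers sequentially, so a surviving
    sequence 1003, 1007 means three records once existed between them
    (assumption: the deletion tool did not renumber the survivors)."""
    ordered = sorted(records, key=lambda r: r.index)
    return [(a.index, b.index) for a, b in zip(ordered, ordered[1:])
            if b.index != a.index + 1]


def find_clear_events(records: List[Record]) -> List[Record]:
    """Records announcing that the audit log was cleared (the noisy approach)."""
    return [r for r in records if r.event_id in LOG_CLEARED_IDS]


def audit(text: str) -> Dict[str, object]:
    """Run both checks over an export and return the findings."""
    records = parse_export(text)
    gaps = find_index_gaps(records)
    return {
        "records": len(records),
        "gaps": gaps,
        "missing_records": sum(b - a - 1 for a, b in gaps),
        "cleared": [r.index for r in find_clear_events(records)],
    }


# Constructed sample: a log from which an attacker removed records 1004-1006
# (for instance a logon and the process it started). Event IDs are the NT/2000
# ones: 528 logon, 592 process created, 560 object opened, 538 logoff.
SAMPLE_EXPORT = """\
Index\tEventID\tTimeGenerated
1001\t528\t2000-09-06 08:00:01
1002\t592\t2000-09-06 08:00:05
1003\t560\t2000-09-06 08:00:09
1007\t538\t2000-09-06 08:05:40
1008\t528\t2000-09-06 08:06:02
"""

# Constructed sample: a log after a wholesale clear, which leaves event 517 behind.
CLEARED_EXPORT = """\
Index\tEventID\tTimeGenerated
2001\t517\t2000-09-06 09:12:00
2002\t528\t2000-09-06 09:12:30
"""

if __name__ == "__main__":
    for name, export in (("selective deletion", SAMPLE_EXPORT),
                         ("log cleared", CLEARED_EXPORT)):
        print(name, audit(export))
```

Run against the first sample, the clear-event check finds nothing while the gap check reports one gap covering three missing records; against the second, the gap check is silent but record 2001 is the tell-tale 517. Neither check helps if the export itself was taken from the host after the tampering, which is the point the article makes about logs on a compromised machine.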

There is also an unrelated trojan horse by the same name.[5]

  1. ^ "Winzapper FAQ". NTSecurity.
  2. ^ Joel Scambray, Stuart McClure (October 27, 2006). Hacking Exposed Windows Server 2003. McGraw-Hill Osborne Media, 1st edition. p. 228. ISBN 9780072230611.
  3. ^ "Hacktool.Clearlogs". Symantec.com. Archived from the original on January 8, 2007.
  4. ^ Vidstrom, Arne (September 6, 2000). "Announcing WinZapper - erase individual event records in the security log of Windows NT 4.0 / 2000". Security-express.com.
  5. ^ "Winzapper Trojan". Logiguard.com.