The rise of the white hat vigilante


Meet the renegades that strike out against the criminal underground.

"Hacking the hacker is far more fun than cracking poor people's software," says Xylitol, a former software cracker turned white hat vigilante.

SC doesn’t know Xylitol’s name, only that he lives in France, and has achieved fame in infosec circles for tireless disruption of cracker and fraud forums, botnets and malware kits.

Xylitol is one of a small but well-armed clutch of security professionals dedicated to the art of disruption.

These actors - some professional security engineers working for large corporations by day, some former crackers, some self-taught researchers seeking notoriety - sacrifice their free time to take the battle to the criminal underground.

Some spend their weekends attempting to reverse malware, others seek to identify attackers, while a small band launch skirmishes against black hats by busting their botnets and hacking their websites.

This week SC spoke to these white hats spread across France, India, Japan and Australia to find out why they take matters into their own hands, and the consequences that tend to follow.

We chose actors whose individual efforts have obliterated criminal enterprises or brought about successful cross-border prosecutions against black hats who would have likely otherwise escaped penalty.

Xylitol's day job couldn't be further from his war on black hats.

By day, he sweats on a vehicle assembly line for a manufacturer. But the physical exertion helps him "keep a cool head", he said, when it comes to hacking, and provides him with an appreciation for an honest day's wage, something that drives his motivation to fight fraudsters.

After becoming bored with routine software piracy, Xylitol began busting fake anti-virus and ransomware programs to help free victims of scareware campaigns.

'Ransomware' or 'scareware' is a brutally effective combination of social engineering and malware: attackers infect a victim's machine with malware that disables or locks down access to its services or data, then follow up the attack with demands for a payment to unlock or 'free' the machine.

Victims attempting to access their devices are sometimes presented with fake law enforcement notices claiming the user had been caught accessing illicit or copyright-infringing content, demanding payment of a fine; or conversely are accused of operating unlicensed software and asked to pay a license fee.

Xylitol was inspired by white hats at Secubox Labs, a firm that had found ways to reverse engineer ransomware in order to discover and publish decryption keys intended to be provided to victims only after payment of a fee or purported fine.

On several occasions, Xylitol has published decryption keys used to unlock the devices within hours of the criminal authors producing new versions of their malware.

His work has since expanded into infiltrating and tearing apart hacking and carding forums and publishing the source code for large botnets.

"I've moved into infiltrating affiliate programs, then fake pharmacies, carding communities -- I cover almost everything fraud related now," he said.

These efforts have drawn a regular stream of death threats to his online accounts.

In October 2010, Xylitol reversed and published the SpyEye kit, a hacking package available in cybercrime forums at prices in the thousands of dollars. He continued to release cracked copies of the malware each time its authors released an update.

And in April he breached infamous private cybercrime forum Darkode, exposing a mass of account details and private messages between hackers trading in the top dollar black market for zero-day exploits and malware.

A year later, Xylitol raided popular Russian site virtest - a site used by cyber criminals to test their wares against anti-virus offerings.

Darkode and SpyEye were among the most prominent disruptions in Xylitol's significant portfolio of interrupted criminal enterprises.

"I stopped counting them a long time ago," he said.

Another Frenchman, who acts under the handle of Kafeine, has built a loyal following by deconstructing scores of exploit, ransomware and malware kits. The seasoned researcher - and friend of Xylitol - has revealed zero-day flaws and specialises in exploit kit analysis.

Earlier this year, Kafeine detailed a zero-day Java exploit (CVE-2013-0422) for the InfoSec community that had been used by exploit kits such as BlackHole, Nuclear, Cool and Redkit. His post on the exploit warned users to disable Java and received hundreds of thousands of hits.

From there, news filtered out to researchers at major anti-virus firms and then to the wider press.

Read on as we meet more of Xylitol's kind...

Zhang Changhe

In India, a respected researcher known as Cyb3rsleuth has also earned notoriety for intelligence gathering and malware analysis.

Cyb3rsleuth works as a professional intelligence analyst but - when under the cover of anonymity - also has a penchant for not only disrupting black hat hackers but also identifying them to the public.

Among the white hat's most notable work was an adaptation of the research of SecureWorks' Joe Stewart. Stewart revealed to the world an active espionage campaign run out of China when he found a host of compromised government and corporate computers phoning home from the domain.

Cyb3rsleuth followed a trail of breadcrumbs from the online alias Tawnya Grilth, the registrant behind the domain, to a young man operating a mobile phone business in Zhengzhou, China.

"Zhang [Changhe's] attribution is one of the most memorable of my research efforts ... It gave me immense satisfaction," Cyb3rsleuth said.

Changhe was uncovered by linking email addresses and online aliases uncovered by Stewart with social networking sites, classified ads and business directories. Cyb3rsleuth also uncovered the identity of a Changhe collaborator with "close ties" to the People's Liberation Army.

Cyb3rsleuth keeps his real name closely under wraps to avoid what would otherwise be harsh retribution from cyber criminals.

"Anonymity is important for researchers like us because it allows us to focus on our work rather than worrying about hacker intrusions and securing our online presence," he said.

"Just look at [blogger] Brian Krebs and how the bad guys are harassing him with DDoS, writing malware in his name, sending carded (fraudulently-purchased) goods - including drugs - to his address. I am happy to avoid all this."

Cyb3rsleuth also claims to have identified the hacker behind the Rustock botnet and has passed the information onto Microsoft, which promised to investigate the matter. SC reached out to Microsoft's legal counsel Richard Boscovich but had not heard back by the time of publication.


For his part, Cyb3rsleuth said his intention was to help fellow researchers in their work and to provide intelligence to the broader security community.

"I would love to share knowledge with others and help combat cyber crime because I believe security is not one man or company's job. It works better when every one of us is aware of the events and tools that are coming up in underground communities."

For other actors, disrupting the online criminal world is an extension of their day jobs as white hat security professionals. Twelve months ago, Hendrik Adrian, the former chief executive of Kaspersky Labs Japan and now owner of KLJTECH, formed a not-for-profit group of vigilante researchers bearing the fitting name MalwareMustDie.

Adrian is known by the handle unixfreaxjp, and operates within a team that has infiltrated and commandeered botnets and reversed malware. The forensics and incident response professional also investigates advanced persistent threats and provides intelligence to computer emergency response teams (CERTs) around the world.

"You know how after a day of work you just gather and do something interesting with your friends? This is how we spend our time ... we crack the malware codes, we study them in detail, document all research materials and spread the knowledge so we can help to suppress the growth of malware," Adrian said.

"We are really under their skin and they don't even realise it."

Like his fellow independent researchers, Adrian and his team were driven to help protect users. The ex-AV boss said his former industry (antivirus) was unhelpful to the malware research space and, by extension, hurting users because it omitted important details from published malware analysis.

"People need to read and know the truth of what malware is, but the actual malware information is [hindered] by lame antivirus 'analysis' and this is very wrong," he said.

"They call it 'analysis'; I call it promotion to bullshit users."

He says the best work by the group of 30 core "veteran" security members was in the exposure of Darkleech, a malicious, prolific and mysterious attack vector that uses Apache modules to target servers and spray dangerous exploits over legitimate websites.

Adrian detailed some of the findings in a blog in March, which paid credit to other researchers that had examined their own chunks of the sophisticated malware. The harnessing of a sense of community has been instrumental in many botnet and malware take downs.

Darkleech resurfaced last month in a single attack campaign that used a variant to foist the Blackhole exploit kit. It has compromised more than 40,000 domains and IP addresses since October last year.

Malwaremustdie also foiled a bid by malware writers to use bittorrent for command and control, and have now turned their attention to taking down Kelihos, a bitcoin and spamming bot that resurfaced earlier this year.

The group joined fellow researchers, law enforcement, Microsoft and ICANN to take down some 200 Russian and Bahama domains used in Kelihos within a 48 hour period earlier this month. Adrian's group previously took down 97 Russian domains after the botnet had infected more than 23,000 IP addresses around the world.

Another team of researchers dedicated to busting malware and popping botnets work under, a wing of security firm iTrust Consulting.

This group of five security boffins, led by Paul Rascagneres, operate out of Luxembourg and provide malware samples and technical analysis to customers and the security research community at large.

"For me, the police are not enough and take too much time to act," Rascagneres told SC. "The processes are too long", he said, and it has been difficult for law enforcement to conduct offensive strikes at criminal enterprises.

Read on to learn how Rascagneres and his team fight back...

Paul Rascagneres. Credit:

One of's most prominent works involved a technical analysis of the alleged Beijing-backed hacker group APT1 [pdf]. 

Following on a detailed report on the Chinese group by research company Mandiant, went further and directly attacked and hijacked APT1's command and control servers which operated remote access trojans.

To do this they wrote a custom extension of the password cracker tool 'John the Ripper' to specifically target the Poison Ivy trojan, then exploited a known buffer overflow vulnerability in Ivy's command and control infrastructure. The group also wrote a tweaked Metasploit module to make the latter exploit more effective.

When Rascagneres' group found another homemade remote access trojan, they repeated the steps anew.

These attacks were concealed using a large amount of custom shell code.

"We worked a lot during that week," Rascagneres said. "We warned more than 50 states and organisations after our analysis."

Last year identified the creator of the Herpes botnet. Rascagneres exploited a time-based SQL injection in the command and control client which gave him the means to open a shell on the developer's machine, where he found a string of personal information including the owner's identity and Facebook account.

An 18-year-old Italian man would later tell Rascagneres that he sold the bot to pay for his tuition.

Many of the better known anti-malware groups choose not to attack and disrupt malicious hackers. 

The Shadowserver group, for example, operate according to a non-invasive policy under which they do not attack enemy infrastructure. This, says one member of ShadowServer's small Australian chapter, is a distinct line-in-the-sand that the group will not cross.

"It is the altruistic goal of trying to keep the internet safe," one member said of ShadowServer's overarching goals. Shadowserver was formed to provide an independent source of intelligence to law enforcement and the white-hat security community. It specifically aims to shore up botnet investigative and control techniques and improve malware analysis.

ShadowServer's team of volunteers have worked in global botnet takedowns, providing crucial information to thousands of organisations including law enforcement agencies and computer emergency response teams, notably with the massive takedowns of the Conficker worm.

The group has also been involved in sinkholing domains, including those used in complex state-sponsored espionage attacks.

This year, Shadowserver researchers compiled a list of recursive DNS servers in a bid to reduce the risk of large distributed denial of service attacks such as the April 300Gbps attack by bulletproof hosters against anti-spam organisation Spamhaus.

"To target the criminals, we find what servers and IPs they are using and approach the people they buy from," the Australian member of Shadowserver told SC. The group would look for legal clauses to have criminal enterprises shut down. A breach of a registrar's terms of service, for example, could be used to swipe their domain names.

"So rather than the information on victim machines going to some guy's server in Russia, it goes to us and we'll know who the victims are," he said.

This was a product of Shadowserver's "whiter than white" approach to cyber crime disruption. Many of its endeavours have been aided by other researchers providing information on cyber criminals, which is in turn disseminated to a large network of contacts at computer emergency response teams, security firms and law enforcement agencies.

The identities of some team members are kept tightly under wraps.

"We piss a lot of these guys off sometimes. We're ruining their businesses -- and these aren't small businesses. And they're not run by what you would expect to be nice people."

Shadowserver reports to about 5000 network owners about malicious activities they detect over their networks.

There are no reports of physical attacks against white hat security researchers, but the online deviants they target have other ways to retaliate.

Beyond the constant barrage of death threats and denial of service attacks launched from the burgeoning booter site service market, renegade white hats have been framed for illegal drug purchases and possession of child exploitation material and had heavily-armed police raid their houses due to an attack known as swatting.

In August 2008, police turned up at the door of Swiss researcher Roman Hüssy after botnet operators circulated a fake suicide note from him to hundreds of thousands of residents. The notes were sent in response to Hüssy's effective and long-running Zeus, SpyEye and Palevo tracker services, which have helped network operators block control domains used by the botnets they track.

More severe retribution was suggested by frustrated cyber criminals in 2011. One member posting on a cyber crime forum was reported by krebsonsecurity to have suggested mailing Hüssy an anthrax-laced letter, while another thought the gang should pool their cash to hire a hitman.

Another suggested that heroin be purchased and shipped to his house, alongside a tip-off to local police about the pending delivery.

Help or hindrance?

While offensive efforts against cyber criminals have helped to bring down several criminal enterprises, there can be serious consequences for law enforcement investigations.

In Australia, disruptive activity by renegade actors has foiled multiple law enforcement efforts.

Reliable sources tell SC that at least one investigation this year into a Sydney hacking gang had to be dropped shortly before law enforcement was ready to make an arrest after researchers broke into the cyber criminals' machines and compromised evidence.

Lawful botnet take downs have also triggered problems for researchers. In June this year, Hüssy, Shadowserver operatives and several other renegades criticised Microsoft after its FBI-backed take down of Citadel botnets and domains, codenamed Operation b54, damaged their own white hat botnet research.

Microsoft's take down disrupted 1462 botnets by redirecting 4000 Citadel domains to its own servers in a process known as sinkholing. Of those, a quarter were domain names already captured by Hüssy, who passed on the information these domain names provided on Citadel victims to Shadowserver and its global white hat network.

"Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers, because the Citadel domain names sinkholed by has been seized by Microsoft," Hüssy said.

"In fact, these 1000 domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place."

For its part, Microsoft's assistant general counsel Richard Boscovich said the company would offer data to any "key researchers" who were helping victims and would improve coordination of its future botnet take downs.


Copyright © SC Magazine, Australia
