The rise of the white hat vigilante

"Hacking the hacker is far more fun than cracking poor people's software," says Xylitol, a former software cracker turned white hat vigilante.

SC doesn’t know Xylitol’s name, only that he lives in France, and has achieved fame in infosec circles for tireless disruption of cracker and fraud forums, botnets and malware kits.

Xylitol is one of a small but well-armed clutch of security professionals dedicated to the art of disruption.

These actors - some professional security engineers working for large corporations by day, some former crackers, some self-taught researchers seeking notoriety, sacrifice their free time to take the battle to the criminal underground.

Some spend there weekends attempting to reverse malware, others seek to identify attackers, while a small band launch skirmishes against black hats by busting their botnets and hacking their websites.

This week SC spoke to these white hats spread across France, India, Japan and Australia to find out why they take matters into their own hands, and the consequences that tend to follow.

We chose actors whose individual efforts have obliterated criminal enterprises or brought about successful cross-border prosecutions against black hats who would have likely otherwise escaped penalty.

Xylitol's day job couldn't be further from his war on black hats.

By day, he sweats on a vehicle assembly line for a manfacturer. But the physical exertion helps him "keep a cool head", he said, when it comes to hacking and provides him with an appreciation for an honest day's wage, something that drives his motivation to fight fraudsters.

After becoming bored with the routine software privacy, Xylitol began busting fake anti-virus and ransomware programs to help free victims of scareware campaigns.

'Ransomware' or 'scareware'  is a brutally effective combination of social engineering and malware, through which attackers infect a victim's machine with malware that disables or locks down access to its services or data and follow up the attack with demands for a payment to unlock or 'free' the machine.

Victims attempting to access their devices are sometimes presented with fake law enforcement notices claiming the user had been caught accessing illicit or copyright-infringing content, demanding payment of a fine; or conversely are accused of operating unlicensed software and asked to pay a license fee.

Xylitol was inspired by white hats at Secubox Labs, a firm that had found ways to reverse engineer ransomware in order to discover and publish decryption keys intended to be provided to victims only after payment of a fee or purported fine.

On several occasions, Xylitol has published decryption keys used to unlock the devices within hours of the criminal authors producing new versions of their malware.

His work has since expanded into infiltrating and tearing apart hacking and carding forums and publishing the source code for large botnets.

"I've moved into infiltrating affiliate programs, then fake pharmacies, carding communities -- I cover almost everything fraud related now," he said.

These efforts have drawn a regular stream of death threats to his online accounts.

In October 2010, Xylitol reversed and published the SpyEye kit, a hacking package available in cybercrime forums at prices in the thousands of dollars. He continued to release cracked copies of the malware each time its authors released an update.

And in April he breached infamous private cybercrime forum Darkode, exposing a mass of account details and private messages between hackers trading in the top dollar black market for zero-day exploits and malware.

A year later, Xylitol raided popular Russian site virtest - a site used by cyber criminals to test their wares against anti-virus offerings.

Darkode and Spyeye were among the most prominent disruptions in significant Xylitol's portfolio of interrupted criminal enterprises.

"I stopped counting them a long time ago," he said.

Another Frenchman, who acts under the handle of Kafeine, has built a loyal following by deconstructing scores of exploit, ransomware and malware kits. The seasoned researcher - and friend of Xylitol - has revealed zero-day flaws and specialises in exploit kit analysis.

Earlier this year, Kafeine detailed a zero-day Java exploit (CVE-2013-0422) for the InfoSec community that had been used by exploit kits such as BlackHole, Nuclear, Cool and Redkit. His post on the exploit warned users to disable Java and received hundreds of thousands of hits.

From there, news filtered out to researchers at major anti-virus firms and then to the wider press.

Read on as we meet more of Xylitol's kind...

Copyright © SC Magazine, Australia