The rise of the white hat vigilante


In India, a respected researcher known as Cyb3rsleuth has also earned notoriety for intelligence gathering and malware analysis.

Image caption: Zhang Changhe

Cyb3rsleuth works as a professional intelligence analyst but - when under the cover of anonymity - also has a penchant for not only disrupting black hat hackers but also identifying them to the public.

Among the white hat's most notable work was an adaptation of the research of SecureWorks' Joe Stewart. Stewart revealed to the world an active espionage campaign run out of China when he found a host of compromised government and corporate computers phoning home from the dellpc.us domain.

Cyb3rsleuth followed a trail of breadcrumbs linked to the online alias Tawnya Grilth, the registrant behind the dellpc.us domain, and found a young man operating a mobile phone business in Zhengzhou, China.

"Zhang [Changhe's] attribution is one of the most memorable of my research efforts ... It gave me immense satisfaction," Cyb3rsleuth said.

Changhe was identified by linking the email addresses and online aliases uncovered by Stewart with social networking sites, classified ads and business directories. Cyb3rsleuth also uncovered the identity of a Changhe collaborator with "close ties" to the People's Liberation Army.

Cyb3rsleuth keeps his real name closely under wraps to avoid what would otherwise be harsh retribution from cyber criminals.

"Anonymity is important for researchers like us because it allows us to focus on our work rather than worrying about hacker intrusions and securing our online presence," he said.

"Just look at [blogger] Brian Krebs and how the bad guys are harassing him with DDoS, writing malware in his name, sending carded (fraudulently-purchased) goods - including drugs - to his address. I am happy to avoid all this."

Cyb3rsleuth also claims to have identified the hacker behind the Rustock botnet and has passed the information on to Microsoft, which promised to investigate the matter. SC reached out to Microsoft's legal counsel Richard Boscovich but had not heard back by the time of publication.


For his part, Cyb3rsleuth said his intention was to help fellow researchers in their work and to provide intelligence to the broader security community.

"I would love to share knowledge with others and help combat cyber crime because I believe security is not one man or company's job. It works better when every one of us is aware of the events and tools that are coming up in underground communities."

Business

For other actors, disrupting the online criminal world is an extension of their day jobs as white hat security professionals. Twelve months ago, Hendrik Adrian, the former chief executive of Kaspersky Labs Japan and now owner of KLJTECH, formed a not-for-profit group of vigilante researchers bearing the fitting name MalwareMustDie.

Adrian is known by the handle unixfreaxjp and operates within a team that has infiltrated and commandeered botnets and reversed malware. The forensics and incident response professional also investigates advanced persistent threats and provides intelligence to computer emergency response teams (CERTs) around the world.

"You know how after a day of work you just gather and do something interesting with your friends? This is how we spend our time ... we crack the malware codes, we study them in detail, document all research materials and spread the knowledge so we can help to suppress the growth of malware," Adrian said.

"We are really under their skin and they don't even realise it."

Like his fellow independent researchers, Adrian and his team were driven to help protect users. The ex-AV boss said his former industry (antivirus) was unhelpful to the malware research space and, by extension, hurt users because it omitted important details from published malware analysis.

"People need to read and know the truth of what malware is, but the actual malware information is [hindered] by lame antivirus 'analysis' and this is very wrong," he said.

"They call it 'analysis'; I call it promotion to bullshit users."

He says the best work by the group of 30 core "veteran" security members was in the exposure of Darkleech, a malicious, prolific and mysterious attack vector that uses Apache modules to target servers and spray dangerous exploits over legitimate websites.

Adrian detailed some of the findings in a blog in March, which paid credit to other researchers who had examined their own chunks of the sophisticated malware. Harnessing this sense of community has been instrumental in many botnet and malware takedowns.

Darkleech resurfaced last month in a single attack campaign that used a variant to foist the Blackhole exploit kit. It has compromised more than 40,000 domains and IP addresses since October last year.

MalwareMustDie also foiled a bid by malware writers to use BitTorrent for command and control, and has now turned its attention to taking down Kelihos, a bitcoin-mining and spamming bot that resurfaced earlier this year.

The group joined fellow researchers, law enforcement, Microsoft and ICANN to take down some 200 Russian and Bahamas domains used by Kelihos within a 48-hour period earlier this month. Adrian's group previously took down 97 Russian domains after the botnet had infected more than 23,000 IP addresses around the world.

Another team of researchers dedicated to busting malware and popping botnets works under malware.lu, a wing of security firm iTrust Consulting.

This group of five security boffins, led by Paul Rascagneres, operates out of Luxembourg and provides malware samples and technical analysis to customers and the security research community at large.

"For me, the police are not enough and take too much time to act," Rascagneres told SC. "The processes are too long," he said, and it has been difficult for law enforcement to conduct offensive strikes against criminal enterprises.

Read on to learn how Rascagneres and his team fight back...


Copyright © SC Magazine, Australia
