One of Malware.lu's most prominent works involved a technical analysis of the alleged Beijing-backed hacker group APT1 [pdf].


Following a detailed report on the Chinese group by research company Mandiant, Malware.lu went further and directly attacked and hijacked APT1's command and control servers, which operated remote access trojans.
To do this, they wrote a custom extension of the password cracker 'John the Ripper' to specifically target the Poison Ivy trojan, then exploited a known buffer overflow vulnerability in Poison Ivy's command and control infrastructure. The group also wrote a tweaked Metasploit module to make the latter exploit more effective.
When Rascagneres' group found another homemade remote access trojan, they repeated the process.
These attacks were concealed using a large amount of custom shellcode.
"We worked a lot during that week," Rascagneres said. "We warned more than 50 states and organisations after our analysis."
Last year Malware.lu identified the creator of the Herpes botnet. Rascagneres exploited a time-based SQL injection in the command and control client which gave him the means to open a shell on the developer's machine, where he found a string of personal information including the owner's identity and Facebook account.
An 18-year-old Italian man would later tell Rascagneres that he had sold the bot to pay for his tuition.
Many of the better known anti-malware groups choose not to attack and disrupt malicious hackers.
The Shadowserver group, for example, operates according to a non-invasive policy under which it does not attack enemy infrastructure. This, says one member of Shadowserver's small Australian chapter, is a distinct line in the sand that the group will not cross.
"It is the altruistic goal of trying to keep the internet safe," one member said of Shadowserver's overarching goals. Shadowserver was formed to provide an independent source of intelligence to law enforcement and the white-hat security community. It specifically aims to shore up botnet investigative and control techniques and improve malware analysis.
Shadowserver's team of volunteers has worked on global botnet takedowns, providing crucial information to thousands of organisations including law enforcement agencies and computer emergency response teams, notably in the massive takedown of the Conficker worm.
The group has also been involved in sinkholing domains, including those used in complex state-sponsored espionage attacks.
This year, Shadowserver researchers compiled a list of recursive DNS servers in a bid to reduce the risk of large distributed denial of service attacks such as the April 300Gbps attack by bulletproof hosters against anti-spam organisation Spamhaus.
"To target the criminals, we find what servers and IPs they are using and approach the people they buy from," the Australian member of Shadowserver told SC. The group looks for legal clauses under which criminal enterprises can be shut down. A breach of a registrar's terms of service, for example, could be used to take away their domain names.
"So rather than the information on victim machines going to some guy's server in Russia, it goes to us and we'll know who the victims are," he said.
This was a product of Shadowserver's "whiter than white" approach to cyber crime disruption. Many of its endeavours have been aided by other researchers providing information on cyber criminals, which is in turn disseminated to a large network of contacts at computer emergency response teams, security firms and law enforcement agencies.
The identities of some team members are kept tightly under wraps.
"We piss a lot of these guys off sometimes. We're ruining their businesses -- and these aren't small businesses. And they're not run by what you would expect to be nice people."
Shadowserver reports to about 5000 network owners on the malicious activity it detects on their networks.
Retribution
There are no reports of physical attacks against white hat security researchers, but the online deviants they target have other ways to retaliate.
Beyond the constant barrage of death threats and denial of service attacks launched from the burgeoning booter-site service market, renegade white hats have been framed for illegal drug purchases and possession of child exploitation material, and have had heavily armed police raid their houses through an attack known as swatting.
In August 2008, police turned up at the door of Swiss researcher Roman Hüssy after botnet operators circulated a fake suicide note from him to hundreds of thousands of residents. The notes were sent in response to Hüssy's effective and long-running Zeus, SpyEye and Palevo tracker services, which have helped network operators block control domains used by the botnets they track.
More severe retribution was suggested by frustrated cyber criminals in 2011. One member posting on a cyber crime forum was reported by KrebsOnSecurity to have suggested mailing Hüssy an anthrax-laced letter, while another thought the gang should pool their cash to hire a hitman.
Another suggested that heroin be purchased and shipped to his house, alongside a tip-off to local police about the pending delivery.
Help or hindrance?
While offensive efforts against cyber criminals have helped to bring down several criminal enterprises, there can be serious consequences for law enforcement investigations.
In Australia, disruptive activity by renegade actors has foiled multiple law enforcement efforts.
Reliable sources tell SC that at least one investigation this year into a Sydney hacking gang had to be dropped shortly before law enforcement was ready to make an arrest after researchers broke into the cyber criminals' machines and compromised evidence.
Lawful botnet takedowns have also caused problems for researchers. In June this year, Hüssy, Shadowserver operatives and several other renegades criticised Microsoft after its FBI-backed takedown of Citadel botnets and domains, codenamed Operation b54, damaged their own white hat botnet research.
Microsoft's takedown disrupted 1462 botnets by redirecting 4000 Citadel domains to its own servers, a process known as sinkholing. Of those, a quarter were domain names already captured by Hüssy, who passed the information these domain names provided on Citadel victims to Shadowserver and its global white hat network.
"Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers, because the Citadel domain names sinkholed by abuse.ch have been seized by Microsoft," Hüssy said.
"In fact, these 1000 domain names no longer presented a threat to internet users, but were actually used to help to make the internet a better place."
For its part, Microsoft's assistant general counsel Richard Boscovich said the company would offer data to any "key researchers" who were helping victims and would improve coordination of its future botnet takedowns.
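The sinkholing workflow described above (captured control domains pointed at a researcher's server, the connecting victims grouped by network owner for notification, and the overlap problem when two parties sinkhole the same domains) can be illustrated with a small script. This is an added example, not code from the article, from Shadowserver, or from abuse.ch; the log format, the prefix-to-owner table and the domain lists are all constructed stand-ins for what a real sinkhole would collect and what WHOIS or BGP data would supply.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole access-log lines (not real data): timestamp, victim IP, Host header.
# Addresses come from the RFC 5737 documentation ranges; 10.0.0.5 is an RFC 1918 address
# that a sinkhole might see through a NAT misconfiguration and cannot be attributed.
SINKHOLE_LOG = """\
2013-06-05T10:01:12Z 203.0.113.17 c2-alpha.example
2013-06-05T10:01:15Z 203.0.113.17 c2-alpha.example
2013-06-05T10:02:40Z 198.51.100.9 c2-beta.example
2013-06-05T10:03:01Z 192.0.2.77 c2-alpha.example
2013-06-05T10:04:22Z 198.51.100.200 c2-gamma.example
2013-06-05T10:05:00Z 10.0.0.5 c2-beta.example
"""

# Constructed prefix -> network owner table (assumed; a stand-in for WHOIS/BGP lookups).
NETWORK_OWNERS = {
    "203.0.113.0/24": "ExampleNet-AU",
    "198.51.100.0/24": "ExampleISP-EU",
    "192.0.2.0/24": "ExampleUni",
}

# RFC 1918 and loopback space: a victim address here cannot be mapped to an owner.
# Python's ip.is_private would also flag the RFC 5737 ranges used in the sample, so the
# check is explicit rather than relying on that property.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Turn raw sinkhole log lines into (timestamp, IPv4Address, domain) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host = line.split()
        records.append((ts, ipaddress.ip_address(ip), host.lower()))
    return records


def owner_of(ip, owners=NETWORK_OWNERS):
    """Longest-prefix match of a victim address against the owner table."""
    nets = sorted(((ipaddress.ip_network(p), o) for p, o in owners.items()),
                  key=lambda t: t[0].prefixlen, reverse=True)
    for net, owner in nets:
        if ip in net:
            return owner
    return None


def victims_by_owner(records):
    """Group unique victim IPs per network owner with the C2 domains each contacted.

    Repeated check-ins from the same host collapse to one entry, and non-routable
    sources are dropped because no network owner can be notified about them.
    """
    report = defaultdict(lambda: defaultdict(set))
    for _ts, ip, host in records:
        if any(ip in net for net in NON_ROUTABLE):
            continue
        owner = owner_of(ip) or "UNKNOWN"
        report[owner][str(ip)].add(host)
    return {o: {ip: sorted(hosts) for ip, hosts in v.items()} for o, v in report.items()}


def sinkhole_overlap(new_domains, existing_domains):
    """Domains a new takedown would seize that another party already sinkholes.

    Returns the overlapping set and its share of the new takedown's domain list,
    the kind of check that would have shown the collision described in the article.
    """
    new = {d.lower() for d in new_domains}
    existing = {d.lower() for d in existing_domains}
    overlap = new & existing
    share = len(overlap) / len(new) if new else 0.0
    return sorted(overlap), share


if __name__ == "__main__":
    for owner, victims in victims_by_owner(parse_log(SINKHOLE_LOG)).items():
        print(owner, victims)
    print(sinkhole_overlap(["c2-alpha.example", "c2-beta.example",
                            "c2-gamma.example", "c2-delta.example"],
                           ["c2-alpha.example", "c2-other.example"]))
```

The per-owner report is what a notification feed to network owners is built from; the overlap check is the coordination step that, run before seizing domains, would reveal that a share of them were already under another researcher's control.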