Photo: Vishant Patel, senior manager of investigations at the Microsoft Digital Crimes Unit, shows a heat map and talks about how malicious computer networks known as the Citadel botnets attack computers in Western Europe, at the Microsoft Cybercrime Center in Redmond, Washington. Reuters/Jason Redmond

Somewhere online right now, a digital Batman is protecting your cybersecurity. An unknown security researcher is widely believed to have hacked the hackers, and is now using one of the Internet’s biggest crime machines for good. And now, just like Gotham City supports the Caped Crusader, the Internet security community is rallying behind their own vigilante for justice.

The Dridex banking botnet is one of the largest and nastiest tools used by cybercriminals today. It’s a massive network of millions of hacked computers that are unwittingly directed to launch phishing attacks, install malicious software on victim machines and launch spam emails. It has stolen at least $29 million from Internet users around the globe in recent years by secretly logging their banking credentials.

Dridex has continued to affect millions even after the FBI claimed in October 2015 that it “struck a blow” against cybercrime by charging a Moldavian man who was allegedly involved in building the botnet.

Now, though, part of the botnet has been hijacked and is being used to distribute an up-to-date version of the Avira antivirus software meant to clean up affected computers. Avira, which learned of the change on February 2, has denied any responsibility and suggested the project is the work of a white hat researcher who has grown tired of playing defense and of authorities' lax enforcement. It certainly wouldn’t be the first time someone who worked as a corporate security researcher from 9 to 5 donned a digital cape at night and intervened elsewhere as a “gray hat” hacker.

Hackers who launch attacks with the intention of stealing money or information, or have other criminal goals, are known as "black hat" hackers. "White hat" hackers typically work on legitimate research or are dedicated to improving a company's cybersecurity. "Gray hat" hackers fall somewhere in between.

"This kind of precedent is long established,” said Nate Cardozo, a staff attorney focused on hacking rights at the Electronic Frontier Foundation, referencing the destruction of the Creeper virus in 1971. “For instance, what is generally considered to be the very first virus ever was taken down by a gray hat. So you could say that this sort of action is as old as computer viruses themselves.”

The most recent example before Dridex was the ongoing war between the Anonymous hacking collective and the Islamic State terrorist group. An offshoot of Anonymous known as GhostSec has spent over a year trawling social media for signs of ISIS activity and has worked not only to reveal the user identities behind the accounts but also to disrupt potential terrorist attacks before they happen by providing hacked information to governmental authorities.

Members of GhostSec previously told International Business Times UK that information surfaced by the group helped the Tunisian government stop a terrorist attack.

“Kids,” said WauchulaGhost, a former GhostSec member who now operates against ISIS independently, when asked what motivates him.

“No one, including our own government, is concerned for our kids’ safety,” he said via Internet chat. “For example, companies like Cloudflare, Twitter and Facebook say they are against terrorism, but any time of the day you can log in and watch beheading videos, graphic imagery and recruitment propaganda. Our kids, our future generation motivates me.”

In November WauchulaGhost published a list of 97 websites allegedly used for ISIS propaganda and recruitment. WauchulaGhost now says he dedicates 8 to 12 hours of his personal time every day to logging ISIS accounts and each account’s followers on Twitter, then providing that information to Twitter.

Twitter has said it does not respond to online list submissions, only users' direct complaints. Anonymous members are likely submitting complaints, though how much impact the group has had on stopping ISIS remains unclear. Twitter did not immediately respond to a request for comment.

“Sometimes it seems Twitter is on the ball and other times it's like they are on vacation,” WauchulaGhost said, adding that the company is not typically responsive to help from hackers. “There are many, many people that appreciate what we have done and are doing. I get messages every day from supporters. Some are just normal citizens, some are government employees and others are active and retired military.”

The private sector has been itching to do some hacking back of its own, as well. An executive at JP Morgan Chase famously suggested the bank, which has been besieged by cyberattacks from multiple countries, be allowed to launch a wave of retaliatory strikes against the nations believed to be responsible. The U.S. government has repeatedly warned banks and other corporations not to act unilaterally, in part over concerns that a counterattack would spark an international incident, according to published media reports.

“There are a lot of white hats, or gray hats, in the community who are probably doing more offensive research,” Jerome Segura, a senior security researcher at Malwarebytes, said after the Dridex botnet was hacked. “When you work for a big company it’s tempting to cross lines you can’t cross, but by doing that you would potentially be violating some laws.”

Microsoft, for one, has worked with the FBI and other technology companies to combat cybercrime, most recently the Dorkbot botnet in December, which is used to launch distributed denial-of-service attacks and steal log-in credentials for popular websites. No arrests were announced in the Dorkbot case, though the U.S. Department of Homeland Security issued a public advisory warning the public to be on the lookout.

Before that, in 2013, Microsoft worked with the FBI and financial services industry to disrupt the Citadel botnet, which was used to commit $500 million in fraud. A court ruling in that case authorized Microsoft to take control of botnet servers located in New Jersey and Pennsylvania.

“It’s frustrating sometimes when you hear in the press about takedowns, but in terms of what’s happening in the field, often nothing has really changed,” Segura said. “In reality there’s still a lot of bad activity going on. We report and report and report bad activity and on malvertising, and sometimes it is easy to think: if no one is doing anything about this, then who is going to do something?”