FBI Tries New Rule 41 Changes On For Size In Fight Against Long-Running Botnet

from the one-warrant;-all-the-computers dept

The DOJ is proud to announce it's flexing its new Rule 41 muscle. The changes proposed in 2015 sailed past a mostly-uninterested Congress and into law, giving the FBI and other DOJ entities permission to hack computers anywhere in the world with a single warrant.

With the new rules, the law has finally caught up with the FBI's activities. It deployed a Network Investigative Tool -- the FBI's nifty nickname for intrusive malware that sends identifying info from people's computers to FBI investigators -- back in 2012 during a child porn investigation and mostly got away with it. It tried it again in 2015 and ran into a bit more resistance.

Rule 41's (former) jurisdictional limitations meant the FBI wasn't supposed to be able to "search" computers all over the US using a single warrant issued in Virginia. This activity was supposed to be confined to the state of Virginia. The aftermath of the Playpen investigation has led to a multitude of conflicting judicial opinions. Some have found the warrant invalid and the evidence obtained worthless. Others have granted good faith exceptions or determined no privacy violation took place. In at least one case, the government has dismissed the charges rather than expose any information about its Rule 41-flouting NIT.

In this case, the FBI isn't hacking computers to uncover child porn site visitors. Instead, it's going to be fiddling with a lot of computers to take down a botnet. The DOJ press release makes particular note of how lawful this all is now, post-Rule 41 amending:

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. A copy of this warrant along with the other court orders is produced below. The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

The search warrant [PDF] application leads off with this as well, waving it in front of its unusual request like a wary vampire hunter's cross.

I make this affidavit in support of an application for a warrant under Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt the Kelihos botnet currently under the control of Peter Yuryevich LEVASHOV, a criminal hacker. The operation, which is particularly described in Attachment A and Attachment B, involves the distribution of updated peer lists, job messages and/or IP filter lists, further described in Attachment B, to the TARGET COMPUTERS currently infected with the Kelihos botnet malware in violation of Title 18, United States Code, Sections 1030, 1343, and 2511, as described in Attachment A. This operation will also obtain the Internet Protocol addresses and associated routing information of those infected computers, and those addresses are evidence of crimes committed by LEVASHOV. A PRTT order has been requested for the purpose of attaining those IP addresses and associated routing information. This operation will not capture content from the TARGET COMPUTERS or modify them in any other capacity except limiting the TARGET COMPUTERS' ability to interact with the Kelihos botnet.

The intent here is to dismantle the botnet by freeing zombie computers. All well and good, except it's not the government pointing victims to malware removal tools, but rather letting itself into the "house" to size up infections before passing this info on to third parties to actually perform the removals.

This new form of intrusion raised concerns in Congress, but the DOJ insisted the changes were innocuous and please let's all stop talking about this before someone stops the Rule 41 amendments' slow roll to tacit approval.

Here it is in action: thousands of computers temporarily hosting digital G-men. We're in unknown territory right now with the FBI's anti-botnet work. The FBI itself doesn't even appear all that sure about the extent of its new Rule 41 powers. As is noted in the warrant, the FBI also applied for a Pen Register/Trap and Trace (PRTT) order [PDF] just in case.

Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts. The following additional information is provided to demonstrate that the order requested falls within this Court's authority to authorize the installation and use of a pen register or trap and trace device under 18 U.S.C. § 3123(a)(1).

This is the FBI basically saying the law doesn't require this application, but here it is anyway. A CYA PRTT for the interception of communications metadata that might help identify botnet victims. And for all its talismanic waving of Rule 41, the FBI isn't even sure it's really required to seek a warrant to perform this botnet cleanup. From the warrant affidavit:

To effectively combat the P2P structure of the Kelihos botnet, the FBI with assistance of private partners will participate in the exchange of peer lists and job messages with other infected computers. The FBI's communications, however, will not contain any commands, nor will they contain IP addresses of any of the infected computers. Instead, the FBI replies will contain the IP and routing information for the FBI's "sinkhole" server. As this new routing information permeates the botnet, the Kelihos infected computers will cease any current malicious activity and learn to only communicate with the sinkhole. The effect of these actions will be to free individual infections from exchanging information with the Kelihos botnet and with LEVASHOV. This will stop Kelihos's most immediate harm, the harvesting of personal data and credentials, and the transmittal of that data to servers under LEVASHOV's control.

Another portion of the Kelihos job messages is a list, known as the IP filter list. This list functions as a type of blacklist, preventing communication with those IPs contained within the filter list. If necessary, the FBI also seeks authorization to send a filter list to TARGET COMPUTERS to block Kelihos infected computers from continuing to communicate with router nodes.

The footnote attached to this reads:

The law is unsettled as to whether the operation authorized by the proposed warrant constitutes a search or seizure. However, in an abundance of caution, the United States is seeking a warrant.

It looks like the FBI is tentatively exploring its new powers, making sure it has the paper trail it needs to stave off courtroom challenges. If it sticks to disrupting a botnet, it shouldn't face any. If it takes advantage of its new access privileges, it might.
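The mechanism the affidavit describes above (a sinkhole that joins the peer-list exchange, answers only with its own address, logs which IPs connect, and pushes an IP filter list that blacklists the botnet's router nodes) can be made concrete with a small simulation. The following is an added, constructed model, not Kelihos's actual protocol and not the FBI's or its partners' tooling: the gossip rule (every bot asks each peer it knows for a peer list, once per round), the message format, the assumption that the sinkhole is seeded into one bot's peer list and already knows the router IPs, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""
Toy model of dismantling a P2P botnet by sinkholing.

Constructed example: a simplified gossip protocol, not Kelihos's real protocol
and not the FBI's tool. Addresses, message formats and the gossip rule are all
assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical addresses from the RFC 5737 documentation ranges.
SINKHOLE_IP = "203.0.113.1"
ROUTER_IPS = ["198.51.100.10", "198.51.100.11"]
BOT_IPS = [f"192.0.2.{i}" for i in range(1, 13)]


@dataclass
class Message:
    """One reply in the peer exchange: a peer list, an optional IP filter list, an optional job."""
    peers: list
    filter_ips: frozenset = frozenset()
    job: Optional[str] = None


@dataclass
class Node:
    ip: str
    peers: set = field(default_factory=set)          # IPs this node knows about
    filter_ips: set = field(default_factory=set)     # IPs this node refuses to contact
    role: str = "bot"                                # "bot", "router" or "sinkhole"
    seen: set = field(default_factory=set)           # sinkhole only: IPs that connected to it
    blocklist: frozenset = frozenset()               # sinkhole only: router IPs it tells bots to filter

    def reachable_peers(self):
        """Peers this node is still willing to contact, filter list applied (sorted for determinism)."""
        return sorted(self.peers - self.filter_ips - {self.ip})

    def reply_to(self, requester_ip):
        if self.role == "sinkhole":
            # Log the connecting IP (the thing the warrant and PRTT order cover) and
            # answer only with the sinkhole's own address plus the router filter list:
            # no commands and no other victims' addresses.
            self.seen.add(requester_ip)
            return Message(peers=[self.ip], filter_ips=self.blocklist)
        msg = Message(peers=[self.ip, *self.peers])
        if self.role == "router":
            msg.job = "SEND_SPAM"   # router nodes hand out work; this is the harm being cut off
        return msg

    def learn(self, msg):
        self.peers.update(p for p in msg.peers if p != self.ip)
        self.filter_ips.update(msg.filter_ips)


def gossip_round(nodes):
    """Every non-sinkhole node asks each reachable peer for its peer list.
    Returns how many job messages reached bots this round."""
    by_ip = {n.ip: n for n in nodes}
    jobs = 0
    for node in nodes:
        if node.role == "sinkhole":
            continue   # the sinkhole only answers; it never initiates contact or commands
        for peer_ip in node.reachable_peers():   # snapshot taken before this node learns anything
            reply = by_ip[peer_ip].reply_to(node.ip)
            node.learn(reply)
            if reply.job is not None and node.role == "bot":
                jobs += 1
    return jobs


def build_botnet():
    """Ring of bots, each also knowing one router; each router knows two bots (constructed topology)."""
    bots = [Node(ip) for ip in BOT_IPS]
    for i, b in enumerate(bots):
        b.peers = {BOT_IPS[(i + 1) % len(BOT_IPS)], ROUTER_IPS[i % 2]}
    routers = [Node(ip, peers={BOT_IPS[0], BOT_IPS[6]}, role="router") for ip in ROUTER_IPS]
    return bots + routers


def simulate(rounds_before=3, rounds_after=20):
    nodes = build_botnet()
    before = [gossip_round(nodes) for _ in range(rounds_before)]

    # Assumption: the sinkhole enters the mesh by announcing itself to one bot and
    # already knows which IPs are router nodes.
    sink = Node(SINKHOLE_IP, role="sinkhole", blocklist=frozenset(ROUTER_IPS))
    nodes[0].peers.add(SINKHOLE_IP)
    nodes.append(sink)
    after = [gossip_round(nodes) for _ in range(rounds_after)]

    bots = [n for n in nodes if n.role == "bot"]
    return {
        "jobs_before": before,
        "jobs_after": after,
        "bots_knowing_sinkhole": sum(SINKHOLE_IP in b.peers for b in bots),
        "bots_reaching_router": sum(any(p in ROUTER_IPS for p in b.reachable_peers()) for b in bots),
        "victim_ips_logged": sorted(sink.seen),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running it shows the two effects the affidavit promises and nothing more: job messages reaching bots drop to zero within a few rounds of the filter list permeating, and the sinkhole ends up holding exactly the list of IPs that connected to it, which is the data set handed to ISPs for cleanup. It also shows the point the warrant's own footnote concedes: the sinkhole never logs into or modifies anything on a victim, it only answers requests the infected machines were already making.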


Filed Under: botnet, doj, fbi, hacking, nit, rule 41, warrant

Reader Comments


Bergman, 12 Apr 2017 @ 10:25am


    Makes me wonder how many of the files on a compromised computer would be 'in plain view' as they access the computer to disrupt the botnet.

    My guess is somewhere around 100%.
