Wednesday, July 01, 2015

The Laptop, ColorTyme Rental and Grand Larceny

After Charleston Alexandria Williams, Jr. “was convicted in a bench trial of grand larceny in violation of [Virginia] Code § 18.2–95”, he appealed.  Williams v. Commonwealth, 2015 WL 1782088 (Court of Appeals of Virginia 2015). As the Court of Appeals explained, in Williams’ appeal
he challenges the sufficiency of the evidence. Specifically, he argues that, as a matter of law, the Commonwealth failed to prove that the value of the item stolen was $200 or more, and therefore, his conviction of grand larceny should be reversed and remanded for further proceedings. . . .
Williams v. Commonwealth, supra.  (As Wikipedia explains, a few U.S. states define themselves as “Commonwealths”, rather than “States.”  The use of Commonwealth is apparently, as Wikipedia notes, a matter of history, since each of the Commonwealth states either was, or was part of, one of the original colonies.)
The court begins its opinion by explaining how, and why, the prosecution arose:
On June 5, 2012, Aaron Rye, the store manager for ColorTyme Rental, discovered that a laptop computer was missing. This particular laptop recently had been returned to the store by a customer who had been renting it. The record reflects that the computer was infested with roaches upon its return. In keeping with ColorTyme's customary procedures for dealing with roach-infested electronics, Rye removed the battery and power cord, placed the computer in a plastic bag, and then put the laptop in the freezer over the weekend to kill the roaches. Rye did not test or otherwise inspect the laptop before placing it in the freezer.

Rye removed the laptop from the freezer on June 4, 2012, and he placed the laptop, still in the bag, on Jeff Temper's desk. Neither the power cord nor the battery were reunited with the computer before it was placed on Temper's desk. Temper then moved the bag from his desk to the top of a clothes dryer in the back of the store. Based upon the store's video surveillance, Rye determined that [Williams], an employee of ColorTyme, put the laptop inside the dryer and then moved the dryer onto a truck.

Temper, the owner of ColorTyme, initially testified [at Williams’ trial] that the computer was worth `like eight hundred and something dollars’ and that, without the power cord and battery, it was `absolutely’ worth more than $200 to him. Temper conceded on cross-examination that he was unaware of the brand of the laptop that had been taken and that his estimate of value was based on a conversation he had had with Rye. [Williams] moved to strike Temper's testimony, arguing that, because Temper did not know what property was lost, he could not testify as to its value.
Williams v. Commonwealth, supra.
The Court of Appeals goes on to explain that the Commonwealth (the prosecution)
attempted to rehabilitate Temper's testimony by refreshing his recollection by showing him a copy of the police report. After some questioning from the Commonwealth and arguments by the parties, the trial court granted [Williams’] motion to strike, expressly finding that the Commonwealth had successfully refreshed Temper's recollection as to the brand of laptop taken, but had not successfully established that Temper had knowledge of the value. The trial court stated that the fact that the laptop was a Compaq was in evidence, `but nothing else about value.’
Williams v. Commonwealth, supra.
The opinion explains that after the trial judge issued his ruling, the attorneys for the prosecution and defense
engaged in a brief colloquy that resulted in the trial court asking questions of the witness. In response to the trial court's inquiry regarding value, Temper testified that the computer was worth more than $800. On cross-examination, Temper conceded that this was the value for which he would have sold the laptop when it was new. After the trial court struck his initial testimony as to value, Temper was never asked about and never testified that the computer, in its condition at the time of the theft, had a value in excess of $200.

Ultimately, the trial court found Temper's testimony regarding value sufficient to establish that the laptop was worth more than $200 when it was stolen. Accordingly, the trial court found [Williams] guilty of grand larceny.
Williams v. Commonwealth, supra.  
As is explained below, the $200 figure was significant because one of the ways Virginia Code § 18.2-95 defines “grand larceny” is that a person “commits simple larceny not from the person of another of goods and chattels of the value of $200 or more”.  In other words, the prosecution in this case could prove Williams committed grand larceny if it could prove he took property valued at $200 or more from his employer, ColorTyme Rental, without the company’s consent. Williams v. Commonwealth, supra.  
On appeal, Williams challenged the sufficiency of the evidence to support his conviction.  Williams v. Commonwealth, supra.  The Court of Appeals then explained that, therefore,
we must `”examine the evidence that supports the conviction and allow the conviction to stand unless it is plainly wrong or without evidence to support it.”’ Commonwealth v. McNeal, 282 Va. 16, 710 S.E.2d 733 (Virginia Supreme Court 2011) (quoting Vincent v. Commonwealth, 276 Va. 648, 668 S.E.2d 137 (Virginia Supreme Court 2008)). . . . [W]e review the evidence in the light most favorable to the Commonwealth, as the prevailing party below, and determine whether `”any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.”’ Vincent v. Commonwealth, supra (quoting Jackson v. Virginia, 443 U.S. 307 (1979)).

This means the trial court's decision cannot be overturned on appeal unless no `”rational trier of fact”’ could have come to the conclusion it did. Kelly v. Commonwealth, 41 Va. App. 250, 584 S.E.2d 444 (Virginia Court of Appeals 2003) (en banc) (quoting Jackson v. Virginia, supra). . . . `An appellate court does not “ask itself whether it believes that the evidence at the trial established guilt beyond a reasonable doubt.”’ Williams v. Commonwealth, 278 Va. 190, 677 S.E.2d 280 (Virginia Supreme Court 2009) (quoting Jackson v. Virginia, supra) (emphasis in the original). Instead, the only `relevant question is, after reviewing the evidence in the light most favorable to the prosecution, whether any rational trier of fact could have found the essential elements of the crime beyond a reasonable doubt.’ Sullivan v. Commonwealth, 280 Va. 672, 701 S.E.2d 61 (Virginia Supreme Court 2010) (emphasis added).

This deferential appellate standard `applies not only to the historical facts themselves, but the inferences from those facts as well.’ Clanton v. Commonwealth, 53 Va.App. 561, 673 S.E.2d 904 (Virginia Court of Appeals 2009) (en banc). . . . Thus, a factfinder may ‘draw reasonable inferences from basic facts to ultimate facts,’ Tizon v. Commonwealth, 60 Va.App. 1, 723 S.E.2d 260 (Virginia Court of Appeals 2012) (quoting Haskins v. Commonwealth, 44 Va.App. 1, 602 S.E.2d 402 (Virginia Court of Appeals 2004)), `unless doing so would push “into the realm of non sequitur,’” Tizon v. Commonwealth, supra (quoting Thomas v. Commonwealth, 48 Va.App. 605, 633 S.E.2d 229 (Virginia Court of Appeals 2006)).
Williams v. Commonwealth, supra.  
The Court of Appeals then took up the substance of Williams’ argument on appeal, explaining that
Larceny, a common law crime, is the wrongful or fraudulent taking of another's property without the owner's permission and with the intent to permanently deprive the owner of that property. Commonwealth v. Taylor, 256 Va. 514, 506 S.E.2d 312 (Virginia Supreme Court 1998). Code § 18.2–95 defines the offense of grand larceny. It provides, in part, that `[a]ny person who . . . (ii) commits simple larceny not from the person of another of goods and chattels of the value of $200 or more . . . shall be guilty of grand larceny. . . .’
Williams v. Commonwealth, supra.  
The Court of Appeals then began its analysis of Williams’ argument on appeal:
[Williams] does not dispute that he was the thief. Rather, he argues that the evidence was insufficient to prove, beyond a reasonable doubt, that the value of the property he stole was $200 or more. `The value of the goods specified in [Code § 18.2–95] is an essential element of the crime, and the Commonwealth must prove that element beyond a reasonable doubt.’ Walls v. Commonwealth, 248 Va. 480, 450 S.E.2d 363 (Virginia Supreme Court 1994). Further, `[t]he value of the stolen property is measured as of the time of the theft. . . .’ Parker v. Commonwealth, 254 Va. 118, 489 S.E.2d 482 (Virginia Supreme Court 1997).

`It is well established that “the opinion testimony of the owner of personal property is competent and admissible on the question of the value of such property, regardless of the owner's knowledge of property values.”’ Burton v. Commonwealth, 58 Va.App. 274, 708 S.E.2d 444 (Virginia Court of Appeals 2011) (quoting Walls v. Commonwealth, supra). The witness need only to have had an opportunity to become familiar with the property and to form an opinion as to its true value. Kerr v. Clinchfield Coal Corp., 169 Va. 149, 192 S.E. 741 (Virginia Supreme Court 1937).

Here, without the stricken testimony, the only evidence of the laptop's value was Temper's testimony that he would have sold the laptop new for more than $800. There was no evidence to establish how old the laptop was, what its capabilities were when new or at the time of the theft, whether it still worked, what software, if any, was installed on the laptop, what its memory capability was, or any other factor that could be used to allow a factfinder to divine a value for it at the time of the theft.

`”While the original purchase price of an item may be admitted as evidence of its current value, there must also be ‘due allowance for elements of depreciation.’” Dunn v. Commonwealth, 222 Va. 704, 284 S.E.2d 792 (Virginia Supreme Court 1981) (quoting Gertler v. Bowling, 202 Va. 213, 116 S.E.2d 268 (Virginia Supreme Court 1960)). As this Court recognized in Lester v. Commonwealth, 30 Va.App. 495, 518 S.E.2d 318 (Virginia Court of Appeals 1999), `technical equipment generally depreciates in value over time and that equipment which does not operate properly has significantly reduced value.’
Williams v. Commonwealth, supra.  
It went on to explain that in
Dunn v. Commonwealth, supra, evidence that a 10–year–old typewriter originally had been purchased for $150 was held to be insufficient to establish that it was worth the then statutory threshold of $100 when stolen. . . . . Although the factfinder knew both the original purchase price and the age of the typewriter, the Supreme Court found that a jury could conclude that it met the statutory threshold only by relying on `speculation and conjecture’ because there had been no evidence offered regarding “the effect of age and wear and tear on the value of” the typewriter. Dunn v. Commonwealth, supra.  

Here, the factfinder did not even know the age of the laptop, let alone have any information about wear and tear or whether the laptop was even operable. Accordingly, the evidence of value was insufficient to demonstrate that the statutory threshold was met.

The Commonwealth conceded at oral argument that, absent Temper's testimony that the laptop was worth more than $200 to him, the evidence was insufficient to establish that the laptop was worth more than $200 at the time of the theft. The Commonwealth argues that although the trial court did strike this testimony initially, it implicitly reversed that ruling in rendering its decision, allowing the testimony to form the basis of the trial court's ultimate finding as to value. We disagree with the Commonwealth.

There is no dispute that the trial court initially struck the testimony, expressly ruling that Temper's initial testimony established the brand of laptop stolen, `but nothing else about value.’ The trial court never expressly revisited this ruling.

The Commonwealth's position that the trial court implicitly reversed itself is based on the Commonwealth's argument at trial in response to a motion to strike the evidence after the close of the Commonwealth's evidence.  That argument referenced both Temper's testimony that the laptop was worth more than $200 to him and that it was worth more than $800 new. In denying the motion to strike, the Court noted that it was doing so based on what the Commonwealth had `said’ and that the Commonwealth had `proved value of over two hundred dollars on the evidence.’
Williams v. Commonwealth, supra.  
The Court of Appeals therefore found that the
better reading of the record is that the trial court, in denying the motion to strike, was relying on the testimony as to the purchase price of the laptop when new rather than the reference to the stricken evidence. It is axiomatic that stricken evidence may not form the basis for a trial court's conclusion. Absent some express statement from the trial court that it was reversing its prior evidentiary ruling, we will not assume that the trial court based its decision on testimony that it had stricken. See Mason v. Commonwealth, 219 Va. 1091, 254 S.E.2d 116 (Virginia Supreme Court 1979) (`In non-jury cases, it will be presumed that[,] . . . in the absence of an affirmative showing to the contrary, that only material and competent evidence is considered’).

As noted above, the Commonwealth conceded that, without the stricken testimony, the evidence failed to establish that the value of the laptop at the time of the theft met the statutory threshold. While we are not bound by this concession, the concession, coupled with the utter lack of evidence about the condition and capabilities of the laptop at the time of the theft, makes clear that the evidence was insufficient to support appellant's conviction for grand larceny.
Williams v. Commonwealth, supra.  
It went on to explain that
[h]aving found that the conviction for grand larceny must be reversed, we must remand the case to the trial court for further proceedings. [Williams’] brief seeks only to have the matter `remanded back to the trial court for sentencing on the charge of petit larceny.’ Although the evidence at trial supports such a result, the Virginia Supreme Court's decision in Britt v. Commonwealth, 276 Va. 569, 667 S.E.2d 763 (2008), precludes that resolution on the record before us.
Williams v. Commonwealth, supra.  
The Court of Appeals then pointed out that in Britt v. Commonwealth, supra, the
[Virginia] Supreme Court set aside a conviction for grand larceny after finding that the evidence did not establish that the value of the goods stolen met the $200 statutory threshold. In overturning the conviction, the Court directed

`that the case be remanded to the circuit court for a new trial on a charge of petit larceny if the Commonwealth be so advised. We do not remand solely for imposition of a new sentence on the lesser offense as we did in Commonwealth v. South, 272 Va. 1, 630 S.E.2d 318 (Virginia Supreme Court 2006), because here, unlike in South, both parties have not consented to that relief.’
 Commonwealth v. South, supra (emphasis added).
Here, although [Williams] has affirmatively consented to remand for sentencing on the lesser-included offense, the record is silent as to whether the Commonwealth consents. Given these circumstances, it may be logical to assume that the Commonwealth would consent; however, we read Britt as requiring an affirmative indication of consent on the record. Without such an indication in the record before us, we must, consistent with Britt, remand the matter to the trial court for a new trial on the lesser-included offense of petit larceny if the Commonwealth be so advised. 

Williams v. Commonwealth, supra. The court therefore did just that, i.e., remanded “the case to the trial court for a new trial on the lesser-included offense of petit larceny should the Commonwealth be so advised.” Williams v. Commonwealth, supra.  

Monday, June 29, 2015

The SpyEye Trojan, Abuse.ch and the Motion to Suppress

This post examines an opinion a U.S. District Court Judge who sits in the Northern District of Georgia issued recently in a criminal case:  U.S. v. Bendelladj, 2015 WL 3650219 (U.S. District Court for the Northern District of Georgia 2015). The issue the judge addresses in the opinion involves a motion to suppress evidence; if you are interested in the charges, and the facts that gave rise to those charges, check out the news stories you can find here and here. And you can find the indictment here.
The District Court Judge assigned Hamza Bendelladj’s motion to suppress to a U.S. Magistrate Judge. U.S. v. Bendelladj, supra.  Pursuant to Rule 59 of the Federal Rules of Criminal Procedure, the Magistrate Judge was to review the motion, analyze the arguments it made and the relevant law, and write a Report and Recommendation (“R&R”) reporting to the U.S. District Court Judge whether the motion should be granted or denied.  U.S. v. Bendelladj, supra.
In his motion to suppress, Bendelladj “challenge[d]” the
February 25, 2011 search warrant which authorized a search for

`Information associated with IP Address 75.127.109.16 and the domain name 100myr.com that is stored at premises owned, maintained, controlled, or operated by Global Net Access, LLC, a company headquartered at 1100 White St. S.W. Atlanta, Georgia, 20210.’
R&R - U.S. v. Bendelladj, supra.  
The Magistrate Judge began his analysis of Bendelladj’s motion by explaining what the FBI Agent who obtained the warrant, Special Agent Mark C. Ray, did to establish the probable cause on which the warrant had to be based.  U.S. v. Bendelladj, supra.  Under Federal Rules of Criminal Procedure Rule 41(d)(1), a District Court Judge must issue a search warrant if a federal agent submits an application for the warrant and an affidavit that establishes probable cause for issuing the warrant. You can, if you are interested, find an example of a search warrant application and supporting affidavit here. In this case, the search warrant was issued by another U.S. Magistrate Judge, i.e., not by the one who is reviewing Bendelladj’s motion to suppress here.
The Magistrate Judge in this case explained that Agent Ray submitted an affidavit, in support of his request for a search warrant, in which he
recounted his training and experience in the computer crimes area, including both law enforcement training and experience and private industry. . . . He defined technical terms such as `server,’ `IP address,’ `domain name,’ `hot [sic] and botnet,’ `Banking Trojan,’ `keynote logging [sic],’ `form grabbing,’ and `malware.’ . . . He then alleged that in December 2009, a new malware toolkit called SpyEye v1.0 appeared for sale on Russian underground online forums. . . . Investigation revealed `Gribodemon’ to be SpyEye's creator. . . . The affiant concluded that Spy Eye was similar to another malware called Zeus Banking Trojan, in that each used keystroke logging and form grabbing techniques designed to steal financial and personally identifying information from unsuspecting computer users. . . .

The affidavit then recounted that the creator of Zeus Banking Trojan announced that he intended to hand over the source code for Zeus to Gribodemon, who indicated on online criminal forums that he intended to combine Zeus and SpyEye into a larger more malicious malware toolkit. . . . The affidavit then explained that thereafter a combined malware, SpyEye v1.3.05, was released. . . .

The affidavit continued that a SpyEye Command and Control (`C & C’) server is a computer system administered by one or more individuals that is used remotely to send commands to the victim computers (bots) under its control. . . . The affidavit related that several SpyEye C & C servers had been identified worldwide by their IP addresses, including one previously operating in this District and another which was currently active in this District and the subject of the search warrant application. . . . The affiant stated . . . that there are several websites available in the malware research industry designed to locate computers or servers connected to the Internet that are infected with or operating malware and botnets.

Specifically, the website called Spy Eye Tracker (https://spyeyetracker.abuse.ch) identified SpyEye C & C servers worldwide, by searching for and locating files on computer systems that are uniquely associated with SpyEye. SpyEye Tracker was developed by the Swiss internet security research firm Abuse.ch. Abuse.ch developed the well known Zeus Tracker website (https://zeustracker.abuse.ch). I have learned through discussions with members of the internet security industry and law enforcement that the Zeus Tracker website is utilized by corporations and law enforcement agencies worldwide for identifying Zeus C & C servers. In addition, I have learned from these discussions that many information security organizations and law enforcement agencies around the world recognize SpyEye Tracker as a reliable source of identifying SpyEye C & C servers. I am not aware of any instances in which SpyEye Tracker has misidentified a particular IP address as hosting a SpyEye C & C server.

18. On December 16, 2010, I obtained a similar search warrant for another suspected SpyEye C & C server hosted by a company in Omaha, Nebraska. The affidavit I submitted in support of the search warrant application relied, in part, on the fact that the suspected SpyEye C & C server had been identified as such on SpyEye Tracker.[ ] On January 26, 2011, I obtained three other search warrants for suspected SpyEye C & C servers hosted by companies in Orlando, Florida, Kansas City, Missouri, and New York, New York. The affidavits I submitted in support of those search warrant applications also relied, in part, on the fact that the suspected SpyEye C & C servers had been identified as such on SpyEye Tracker.[ ] The information obtained pursuant to all four search warrants confirmed that the suspected SpyEye C & C servers were, in fact, SpyEye C & C servers; thus, supporting the reliability of SpyEye Tracker in identifying SpyEye C & C servers.

19. Based on my training and experience, I know that malware research websites such as SpyEye Tracker use various methods for identifying and labeling servers connected to the internet as SpyEye C & C servers. For example, one common method is setting up a computer as a “honey pot.” A honey pot in the malware research field is a computer that is connected to the internet with the intention of becoming infected with malware such as SpyEye. The computer is intentionally left in a vulnerable state (that is, no anti-virus protection) so that the person who establishes the honey pot can identify the source of the virus such as a SpyEye C & C server once the computer becomes infected. This is done by capturing the IP Addresses associated with distributing and operating the malware. While I do not know the specific method SpyEye Tracker uses to identify any specific server as a SpyEye C & C server, based on my training and experience, I believe that the various methods of which I am aware are reliable.

20. On February 17, 2011, at 11:23 p.m., I reviewed the SpyEye Tracker website. The following information was observed:
SpyEye C & C: 100myr.com
IP address: 75.127.109.16
Level: 4
Status: online
Files Online: 2
Country: USA
AS number: AS16626
This information indicates that the server with IP address 75.127.109.16, utilizing the domain name 100myr.com, is being utilized as a SpyEye C & C server. . . . This IP address is owned, maintained, controlled, or operated by Global Net Access LLC, a web hosting company headquartered at 1100 White St, SW, Atlanta, Georgia 30310. SpyEye Tracker is updated on a daily basis, thus I have reason to believe that malicious code is still on this server.
R&R - U.S. v. Bendelladj, supra. (Unfortunately, Blogger truncates the full version of the information from the SpyEye Tracker site, which is given as a set of columns of figures, and I cannot find it anywhere online.) 
The Magistrate Judge noted that the affidavit
also related that the suspected Omaha SpyEye C & C server had been identified as such on another website, malwaredomainlist.com (http://www.malwaredomainlist.com), while the servers in this case and the ones in Orlando, Kansas City and New York had not been identified as such on malwaredomainlist.com. . . .

Finally . . .the affidavit provided that Global Net Access LLC is a business that maintains servers connected to the Internet and offers those servers for customers to use to operate websites, store and process information and perform other web-based activities. It also stated that a provider such as Global Net Access gives customers, for a fee, access to its servers and often offers related services such as domain name registration and e-mail service. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then noted that Bendelladj alleged, in support of his motion, that
the primary source of the information in the warrant application is from a website called Abuse.ch, which Bendelladj likens to a confidential informant. He argues that in effect Abuse.ch is just a blog, that is, an unfiltered personal internet account, with no identifiable contributor. Bendelladj submits that the unknown contributor associated with Abuse.ch lists IP addresses asserted to be malware, however, this information has not been shown to have been vetted, cannot be verified nor can it be recreated since Abuse.ch does not maintain an archive.

In addition, he alleges that although this website is associated with the `Swiss Information Security Research Association’ and `Bernet Monika,’ the only cross-reference to this information is the website itself. . . . Bendelladj also points out that the affiant conceded he was unaware of the methodology Abuse.ch used to obtain the IP addresses it puts on the suspected malware list, and argues therefore that the website's reliability or accuracy cannot be checked. He also argues that the bald statement that Abuse.ch is relied upon by security organizations and law enforcement agencies around the world is not sufficient, since these entities are not identified. . . .

Bendelladj next argues that the supporting affidavit's acknowledgment that the suspected malware in this case, SpyEye C & C, did not show up on another respected cyber-security website, www.malwaredomainlist.com, is another reason to suspect Abuse.ch's reliability. . . . Finally, he argues that the Abuse.ch webpage screenshot attached to the affidavit shows `no results’ for linking 100myr.com to the Atlanta-based IP address. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then addressed Bendelladj’s arguments, starting with Abuse.ch:
[t]he issuing magistrate judge was justified in concluding that the information from Abuse.ch was reliable and thus probable cause existed to issue the search warrant.

First, the affiant related that Abuse.ch was relied upon by other law enforcement officers (and private security organizations) in their efforts in detecting both Zeus Banking Trojan and SpyEye malware. Observations of fellow officers engaged in a common investigation are a reliable source for a warrant. . . .U.S. v. Kirk, 781 F.2d 1498 (U.S. Court of Appeals for the 11th Circuit 1986). . . . The fact that the law enforcement agencies were not identified does not render the information unreliable; after all, search warrants may be based upon information from anonymous lay informants. . . . See U.S. v. Brundidge, 170 F.3d 1350 (U.S. Court of Appeals for the 11th Circuit 1999). What is critical is that the confidential information be reliable. In this case, it was.
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then pointed out that the affiant whose statement supported issuing the warrant
asserted facts that corroborated the reliability of both Abuse.ch and the opinion of Abuse.ch's reliability held by the anonymous law enforcement agencies and private security organizations. First, the fact that Abuse.ch accurately identified IP addresses associated with the Zeus Banking Trojan makes it more likely that Abuse.ch's listing of the subject IP address as SpyEye malware also was accurate. See U.S. v. Morales, 238 F.3d 952 (U.S. Court of Appeals for the 8th Circuit 2001) (`Information may be sufficiently reliable to support a probable cause finding if the person providing the information has a track record of supplying reliable information, or if it is corroborated by independent evidence’); U.S. v. Ridolf, 76 F.Supp.2d 1305 (U.S. District Court of Appeals for the Middle District of Alabama 1999) (recognizing that one way to test reliability and veracity is to examine the informant's `track record’ of providing reliable information in the past).
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then explained that Bendelladj’s arguments failed because,
[s]econd, Agent Ray utilized Abuse.ch's information in support of search warrants for suspected SpyEye C & C servers in Omaha, Orlando, Kansas City and New York, and the information was shown to be reliable as these IP addresses were discovered to be SpyEye.
R&R - U.S. v. Bendelladj, supra.
He also pointed out two more reasons why Bendelladj’s arguments did not succeed:
Third, it appears from the affidavit that Abuse.ch's SpyEye Tracker is just as reliable as another malware research tool, malwaredomainlist.com, that Bendelladj holds up as accurate. While he claims that the subject IP address appeared on Abuse.ch's list but did not appear on malwaredomainlist.com, the affidavit also recounted that the SpyEye C & C servers in Orlando, Kansas City and New York similarly did not appear on malwaredomainlist.com but were found to be malware. Thus, that the instant IP address did not appear on the other tracking list does not render SpyEye Tracker unreliable.

Fourth, the warrant is not fatal because Abuse.ch's methodology in creating its SpyEye Tracker list is unknown. There is no precedent or authority demanding that the reliability standard of Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993), be applied to investigative procedures used by law enforcement in order for the search warrant to contain probable cause for the search, nor does Daubert hold that this standard must be applied to the probable cause analysis. United States v. Pirosko, 2013 WL 5595224 (U.S. District Court for the Northern District of Ohio 2013).

Here the Court has found that the information from Abuse.ch was reliable, and thus the issuing magistrate judge was entitled to rely upon it in his consideration of whether probable cause to search existed. The same holds true for Bendelladj's argument that he cannot recreate Abuse.ch's results, since `probable cause must exist when the magistrate judge issues the search warrant,’ U.S. v. Santa, 236 F.3d 662 (U.S. Court of Appeals for the 11th Circuit 2000) (quoting U.S. v. Harris, 20 F.3d 445 (U.S. Court of Appeals for the 11th Circuit 1994)). The fact that the information cannot be duplicated or recreated does not mean it was not reliable at the time the warrant issued.      
R&R - U.S. v. Bendelladj, supra.
And, finally, the Magistrate Judge explained that the fact that Bendelladj
could not find sufficient information on the entity and person associated with Abuse.ch does not detract from the reliability of Abuse.ch's SpyEye Tracker list as demonstrated in the affidavit for the search warrant. The list is used by law enforcement and private security organizations to detect the SpyEye malware, and in using IP addresses listed on SpyEye Tracker, in addition to other information, the affiant was able to discover SpyEye malware in at least four other IP addresses. That is sufficient to demonstrate reliability.

Thus, the information from Abuse.ch was reliable and, under the totality of circumstances, that the subject IP address was listed on Abuse.ch's SpyEye Tracker list properly contributed to the issuing magistrate judge's conclusion that probable cause existed to issue the warrant.

Finally, the Court takes note of Bendelladj's argument that Exhibit A to the search warrant affidavit shows `no results’ for three of the URL searches performed by the affiant. However, it is Bendelladj's burden to show that the warrant was invalid, and the bare statement in his motion about these `no result’ entries, given that the same exhibit shows that there was a `hit’ for SpyEye malware on the IP address, is not sufficient to undermine the finding of probable cause in this case.
R&R - U.S. v. Bendelladj, supra.
For these and other reasons, the Magistrate Judge recommended that Bendelladj’s motion to suppress be denied.  R&R - U.S. v. Bendelladj, supra.
Then, as Rule 59(b)(3) of the Federal Rules of Criminal Procedure and 28 U.S. Code § 636(b)(1) require, the U.S. District Court Judge reviewed the Magistrate Judge’s recommendations and accepted them. U.S. v. Bendelladj, supra. He then denied Bendelladj’s motion to suppress.  U.S. v. Bendelladj, supra.