This post examines an opinion a U.S. District Court Judge
who sits in the Northern District of Georgia issued recently in a criminal
case: U.S. v. Bendelladj, 2015 WL 3650219 (U.S. District Court for the Northern District of Georgia 2015). The issue the judge addresses in the
opinion involves a motion to suppress evidence; if you are interested in the
charges, and the facts that gave rise to those charges, check out the news
stories you can find here and here. And you can find the indictment here.
The District Court Judge assigned Hamza Bendelladj’s motion
to suppress to a U.S. Magistrate Judge. U.S.
v. Bendelladj, supra. Pursuant to
Rule 59 of the Federal Rules of Criminal Procedure, the Magistrate Judge was to
review the motion, analyze the arguments it made and the relevant law, and
write a Report and Recommendation (“R&R”) reporting to the U.S. District
Court Judge whether the motion should be granted or denied. U.S. v.
Bendelladj, supra.
In his motion to suppress, Bendelladj “challenge[d]” the
February 25, 2011 search warrant which
authorized a search for
`Information associated with IP Address
75.127.109.16 and the domain name 100myr.com that is stored at premises owned,
maintained, controlled, or operated by Global Net Access, LLC, a company
headquartered at 1100 White St. S.W. Atlanta, Georgia, 20210.’
R&R - U.S. v.
Bendelladj, supra.
The Magistrate Judge began his analysis of Bendelladj’s
motion by explaining what the FBI Agent who obtained the warrant, Special Agent
Mark C. Ray, did to establish the probable cause on which the warrant had to be
based. U.S. v. Bendelladj, supra. Under Federal Rules of Criminal Procedure Rule 41(d)(1), a District Court Judge must issue a search warrant if a federal agent
submits an application for the warrant and an affidavit that establishes
probable cause for issuing the warrant. You can, if you are interested, find an
example of a search warrant application and supporting affidavit here. In this case, the search warrant was issued
by another U.S. Magistrate Judge, i.e., not by the one who is
reviewing Bendelladj’s motion to suppress here.
The Magistrate Judge in this case explained that Agent Ray
submitted an affidavit, in support of his request for a search warrant, in
which he
recounted his training and experience
in the computer crimes area, including both law enforcement training and
experience and private industry. . . . He defined technical terms
such as `server,’ `IP address,’ `domain name,’ `hot [sic] and botnet,’ `Banking
Trojan,’ `keynote logging [sic],’ `form grabbing,’ and `malware.’ . . . He then
alleged that in December 2009, a new malware toolkit called SpyEye v1.0
appeared for sale on Russian underground online forums. . . .
Investigation revealed `Gribodemon’ to be SpyEye's creator. . . .
The affiant concluded that Spy Eye was similar to another malware called Zeus
Banking Trojan, in that each used keystroke logging and form grabbing
techniques designed to steal financial and personally identifying information
from unsuspecting computer users. . . .
The affidavit then recounted that the
creator of Zeus Banking Trojan announced that he intended to hand over the
source code for Zeus to Gribodemon, who indicated on online criminal forums
that he intended to combine Zeus and SpyEye into a larger more malicious
malware toolkit. . . . The affidavit then explained that thereafter
a combined malware, SpyEye v1.3.05, was released. . . .
The affidavit continued that a SpyEye
Command and Control (`C & C’) server is a computer system administered by
one or more individuals that is used remotely to send commands to the victim
computers (bots) under its control. . . . The affidavit related
that several SpyEye C & C servers had been identified worldwide by their IP
addresses, including one previously operating in this District and another
which was currently active in this District and the subject of the search
warrant application. . . . The affiant stated . . . that there are
several websites available in the malware research industry designed to locate
computers or servers connected to the Internet that are infected with or
operating malware and botnets.
Specifically, the website called Spy
Eye Tracker (https:// spyeyetracker.abuse.ch) identified SpyEye C & C
servers worldwide, by searching for and locating files on computer systems that
are uniquely associated with SpyEye. SpyEye Tracker was developed by the Swiss
internet security research firm Abuse.ch. Abuse.ch developed the well known
Zeus Tracker website (https:// zeustracker.abuse.ch). I have learned through
discussions with members of the internet security industry and law enforcement
that the Zeus Tracker website is utilized by corporations and law enforcement
agencies worldwide for identifying Zeus C & C servers. In addition, I have
learned from these discussions that many information security organizations and
law enforcement agencies around the world recognize SpyEye Tracker as a
reliable source of identifying SpyEye C & C servers. I am not aware of any
instances in which SpyEye Tracker has misidentified a particular IP address as
hosting a SpyEye C & C server.
18. On December 16, 2010, I obtained a
similar search warrant for another suspected SpyEye C & C server hosted by
a company in Omaha, Nebraska. The affidavit I submitted in support of the
search warrant application relied, in part, on the fact that the suspected
SpyEye C & C server had been identified as such on SpyEye Tracker.[ ] On
January 26, 2011, I obtained three other search warrants for suspected SpyEye C
& C servers hosted by companies in Orlando, Florida, Kansas City, Missouri,
and New York, New York. The affidavits I submitted in support of those search
warrant applications also relied, in part, on the fact that the suspected
SpyEye C & C servers had been identified as such on SpyEye Tracker.[ ] The
information obtained pursuant to all four search warrants confirmed that the
suspected SpyEye C & C servers were, in fact, SpyEye C & C servers;
thus, supporting the reliability of SpyEye Tracker in identifying SpyEye C
& C servers.
19. Based on my training and
experience, I know that malware research websites such as SpyEye Tracker use
various methods for identifying and labeling servers connected to the internet
as SpyEye C & C servers. For example, one common method is setting up a
computer as a “honey pot.” A honey pot in the malware research field is a
computer that is connected to the internet with the intention of becoming
infected with malware such as SpyEye. The computer is intentionally left in a
vulnerable state (that is, no anti-virus protection) so that the person who
establishes the honey pot can identify the source of the virus such as a SpyEye
C & C server once the computer becomes infected. This is done by capturing
the IP Addresses associated with distributing and operating the malware. While
I do not know the specific method SpyEye Tracker uses to identify any specific
server as a SpyEye C & C server, based on my training and experience, I
believe that the various methods of which I am aware are reliable.
20. On February 17, 2011, at 11:23
p.m., I reviewed the SpyEye Tracker website. The following information was
observed:
SpyEye C & C | IP address | Level | Status | Files Online | Country | AS number
100myr.com | 75.127.109.16 | 4 | online | 2 | USA | AS16626
This information indicates that the
server with IP address 75.127.109.16, utilizing the domain name 100myr.com, is
being utilized as a SpyEye C & C server. . . . This IP address is owned,
maintained, controlled, or operated by Global Net Access LLC, a web hosting
company headquartered at 1100 White St, SW, Atlanta, Georgia 30310. SpyEye
Tracker is updated on a daily basis, thus I have reason to believe that
malicious code is still on this server.
R&R - U.S. v.
Bendelladj, supra. (Unfortunately, Blogger truncates the full version of the information from the SpyEye Tracker site, which is given as a set of columns of figures, and I cannot find it anywhere online.)
The Magistrate Judge noted that the affidavit
also related that the suspected Omaha
SpyEye C & C server had been identified as such on another website,
malwaredomainlist.com (http://www.malwaredomainlist.com), while the servers in
this case and the ones in Orlando, Kansas City and New York had not been
identified as such on malwaredomainlist.com. . . .
Finally . . . the affidavit provided
that Global Net Access LLC is a business that maintains servers connected to
the Internet and offers those servers for customers to use to operate websites,
store and process information and perform other web-based activities. It also
stated that a provider such as Global Net Access gives customers, for a fee,
access to its servers and often offers related services such as domain name
registration and e-mail service. . . .
R&R - U.S. v.
Bendelladj, supra.
The Magistrate Judge then noted that Bendelladj alleged, in
support of his motion, that
the primary source of the information
in the warrant application is from a website called Abuse.ch, which Bendelladj
likens to a confidential informant. He argues that in effect Abuse.ch is just a
blog, that is, an unfiltered personal internet account, with no identifiable
contributor. Bendelladj submits that the unknown contributor associated with
Abuse.ch lists IP addresses asserted to be malware, however, this information
has not been shown to have been vetted, cannot be verified nor can it be
recreated since Abuse.ch does not maintain an archive.
In addition, he alleges that although
this website is associated with the `Swiss Information Security Research
Association’ and `Bernet Monika,’ the only cross-reference to this information
is the website itself. . . . Bendelladj also points out that the affiant
conceded he was unaware of the methodology Abuse.ch used to obtain the IP addresses
it puts on the suspected malware list, and argues therefore that the website's
reliability or accuracy cannot be checked. He also argues that the bald
statement that Abuse.ch is relied upon by security organizations and law
enforcement agencies around the world is not sufficient, since these entities
are not identified. . . .
Bendelladj next argues that the
supporting affidavit's acknowledgment that the suspected malware in this case,
SpyEye C & C, did not show up on another respected cyber-security website,
www.malwaredomainlist.com, is another reason to suspect Abuse.ch's reliability.
. . . Finally, he argues that the Abuse.ch webpage screenshot attached to the
affidavit shows `no results’ for linking 100myr.com to the Atlanta-based IP
address. . . .
R&R - U.S. v.
Bendelladj, supra.
The Magistrate Judge then addressed Bendelladj’s arguments,
starting with Abuse.ch:
[t]he issuing magistrate judge was
justified in concluding that the information from Abuse.ch was reliable and
thus probable cause existed to issue the search warrant.
First, the affiant related that
Abuse.ch was relied upon by other law enforcement officers (and private
security organizations) in their efforts in detecting both Zeus Banking Trojan
and SpyEye malware. Observations of fellow officers engaged in a common
investigation are a reliable source for a warrant. . . . U.S. v. Kirk, 781
F.2d 1498 (U.S. Court of Appeals for the 11th Circuit 1986). . . . The fact
that the law enforcement agencies were not identified does not render the
information unreliable; after all, search warrants may be based upon
information from anonymous lay informants. . . . See U.S. v. Brundidge, 170 F.3d 1350 (U.S. Court of Appeals for the
11th Circuit 1999). What is critical is that the confidential information
be reliable. In this case, it was.
R&R - U.S. v.
Bendelladj, supra.
The Magistrate Judge then pointed out that the affiant whose
statement supported issuing the warrant
asserted facts that corroborated the
reliability of both Abuse.ch and the opinion of Abuse.ch's reliability held by
the anonymous law enforcement agencies and private security organizations.
First, the fact that Abuse.ch accurately identified IP addresses associated
with the Zeus Banking Trojan makes it more likely that Abuse.ch's listing of
the subject IP address as SpyEye malware also was accurate. See U.S.
v. Morales, 238 F.3d 952 (U.S. Court of Appeals for the 8th Circuit 2001) (`Information
may be sufficiently reliable to support a probable cause finding if the person
providing the information has a track record of supplying reliable information,
or if it is corroborated by independent evidence’); U.S. v. Ridolf, 76
F.Supp.2d 1305 (U.S. District Court of Appeals for the Middle District of Alabama 1999) (recognizing that one way to test reliability and veracity
is to examine the informant's `track record’ of providing reliable information
in the past).
R&R - U.S. v.
Bendelladj, supra.
The Magistrate Judge then explained that Bendelladj’s
arguments failed because,
[s]econd, Agent Ray utilized Abuse.ch's
information in support of search warrants for suspected SpyEye C & C
servers in Omaha, Orlando, Kansas City and New York, and the information was
shown to be reliable as these IP addresses were discovered to be SpyEye.
R&R - U.S. v. Bendelladj,
supra.
He also pointed out two more reasons why Bendelladj’s
arguments did not succeed:
Third, it appears from the affidavit
that Abuse.ch's SpyEye Tracker is just as reliable as another malware research
tool, malwaredomainlist.com, that Bendelladj holds up as accurate. While
he claims that the subject IP address appeared on Abuse.ch's list but did not
appear on malwaredomainlist.com, the affidavit also recounted that the SpyEye C
& C servers in Orlando, Kansas City and New York similarly did not appear
on malwaredomainlist.com but were found to be malware. Thus, that the instant
IP address did not appear on the other tracking list does not render SpyEye
Tracker unreliable.
Fourth, the warrant is not fatal
because Abuse.ch's methodology in creating its SpyEye Tracker list is unknown.
There is no precedent or authority demanding that the reliability standard
of Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993),
be applied to investigative procedures used by law enforcement in order for the
search warrant to contain probable cause for the search, nor does Daubert
hold that this standard must be applied to the probable cause
analysis. United States v. Pirosko, 2013 WL 5595224 (U.S. District Court for the Northern District of Ohio 2013).
Here the Court has found that the
information from Abuse.ch was reliable, and thus the issuing magistrate judge
was entitled to rely upon it in his consideration of whether probable cause to
search existed. The same holds true for Bendelladj's argument that he cannot
recreate Abuse.ch's results, since `probable cause must exist when the
magistrate judge issues the search warrant,’ U.S. v. Santa, 236
F.3d 662 (U.S. Court of Appeals for the 11th Circuit 2000) (quoting U.S.
v. Harris, 20 F.3d 445 (U.S. Court of Appeals for the 11th Circuit 1994)).
The fact that the information cannot be duplicated or recreated does not mean
it was not reliable at the time the warrant issued.
R&R - U.S. v.
Bendelladj, supra.
And, finally, the Magistrate Judge explained that the fact that
Bendelladj
could not find sufficient information
on the entity and person associated with Abuse.ch does not detract from the
reliability of Abuse.ch's SpyEye Tracker list as demonstrated in the affidavit
for the search warrant. The list is used by law enforcement and private
security organizations to detect the SpyEye malware, and in using IP addresses
listed on SpyEye Tracker, in addition to other information, the affiant was
able to discover SpyEye malware in at least four other IP addresses. That is
sufficient to demonstrate reliability.
Thus, the information from Abuse.ch was
reliable and, under the totality of circumstances, that the subject IP address
was listed on Abuse.ch's SpyEye Tracker list properly contributed to the
issuing magistrate judge's conclusion that probable cause existed to issue the
warrant.
Finally, the Court takes note of
Bendelladj's argument that Exhibit A to the search warrant affidavit shows `no
results’ for three of the URL searches performed by the affiant. However, it is
Bendelladj's burden to show that the warrant was invalid, and the bare statement
in his motion about these `no result’ entries, given that the same exhibit
shows that there was a `hit’ for SpyEye malware on the IP address, is not
sufficient to undermine the finding of probable cause in this case.
R&R - U.S. v.
Bendelladj, supra.
For these and other reasons, the Magistrate Judge
recommended that Bendelladj’s motion to suppress be denied. R&R -
U.S. v. Bendelladj, supra.
Then, as Rule 59(b)(3) of the Federal Rules of Criminal Procedure and 28 U.S. Code § 636(b)(1) require, the U.S. District Court Judge reviewed
the Magistrate Judge’s recommendations and accepted them. U.S. v. Bendelladj, supra. He then denied Bendelladj’s motion
to suppress. U.S. v. Bendelladj, supra.