Monday, June 29, 2015

The SpyEye Trojan, Abuse.ch and the Motion to Suppress

This post examines an opinion a U.S. District Court Judge who sits in the Northern District of Georgia issued recently in a criminal case:  U.S. v. Bendelladj, 2015 WL 3650219 (U.S. District Court for the Northern District of Georgia 2015). The issue the judge addresses in the opinion involves a motion to suppress evidence; if you are interested in the charges, and the facts that gave rise to those charges, check out the news stories you can find here and here. And you can find the indictment here
The District Court Judge assigned Hamza Bendelladj’s motion to suppress to a U.S. Magistrate Judge. U.S. v. Bendelladj, supra.  Pursuant to Rule 59 of the Federal Rules of Criminal Procedure, the Magistrate Judge was to review the motion, analyze the arguments it made and the relevant law, and write a Report and Recommendation (“R&R”) reporting to the U.S. District Court Judge whether the motion should be granted or denied.  U.S. v. Bendelladj, supra.
In his motion to suppress, Bendelladj “challenge[d]” the
February 25, 2011 search warrant which authorized a search for

`Information associated with IP Address 75.127.109.16 and the domain name 100myr.com that is stored at premises owned, maintained, controlled, or operated by Global Net Access, LLC, a company headquartered at 1100 White St. S.W. Atlanta, Georgia, 20210.’
R&R - U.S. v. Bendelladj, supra.  
The Magistrate Judge began his analysis of Bendelladj’s motion by explaining what the FBI Agent who obtained the warrant, Special Agent Mark C. Ray, did to establish the probable cause on which the warrant had to be based.  U.S. v. Bendelladj, supra.  Under Federal Rules of Criminal Procedure Rule 41(d)(1), a District Court Judge must issue a search warrant if a federal agent submits an application for the warrant and an affidavit that establishes probable cause for issuing the warrant. You can, if you interested, find an example of a search warrant application and supporting affidavit here. In this case, the search warrant was issued by another U.S. Magistrate Judge, i.e., not by the one who is reviewing Bendelladj’s motion to suppress here.
The Magistrate Judge in this case explained that Agent Ray submitted an affidavit, in support of his request for a search warrant, in which he
recounted his training and experience in the computer crimes area, including both law enforcement training and experience and private industry. . . . He defined technical terms such as `server,’ `IP address,’ `domain name,’ `hot [sic] and botnet,’ `Banking Trojan,’ `keynote logging [sic],’ `form grabbing,’ and `malware.’ . . .He then alleged that in December 2009, a new malware toolkit called SpyEye v1.0 appeared for sale on Russian underground online forums. . . . Investigation revealed `Gribodemon’ to be SpyEye's creator. . . . The affiant concluded that Spy Eye was similar to another malware called Zeus Banking Trojan, in that each used keystroke logging and form grabbing techniques designed to steal financial and personally identifying information from unsuspecting computer users. . . .

The affidavit then recounted that the creator of Zeus Banking Trojan announced that he intended to hand over the source code for Zeus to Gribodemon, who indicated on online criminal forums that he intended to combine Zeus and SpyEye into a larger more malicious malware toolkit. . . .The affidavit then explained that thereafter a combined malware, SpyEye v1.3.05, was released. . . .

The affidavit continued that a SpyEye Command and Control (`C & C’) server is a computer system administered by one or more individuals that is used remotely to send commands to the victim computers (bots) under its control. . . . The affidavit related that several SpyEye C & C servers had been identified worldwide by their IP addresses, including one previously operating in this District and another which was currently active in this District and the subject of the search warrant application. . . .The affiant stated . . . that there are several websites available in the malware research industry designed to locate computers or servers connected to the Internet that are infected with or operating malware and botnets.

Specifically, the website called Spy Eye Tracker (https:// spyeyetracker.abuse.ch) identified SpyEye C & C servers worldwide, by searching for and locating files on computer systems that are uniquely associated with SpyEye. SpyEye Tracker was developed by the Swiss internet security research firm Abuse.eh. Abuse.ch developed the well known Zeus Tracker website (https:// zeustracker.abuse.ch). I have learned through discussions with members of the internet security industry and law enforcement that the Zeus Tracker website is utilized by corporations and law enforcement agencies worldwide for identifying Zeus C & C servers. In addition, I have learned from these discussions that many information security organizations and law enforcement agencies around the world recognize SpyEye Tracker as a reliable source of identifying SpyEye C & C servers. I am not aware of any instances in which SpyEye Tracker has misidentified a particular IP address as hosting a SpyEye C & C server.

18. On December 16, 2010, I obtained a similar search warrant for another suspected SpyEye C & C server hosted by a company in Omaha, Nebraska. The affidavit I submitted in support of the search warrant application relied, in part, on the fact that the suspected SpyEye C & C server had been identified as such on SpyEye Tracker.[ ] On January 26, 2011, I obtained three other search warrants for suspected SpyEye C & C servers hosted by companies in Orlando, Florida, Kansas City, Missouri, and New York, New York. The affidavits I submitted in support of those search warrant applications also relied, in part, on the fact that the suspected SpyEye C & C servers had been identified as such on SpyEye Tracker.[ ] The information obtained pursuant to all four search warrants confirmed that the suspected SpyEye C & C servers were, in fact, SpyEye C & C servers; thus, supporting the reliability of SpyEye Tracker in identifying SpyEye C & C servers.

19. Based on my training and experience, I know that malware research websites such as SpyEye Tracker use various methods for identifying and labeling servers connected to the internet as SpyEye C & C servers. For example, one common method is setting up a computer as a “honey pot.” A honey pot in the malware research field is a computer that is connected to the internet with the intention of becoming infected with malware such as SpyEye. The computer is intentionally left in a vulnerable state (that is, no anti-virus protection) so that the person who establishes the honey pot can identify the source of the vims such as a SpyEye C & C server once the computer becomes infected. This is done by capturing the IP Addresses associated with distributing and operating the malware. While I do not know the specific method SpyEye Tracker uses to identify any specific server as a SpyEye C & C server, based on my training and experience, I believe that the various methods of which I am aware are reliable.

20. On February 17, 2011, at 11:23 p.m., I reviewed the SpyEye Tracker website. The following information was observed:
SpyEye C & C
IP address
Level
Status
Files Online
Country
AS numb er
100myr.com
75.127.109.16
4
online
2
USA
AS16626
This information indicates that the server with IP address 75.127.109.16, utilizing the domain name 100myr.com, is being utilized as a SpyEye C & C server. . . . This IP address is owned, maintained, controlled, or operated by Global Net Access LLC, a web hosting company headquartered at 1100 White St, SW, Atlanta, Georgia 30310. SpyEye Tracker is updated on a daily basis, thus I have reason to believe that malicious code is still on this server.
R&R - U.S. v. Bendelladj, supra. (Unfortunately, Blogger truncates the full version of the information from the SpyEye Tracker site, which is given as a set of columns of figures, and I cannot find it anywhere online.) 
The Magistrate Judge noted that the affidavit
also related that the suspected Omaha SpyEye C & C server had been identified as such on another website, malwaredomainlist.com (http://www.malwaredomainlist.com), while the servers in this case and the ones in Orlando, Kansas City and New York had not been identified as such on malwaredomainlist.com. . . .

Finally . . .the affidavit provided that Global Net Access LLC is a business that maintains servers connected to the Internet and offers those servers for customers to use to operate websites, store and process information and perform other web-based activities. It also stated that a provider such as Global Net Access gives customers, for a fee, access to its servers and often offers related services such as domain name registration and e-mail service. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then noted that Bendelladj alleged, in support of his motion, that
the primary source of the information in the warrant application is from a website called Abuse.ch, which Bendelladj likens to a confidential informant. He argues that in effect Abuse.ch is just a blog, that is, an unfiltered personal internet account, with no identifiable contributor. Bendelladj submits that the unknown contributor associated with Abuse.ch lists IP addresses asserted to be malware, however, this information has not been shown to have been vetted, cannot be verified nor can it be recreated since Abuse.ch does not maintain an archive.

In addition, he alleges that although this website is associated with the `Swiss Information Security Research Association’ and `Bernet Monika,’ the only cross-reference to this information is the website itself. . . . Bendelladj also points out that the affiant conceded he was unaware of the methodology Abuse.ch used to obtain the IP addresses it puts on the suspected malware list, and argues therefore that the website's reliability or accuracy cannot be checked. He also argues that the bald statement that Abuse.ch is relied upon by security organizations and law enforcement agencies around the world is not sufficient, since these entities are not identified. . . .

Bendelladj next argues that the supporting affidavit's acknowledgment that the suspected malware in this case, SpyEye C & C, did not show up on another respected cyber-security website, www.malwaredomainlist.com, is another reason to suspect Abuse.ch's reliability. . . . Finally, he argues that the Abuse.ch webpage screenshot attached to the affidavit shows `no results’ for linking 100myr.com to the Atlanta-based IP address. . . .
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then addressed Bendelladj’s arguments, starting with Abuse.ch:
[t]he issuing magistrate judge was justified in concluding that the information from Abuse.ch was reliable and thus probable cause existed to issue the search warrant.

First, the affiant related that Abuse.ch was relied upon by other law enforcement officers (and private security organizations) in their efforts in detecting both Zeus Banking Trojan and SpyEye malware. Observations of fellow officers engaged in a common investigation are a reliable source for a warrant. . . .U.S. v. Kirk, 781 F.2d 1498 (U.S. Court of Appeals for the 11th Circuit 1986). . . . The fact that the law enforcement agencies were not identified does not render the information unreliable; after all, search warrants may be based upon information from anonymous lay informants. . . . See U.S. v. Brundidge, 170 F.3d 1350 (U.S. Court of Appeals for the 11th Circuit 1999). What is critical is that the confidential information be reliable. In this case, it was.
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then pointed out that the affiant whose statement supported issuing the warrant
asserted facts that corroborated the reliability of both Abuse.ch and the opinion of Abuse.ch's reliability held by the anonymous law enforcement agencies and private security organizations. First, the fact that Abuse.ch accurately identified IP addresses associated with the Zeus Banking Trojan makes it more likely that Abuse.ch's listing of the subject IP address as SpyEye malware also was accurate. See U.S. v. Morales, 238 F.3d 952 (U.S. Court of Appeals for the 8th Circuit 2001) (`Information may be sufficiently reliable to support a probable cause finding if the person providing the information has a track record of supplying reliable information, or if it is corroborated by independent evidence’); U.S. v. Ridolf 76 F.Supp.2d 1305 (U.S. District Court of Appeals for the Middle District of Alabama 1999) (recognizing that one way to test reliability and veracity is to examine the informant's `track record’ of providing reliable information in the past).
R&R - U.S. v. Bendelladj, supra.
The Magistrate Judge then explained that Bendelladj’s arguments failed because,
[s]econd, Agent Ray utilized Abuse.ch's information in support of search warrants for suspected SpyEye C & C servers in Omaha, Orlando, Kansas City and New York, and the information was shown to be reliable as these IP addresses were discovered to be SpyEye.
R&R - U.S. v. Bendelladj, supra.
He also pointed out two more reasons why Bendelladj’s arguments did not succeed:
Third, it appears from the affidavit that Abuse.ch's SpyEye Tracker is just as reliable as another malware research tool, malwaredomainlist.com, that Bendelladj holds up as accurate. While he claims that the subject IP address appeared on Abuse.ch's list but did not appear on malwaredomainlist.com, the affidavit also recounted that the SpyEye C & C servers in Orlando, Kansas City and New York similarly did not appear on malwaredomainlist.com but were found to be malware. Thus, that the instant IP address did not appear on the other tracking list does not render SpyEye Tracker unreliable.

Fourth, the warrant is not fatal because Abuse.ch's methodology in creating its SpyEye Tracker list is unknown. There is no precedent or authority demanding that the reliability standard of Daubert v. Merrell Dow Pharms., Inc., 509 U.S. 579 (1993), be applied to investigative procedures used by law enforcement in order for the search warrant to contain probable cause for the search, nor does Daubert hold that this standard must be applied to the probable cause analysis. United States v. Pirosko, 2013 WL 5595224 (U.S.District Court for the Northern District of Ohio 2013).

Here the Court has found that the information from Abuse.ch was reliable, and thus the issuing magistrate judge was entitled to rely upon it in his consideration of whether probable cause to search existed. The same holds true for Bendelladj's argument that he cannot recreate Abuse.ch's results, since `probable cause must exist when the magistrate judge issues the search warrant,’ U.S. v. Santa, 236 F.3d 662 (U.S. Court of Appeals for the 11th Circuit 2000) (quoting U.S. v. Harris, 20 F.3d 445 (U.S. Court of Appeals for the 11th Circuit 1994)). The fact that the information cannot be duplicated or recreated does not mean it was not reliable at the time the warrant issued.      
R&R - U.S. v. Bendelladj, supra.
And, finally, the Magistrate Judge explained that the fact that Bendelladj
could not find sufficient information on the entity and person associated with Abuse.ch does not detract from the reliability of Abuse.ch's SpyEye Tracker list as demonstrated in the affidavit for the search warrant. The list is used by law enforcement and private security organizations to detect the SpyEye malware, and in using IP addresses listed on SpyEye Tracker, in addition to other information, the affiant was able to discover SpyEye malware in at least four other IP addresses. That is sufficient to demonstrate reliability.

Thus, the information from Abuse.ch was reliable and, under the totality of circumstances, that the subject IP address was listed on Abuse.ch's SpyEye Tracker list properly contributed to the issuing magistrate judge's conclusion that probable cause existed to issue the warrant.

Finally, the Court takes note of Bendelladj's argument that Exhibit A to the search warrant affidavit shows `no results’ for three of the URL searches performed by the affiant. However, it is Bendelladj's burden to show that the warrant was invalid, and the bare statement in his motion about these `no result’ entries, given that the same exhibit shows that there was a `hit’ for SpyEye malware on the IP address, is not sufficient to undermine the finding of probable cause in this case.
R&R - U.S. v. Bendelladj, supra.
For these and other reasons, the Magistrate Judge recommended that Bendelladj’s motion to suppress be denied.  R&R - U.S. v. Bendelladj, supra.
Then, as Rule 59(b)(3) of the Federal Rules of Criminal Procedure and 28 U.S. Code § 636(b)(1) require, the U.S. District Court Judge reviewed the Magistrate Judge’s recommendations and accepted them. U.S. v. Bendelladj, supra. He then denied Bendelladj’s motion to suppress.  U.S. v. Bendelladj, supra.


No comments: