FBI Tries New Rule 41 Changes On For Size In Fight Against Long-Running Botnet

from the one-warrant;-all-the-computers dept

The DOJ is proud to announce it’s flexing its new Rule 41 muscle. The changes proposed in 2015 sailed past a mostly-uninterested Congress and into law, giving the FBI and other DOJ entities permission to hack computers anywhere in the world with a single warrant.

With the new rules, the law has finally caught up with the FBI’s activities. It deployed a Network Investigative Tool — the FBI’s nifty nickname for intrusive malware that sends identifying info from people’s computers to FBI investigators — back in 2012 during a child porn investigation and mostly got away with it. It tried it again in 2015 and ran into a bit more resistance.

Rule 41’s (former) jurisdictional limitations meant the FBI wasn’t supposed to be able to “search” computers all over the US using a single warrant issued in Virginia. This activity was supposed to be confined to the state of Virginia. The aftermath of the Playpen investigation has led to a multitude of conflicting judicial opinions. Some have found the warrant invalid and the evidence obtained worthless. Others have granted good faith exceptions or determined no privacy violation took place. In at least one case, the government has dismissed the charges rather than expose any information about its Rule 41-flouting NIT.

In this case, the FBI isn’t hacking computers to uncover child porn site visitors. Instead, it’s going to be fiddling with a lot of computers to take down a botnet. The DOJ press release makes particular note of how lawful this all is now, post-Rule 41 amending:

In seeking authorization to disrupt and dismantle the Kelihos botnet, law enforcement obtained a warrant pursuant to recent amendments to Rule 41 of the Federal Rules of Criminal Procedure. A copy of this warrant along with the other court orders are produced below.   The warrant obtained by the government authorizes law enforcement to redirect Kelihos-infected computers to a substitute server and to record the Internet Protocol addresses of those computers as they connect to the server. This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

The search warrant [PDF] application leads off with this as well, waving it in front of its unusual request like a wary vampire hunter’s cross.

I make this affidavit in support of an application for a warrant under Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt the Kelihos botnet currently under the control of Peter Yuryevich LEVASHOV, a criminal hacker. The operation, which is particularly described in Attachment A and Attachment B, involves the distribution of updated peer lists, job messages and/or IP filter lists, further described in Attachment B, to the TARGET COMPUTERS currently infected with the Kelihos botnet malware in violation of Title 18, United States Code, Sections 1030, L343, and 2511, as described in Attachment A. This operation will also obtain the Internet Protocol addresses and associated routing information of those infected computers, and those addresses are evidence of crimes committed by LEVASHOV. A PRTT order has been requested for the purpose of attaining those IP addresses and associated routing information. This operation will not capture content from the TARGET COMPUTERS or modify them in any other capacity except limiting the TARGET COMPUTERS’ ability to interact with the Kelihos botnet.

The intent here is to dismantle the botnet by freeing zombie computers. All well and good, except it’s not the government pointing victims to malware removal tools, but rather letting themselves into the “house” to size up infections before passing this info on to third parties to actually perform the removals.

This new form of intrusion raised concerns in Congress, but the DOJ insisted the changes were innocuous and please let’s all stop talking about this before someone stops the Rule 41 amendments slow roll to tacit approval.

Here it is in action: thousands of computers temporarily hosting digital G-men. We’re in unknown territory right now with the FBI’s anti-botnet work. The FBI itself doesn’t even appear all that sure about the extent of its new Rule 41 powers. As is noted in the warrant, the FBI also applied for a Pen Register/Trap and Trace (PRTT) order [PDF] just in case.

Other than the three elements described above, federal law does not require that an application for an order authorizing the installation and use of a pen register and a trap and trace device specify any facts. The following additional information is provided to demonstrate that the order requested falls within this Court’s authority to authorize the installation and use of a pen register or trap and trace device under 18 U.S.C. g 3123(a)(1).

This is the FBI basically saying the law doesn’t require this application, but here it is anyway. A CYA PRTT for the interception of communications metadata that might help identify botnet victims. And for all its talismanic waving of Rule 41, the FBI isn’t even sure it’s really required to seek a warrant to perform this botnet cleanup. From the warrant affidavit:

To effectively combat the P2P structure of the Kelihos botnet, the FBI with assistance of private partners will participate in the exchange of peer lists and job messages with other infected computers. The FBI’s communications, however, will not contain any commands, nor will they contain IP addresses of any of the infected computers. Instead, the FBI replies will contain the IP and routing information for the FBI’s “sinkhole” server. As this new routing information permeates the botnet, the Kelihos infected computers will cease any current malicious activity and learn to only communicate with the sinkhole. The effect of these actions will be to free individual infections from exchanging information with the Kelihos botnet and with LEVASHOV. This will stop Kelihos’s most immediate harm, the harvesting of personal data and credentials, and the transmittal of that data to servers under LEVASHOV’s control.

Another portion of the Kelihos job messages is a list, known as the IP filter list. This list functions as a type of blacklist, preventing communication with those IPs contained within the filter list. If necessary, the FBI also seeks authorization to send a filter list to TARGET COMPUTERS to block Kelihos infected computers from continuing to communicate with router nodes.

The footnote attached to this reads:

The law is unsettled as to whether the operation authorized by the proposed warrant constitutes a search or seizure. However, in an abundance of caution, the United States is seeking a warrant.

It looks like the FBI is tentatively exploring its new powers, making sure it has the paper trail it needs to stave off courtroom challenges. If it sticks to disrupting a botnet, it shouldn’t face any. If it takes advantage of its new access privileges, it might.

Filed Under: , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FBI Tries New Rule 41 Changes On For Size In Fight Against Long-Running Botnet”

Subscribe: RSS Leave a comment
Anonymous Coward says:

This will enable the government to provide the IP addresses of Kelihos victims to those who can assist with removing the Kelihos malware including internet service providers.

And also give added impetus to all those fake Microsoft support scams. "The FBI has informed us that…." and send them to an official site "validating£ that claim…

Anon E. Mous (profile) says:

So the FBI wants to tip toe around in computer that it can access around the world, and there saying this is to deal with botnets? Yeah ask me how much I think they will only use it for that.

So why wouldn’t they go after the main infrastructure of the botnet rather than the computers swept up in it? It wouldnt be the fact that they can have a peak in say those 50k computers that were made part of the botnet and see what is all in them would it?

What is to stop the FBI from searching around or looking for anything else that they deem to be of importance to them and send it back to their own servers or servers off shore that they could rent, nothing really other than there word that they wont do this.

No offense but I dont exactly believe that the FBI wouldn’t use anything else it gleaned that they thought has value to further an investigation.

This is a slippery slope, in that they dont want to target the offending infrastructure and send out a command or an update to infected computers to poit to malware removal tools or to remove an infection at so and so site, they want to access the zombies with a NIT, and that is an issue in my mind

There is a high potential for abuse and you can bet your ass that everyone who wants something done with the FBI new ability to gain access to computers elsewhere will be all over to have the FBI do what they were unable to do thru legal means, like say are good friend at the MPAA and RIAA or say Microsoft or Apple to site that is selling illegal software or jail breaking apps.

There is a high potential that the FBI could become a gun for hire to do what some groups cant thru legal channels for the above mentioned companies and organisations, and once that path gets taken then it’s open season

Anonymous Coward says:

I know this opinion will not be very popular on this site, but I would like to share anyway.

The government has a long and well document history of invading our privacy. From snooping on our reading habits in libraries, to snooping around in our computers. They will get what they want eventually. They will shop court venues until they get it, or they will flat out break the law. I could spend all day cutting and pasting “citations”, but I’m not going too. It’s so prevalent I shouldn’t have too. They have significant resources, and patience. Just the right “Think of the children” moment will happen, and they will get what they want.

Knowing this, I think the only REAL way for citizens to combat this is by making it so difficult and costly that they cannot afford to do these bulk invasions. I believe the only way we can do that, is if we somehow thrust the threat of losing our privacy into the spotlight for the common citizen so they begin learning and implementing protections. This would significantly cut down on the Bot population as well right?

The average citizen is not going to do that when they have a false sense of security from organizations with no teeth such as the FCC. They need something really shocking and “scary”. I’m hoping that the destruction of the broadband rules is it. I hope it catapults VPN’s, Ghostery, and a host of other tools to mainstream.

How ironic would it be? Huge surge in private sector privacy tools takes place, making it significantly more difficult for the government to snoop. All because the bought and paid for politicians were trying to make the corporations happy.

I think the Government just started the biggest whack a mole game since the AA’s took the field.

John Cressman (profile) says:

So what if...

So, what if… in the course of “disrupting the botnet” they discover say… child porn, downloaded movies or *gasp* unpaid parking tickets… can they then request a new warrant based on the former breaking into systems.

I’m sorry, but that warrant, even if it passed muster, is too overbroad.

To put it in physical terms- Hi, judge, we think a bad guy is hiding somewhere in the US, can you give us a warrant to search every house in the US?

Personanongrata says:

Incrementalists and their Mechanisms of Control

The DOJ press release makes particular note of how lawful this all is now, post-Rule 41 amending

How comforting DOJ (HAHA) has pronounced how lawful this all is now.

"Official" government acts carried out in National Socialist Germany and in the Soviet Union were lawful too.

A governments definition of lawful is a wholly different definition than that found in a dictionary.

How is the water frogs?

That One Guy (profile) says:

Some good, some not so good

I actually applaud their decision to go the extra mile to get a warrant and a PRTT order ‘just in case’, and think that that part at least is good.

Not too thrilled about the idea of ‘One warrant to search them all’ LoTR style, but I’ve often argued that if the action is questionable police and/or government agencies should get a warrant anyway, to create some sort of paper trail of what they intend if nothing else.

As for the ‘not so good’…

This operation will not capture content from the TARGET COMPUTERS or modify them in any other capacity except limiting the TARGET COMPUTERS’ ability to interact with the Kelihos botnet.

If I felt I could believe them when they said they’ll only identify infected computers and use that info to disrupt the botnet, I might see this as a good use of their new toy. Killing a botnet is a tricky thing, and if all they’re doing is identifying them so they can stop them from communicating to the owner of the botnet, that seems like a reasonable use of their power.


As history has made abundantly clear, a new power will always grow in scope. Where today they pinky promise that they will most certainly not investigate the contents of the computers they’re finding, now that they have the ability I wouldn’t expect that to last. Warrants are specifically gears towards allowing searches, and now that all it takes is one warrant for any number of computers, I fear it’s merely a matter of time until they put that to use.

@b says:

Two hacks dont make a Right

That list of infected IP Addresses is basically a list of vulnerable machines.

If it is copied, shared or leaked then the victims are at real risk of being re-victimised.

I would rather the counter-hackers would clean my computer, rather than patch it. And then keep re-cleaning it robotically, as required. You know, like, free house work rather than pop my address on a list of suckers for their builder mates to go visit.

oliver says:

Those jack-booted thugs have to relieve themselves from the myth that an IP address is anything to go for!! An IP address harvested in the wide bowls of the internet does not lead anyone to a person to deal with, or in this case to help “remove malware”! The harvesting of IP addresses is first of all trivially easy to compromise by how easy it is to FAKE an IP address, ansd secondly any one such fishing expedition of IP addresses has a scientificaly proven false-positive rate of 50%. ..nuff said!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...