FBI, Federal Judge Agree Fighting Botnets Means Allowing The FBI To Remotely Install Software On People’s Computers

from the all's-fair-in-love-and-cyber-war dept

The ends aren’t always supposed to justify the means. And a federal agency that already raised the hackles of defense lawyers around the nation during a CSAM investigation probably shouldn’t be in this much of a hurry to start sending out unsolicited software to unknowing recipients.

But that’s the way things work now. As a result of the DOJ-propelled push to change Rule 41 jurisdiction limitations, the FBI is now able to infect computers anywhere in the United States using a single warrant. In the “Playpen” case, the software was used to obtain information about users and devices visiting a seized (but still live) dark web CSAM site.

A couple of years later, the lack of jurisdiction limitations was used for something a bit more useful for even innocent computer users: the FBI secured a single warrant authorizing it to send its botnet-battling software to computers all over the nation, resulting in the disinfection of thousands of computers.

And while this all seems like a net positive for US computer users, the underlying facts are a bit more worrying: judges will allow the FBI to place its software on any user’s computer at any time, provided it can convince a court the end result will be something other than a massive number of privacy violations.

It’s inarguable that disrupting botnets is a public good. But is it inarguable that disruption should occur by any means necessary… or, at least, any means convenient? The disruption of another botnet has been achieved with the assistance of the FBI, a federal judge, and some government software deployed without notification to an unknown number of infected devices.

The FBI quietly wiped malicious programs from more than 700,000 computers around the world in recent days, the agency said Tuesday, part of an operation to take down a major component of the cybercrime ecosystem.

[…]

The FBI got a court’s permission to proceed with the operation on Aug. 21, according to a copy of the warrant. Agents proceeded to hack into Qakbot’s central computer infrastructure four days later, the FBI announced, and forced it to tell the computers in its botnet to stop listening to Qakbot.

An unnamed FBI “source” added this:

Victims will not be notified that their devices had been fixed or that they had ever been compromised, he said.

All of that was accomplished with a five-page warrant [PDF] that doesn’t have much to say about the probable cause compelling this invasion of users’ computers. The warrant authorized the FBI to, in effect, “search” every computer it sent its software to.

PROPERTY TO BE SEARCHED
This warrant applies to the electronic storage media contained in victim computers located in the United States onto which malicious cyber actors have installed, without authorization, the Qakbot malware, and which computers are in communication with the Qakbot botnet infrastructure.

What’s not immediately clear is how the FBI determined which computers were infected. Instead, the warrant seems to authorize an intrusion into all computers the FBI could access, with infections determined following the mass search.

The warrant says “remote access techniques may be used”:

To search the electronic storage media identified in Attachment A [PROPERTY TO BE SEARCHED, as shown above] and to seize or copy from those media any electronically stored information, such as encryption keys and server lists, used by the administrators of the Qakbot botnet to communicate with computers that are part of the Qakbot botnet infrastructure; and

To search the electronic storage media identified in Attachment A and to seize or copy from those media any electronically stored information, such as IP addresses and routing information, necessary to determine whether any digital device identified in Attachment A continues to be controlled by the Qakbot administrators after the seizure or copying of the electronically stored information identified in Paragraph 1.

At first glance, it might appear that the FBI limited its software deployment to known infected devices. But that’s clearly not the case, as was noted earlier in the NBC report quoted above. Here are the facts again, given a bit more weight with the addition of the FBI’s RAT warrant:

The FBI got a court’s permission to proceed with the operation on Aug. 21, according to a copy of the warrant. Agents proceeded to hack into Qakbot’s central computer infrastructure four days later, the FBI announced

So, odds are the FBI didn’t know which computers were infected when it deployed its “remote access technique.” That means it was given permission to target any device it could access via the internet, with controlling factors only appearing four days after it had already performed its “search.”

The only mitigating factor is the last paragraph of the approved warrant. And that’s only mitigating if you believe the FBI would not use this opportunity to sniff around for other things it might be interested in.

This warrant does not authorize the seizure of any tangible property. Except as provided in the accompanying affidavit and in Paragraphs 1 and 2, this warrant does not authorize the seizure or copying of any content from the electronic storage media identified in Attachment A or the alteration of the functionality of the electronic storage media identified in Attachment A.

All this means is the court trusts the FBI not to abuse this access. And it forces all of us to operate by the same questionable standard, since the FBI has made it clear it is not willing, nor legally obligated, to inform computer users their computers were compromised by FBI software, however briefly or usefully.

Given that lack of disclosure, it will be almost impossible to challenge evidence of other criminal activity that might have been obtained during this mass search. It also means users aren’t able to double-check the FBI’s work by ensuring their devices are free of either botnet infections or FBI software.

And there’s a very good chance the FBI handled this all honestly and decently and actually performed a useful public service. The point is there are now court-accepted mechanisms in place that would easily allow the FBI to engage in activities that are more abusive of people’s rights without worrying too much about judicial oversight and/or victims of questionable spyware deployments ever finding out they were targeted during FBI activities ostensibly meant to take down botnets.



Comments on “FBI, Federal Judge Agree Fighting Botnets Means Allowing The FBI To Remotely Install Software On People’s Computers”

23 Comments
Zach says:

Used the botnet to install the code

My understanding was the FBI used the botnet it compromised to install the code removing the botnet. They didn’t randomly access whatever computers they could, they accessed the botnet!

In fact, by uninstalling the botnet client software on the affected computers the FBI removed the method by which the FBI could access these computers.

Zach says:

Re: Re: ¯\_(ツ)_/¯

Who knows? But the way this article is written implies that the fbi had some superset of computers that may or may not have been infected and then it executed a warrant to remove stuff against the superset that might have included non-infected systems.

What’s not immediately clear is how the FBI determined which computers were infected. Instead, it seems to authorize an intrusion into all computers it could access, with infections determined following the mass search.

That’s not what happened. Infected computers checked in with the botnet the FBI gained control of. They announced themselves.

It’s possible, as you imply, that it did other things with that access outside the warrant. And maybe it excluded some computers, but generally what happened is the botnet computers checked in with the FBI controlled central botnet control and then the FBI told the computers to uninstall the software that allowed the botnet to control them.

Anonymous Coward says:

the FBI secured a single warrant authorizing it to send its botnet-battling software to computers all over the nation, resulting in the disinfection of thousands of computers.

The FBI quietly wiped malicious programs…

… which is much like prescribing a 4 month Tuberculosis treatment regimen, and then stopping after 3 months with “they’ve stopped coughing, that’s good enough”.

Without the operators being aware that their systems were hacked, and particularly without those operators taking steps to tighten security, those systems will be reinfected quite soon. Perhaps even based on a list of nodes from the now-defunct botnet.

“but those systems might be in (mission-critical/life support/etc) positions!” Right. And when the next ransomware attack comes through, I’m sure that system will continue operating as normal because ransomware gangs have a heart, right? /s

pegr says:

Re: Are you suggesting…

Are you suggesting the FBI should push patches to the affected devices?

And what if the FBI turned off my known and legitimate botnet client!

If your box is part of a botnet, it’s not your box anymore. FBI should be fine turning it down. But it certainly brings up many reasons why there needs to be a public policy and oversight for these kinds of actions. Of course, Law Enforcement is second only to IT for the ability to dodge accountability.

Anonymous Coward says:

Re: Re:

… second only to IT for the ability to dodge accountability.

Sorry, only the One True BOFH is able to escape culpability. You know what that means for the PFY in such a scenario, right?

Humor aside, there is another small problem, and that is the nature of assigned IP addresses. Most of those 700K units are on dynamic assignments, not static. After a month, or less in some cases, IP addresses are often “recycled” back into the pool, and a new address is assigned to a particular user. That’s going to throw a major portion of the remedial effort for a loop, I’m sure.

Anonymous Coward says:

While the upshot is largely reasonable, and something to be expected via some mechanism at some point, I would agree with at least parts of some comments above that the article sees more excess than there is here.

Having a hell of a time checking the warrant application on this phone, so i can’t tell if Attachment A is there, much less read it. But i already suspect they targeted exactly the infected nodes because they used the C&C server to reverse the infection. Possibly with the malware’s own functions or its toolset, and possibly minus any FBI uh… software on the client side.

HotHead (profile) says:

Rights don't exist any time a computer is involved?

A general warrant, anathema to the spirit of the Fourth Amendment. Actually, this is worse than a general warrant because the warrant is focused on searching victims rather than searching for suspects.

This is analogous to the FBI’s being able to enter my house at any time of the day and as often as the FBI desires to search my entire house to determine whether an uninvited stranger secretly planted a bomb in my house, without evidence to suggest that an uninvited stranger ever entered, never mind planted a bomb. And of course if I’m told neither about the visit nor about whether there was a stranger in my attic, how the hell am I supposed to believe that the FBI’s reasons for searching and the scope of the search are in any way related to a supposed bomb planting?

HotHead (profile) says:

Re:

And of course if I’m told neither about the visit nor about whether there was a stranger in my attic…

I changed my analogy but forgot to update this part. I meant to say:

And of course if I’m told neither about the visit nor about whether they found a bomb in my house, how the hell am I supposed to believe that the FBI’s reasons for searching and the scope of the search are in any way related to a supposed bomb planting?

Rich (profile) says:

Search? Who cares

The problem with this case isn’t what the feds did or didn’t search, how they managed to install software, nor whatever their method of targeting might have been. For the sake of argument, assume that all the feds did is use the botnet itself to send out a nugget of code to a bunch of machines already infected with botnet code. Once that nugget of code is there, the next step would be to consult any data that the bot might have left behind in order to find other infected computers. The real world equivalent would be that the FBI would need individual warrants for each point of entry, and then individual warrants to search each location listed by each discovered bot, at an exponential rate. This is obviously impossible.

The problem is that if one were to believe that the fbi were indeed honestly trying to dismantle a dangerous botnet, then perhaps this weapons-grade shit-pile of a warrant might seem acceptable, but in reality, now that this turd has been delivered and carefully planted in the US legal system, it will slowly mature and ferment, until it can be dug up, refined, distilled, and bottled so when the next major blanket rights violation comes up, we will all be given a nice bottle of artisan, hand-crafted, slow-brewed precedent bullshit that will convince us all to relax and continue our mindless grazing in the wonderful green pastures of ignorance.

All right, maybe I went off the rails there, but you get my point. It’s the precedent that fucks you in the end.

Anonymous Coward says:

Re:

Rich is correct, the danger isn’t in the warrant itself, it’s the precedent that the warrant could possibly set, sometime in the future.

I’m unaware (yes, woefully so) of the current state of affairs in re this fiasco, so I’ll not make any predictions or such, but I do hope that the courts see it for the turd it is and flush all of the collected evidence down the shitter.

Anonymous Coward says:

Good thing I’m on a Debian derivative. Open source may lead a state actor to say “Hey, if I insert this line of code right here, I can then hack into anyone running this OS (or any other piece of software)”. Of course the big BUT here is, he’ll first have to install it on to my rig.

And even though many eyes are checking open source code on an almost daily basis, I still compare the hash values before installing anything, even updates from trusted repositories. Good luck getting past that, G-man.
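The commenter’s habit of comparing hash values before installing anything is the one concrete defensive step on this page, so here is an added example of that check (this is not code from the article or from any commenter). It verifies files in a directory against a sha256sum-style manifest, reporting each entry as ok, MISMATCH or MISSING, and uses a constant-time comparison for the digests. The manifest text, the file names and their contents are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample files standing in for a downloaded package and its signature.
SAMPLE_FILES = {
    "tool-1.0.tar.gz": b"pretend this is a tarball\n",
    "tool-1.0.tar.gz.sig": b"pretend this is a detached signature\n",
}

HEX = set("0123456789abcdefABCDEF")


def sha256_of_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large archives don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (the format sha256sum emits).

    Returns {filename: lowercase hexdigest}. Blank lines and '#' comments are
    skipped; a leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <filename>'")
        digest, name = parts
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"manifest line {lineno}: '{digest}' is not a SHA-256 hex digest")
        entries[name] = digest.lower()
    return entries


def verify_directory(directory, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        # compare_digest avoids leaking which prefix of the digest matched via timing.
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Write the constructed files, verify them, tamper with one, verify again."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest_lines = [
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in SAMPLE_FILES.items()
        ]
        # A manifest entry for a file that was never downloaded (digest value is constructed).
        manifest_lines.append("0" * 64 + "  missing.txt")
        manifest = "\n".join(manifest_lines)

        before = verify_directory(d, manifest)
        # Append one byte to the archive to simulate tampering in transit.
        with open(os.path.join(d, "tool-1.0.tar.gz"), "ab") as f:
            f.write(b"x")
        after = verify_directory(d, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

A matching digest only proves the file is the one the manifest describes; it says nothing about whether the manifest itself is authentic. Fetch the manifest over a separate trusted channel (or verify a signature on it) or the check collapses to comparing a file against whatever the same attacker published next to it.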

HegemonicDistortion (profile) says:

3rd Amendment

Seems like a potential 3rd Amendment question, which has been construed by the courts much more broadly than the quartering of troops in private homes of the literal text.

See, for example, “When Cyberweapons End Up on Private Networks: Third Amendment Implications for Cybersecurity Policy,” by an attorney at EPIC, at:
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2257078

Col mustard says:

Misleading article

This article makes it seem like the FBI has carte blanche access to any computer in the world, which is absolutely not how these softwares are deployed. The author is minimizing the way in which the computers are targeted, i.e. by visiting a csam for site or being part of an active botnet. They can’t just hack any random computer using an exploit. In fact they’re not even using software exploits to achieve code execution.

Anonymous Coward says:

and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Even if the FBI can identify computers with searching all computers, they sorely lack the “particularly describing the place to be searched” requirement. “All computers with this malware” is not a particular description.

Rich (profile) says:

Re: Awww...that's so cute...

You still seem to be under the misapprehension that the government gives two fucks about the constitution.

It only takes the right person in the right place to quietly utter the word “terrorism”, and all that pesky nonsense about probable cause, due process, fair trials, and even habeas corpus will be brushed aside, because when delusions of push come to the imaginings of shove, we are “governed” by the Patriot Act, and the damage it has wrought that still spiderwebs its way through the legal system.

cheddarB0b42 says:

So now my question is...

If I run a homelab, and I detect and mitigate a law enforcement connection to privately owned networks or devices, am I in violation of some Federal statute or precedent or court order unknown to me?

For protecting my own stuff from intrusion?

This is some murky territory opened up by this case, and we wouldn’t have even known about it had they not bragged about shutting down a botnet campaign. Points for blabbing disclosure, I guess.
