This is a Criminal Justice Report Summary of the application under Rule 41 for a search warrant to identify evidence of the crime. The summary was prepared using the outline method of note-taking: the main points were drawn from the original report and placed along the left margin, each answering one of the essential questions for the summary, with supporting information and details added under each point.
The essential questions that needed to be asked in order to gather the information included in the report were:
- Who or what is the target of the search warrant?
- What is the reason for the search?
- What is the evidence supporting this reason?
- Does the target of the search have the potential to be exposed to any harm?
- How will the search be executed?
- How can this search facilitate further investigation?
A Special Agent with the Federal Bureau of Investigation in Anchorage, Alaska, investigated the Kelihos botnet malware in connection with violations of Title 18, United States Code, Sections 1030, 1343, and 2511. The application for a warrant under Federal Rule of Criminal Procedure 41 sought authorization to disrupt the Kelihos botnet. The operation would also obtain the Internet Protocol addresses and associated routing information of computers infected with Kelihos malware, which would serve as evidence of crimes committed by Peter Yuryevich Levashov, a criminal hacker. The operation involves distributing updated peer lists, job messages, and IP filter lists to the infected computers. During the execution of the search, the content of the infected computers will be neither modified nor captured; the operation will only limit the infected computers' ability to interact with the Kelihos botnet.
Kelihos was determined to be a peer-to-peer botnet used to distribute spam emails in furtherance of criminal schemes, install malicious payloads, and harvest user credentials for the financial benefit of Levashov. Peter Yuryevich Levashov, a.k.a. "Petr Levashov," "Peter Severa," "Petr Severa," and "Sergey Astakhov," was determined to control Kelihos. The servers associated with the Kelihos botnet were identified as being located outside of the United States. In cooperation with international law enforcement partners, real-time data from those servers was obtained. It revealed multiple associations between the Kelihos malware, the servers connected to Kelihos, and Levashov, such as email addresses, Google and Apple accounts, and IP addresses. As a result, Peter Yuryevich Levashov of Saint Petersburg, Russia, was identified as the person offering to spread high volumes of malicious spam as a service.
The information in the report establishes probable cause to believe that the items to be searched are protected computers that have been damaged without authorization and are located in five or more judicial districts. The IP addresses of the Kelihos-infected computers can be determined. The presence of Kelihos on the targeted computers exposes the victims to significant potential harm and also makes them unwitting relays for spam sent to others.
Through this operation, the Federal Bureau of Investigation, with the assistance of private partners, will participate in the exchange of peer lists and job messages with the infected computers. By providing new routing information that points to a "sinkhole" server controlled by the Federal Bureau of Investigation, the Kelihos-infected computers will no longer receive instructions from the botnet and will cease the malicious activity directed through it. This will stop the most immediate harm under Levashov's control. Additionally, in order to prevent Levashov from recapturing the peers, certain domains used for that purpose must be kept out of the hacker's reach. A Temporary Restraining Order was sought as part of this action, denying Levashov access to these domains.
The report provides reasonable cause to deploy the updated peer lists and job messages to the Kelihos-infected computers without prior notice. Since giving notice could disclose the operation, Levashov or other criminal hackers operating at his direction could change the malware and destroy the evidence; the entire Kelihos botnet can be updated within 24 hours. Additionally, the report states the basis for seeking permission to execute the search at any time of day or night for 30 days after the warrant's authorization date, instead of within 14 days during the daytime. Since the timing of the infected computers' requests for peer lists is outside the investigators' control, this manner of execution causes no additional intrusiveness or inconvenience to anyone. The 30-day period was chosen because reaching the thousands of computers infected by Kelihos may take weeks.
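The operation summarized above, sinkholing a peer-to-peer botnet by distributing peer lists that route the infected computers to a law-enforcement sinkhole, is easier to reason about with a small model. The following is an added, constructed example written for this summary; it is not the FBI's tooling and not the real Kelihos protocol. The ring-shaped peer graph, the address strings, the placeholder "send_spam" job, and the fallback-domain recovery step are all assumptions chosen to illustrate two points from the report: the sinkhole learns only the requesting IP addresses while shutting off job messages, and without the Temporary Restraining Order on the recovery domains the operator can recapture the peers.

```python
"""Simplified simulation of sinkholing a peer-to-peer botnet by peer-list poisoning.

Constructed example: not the FBI's code and not the Kelihos protocol. The peer
graph, addresses, job names and fallback-domain step are illustrative assumptions.
"""
from dataclasses import dataclass, field

SINKHOLE = "sinkhole.example.invalid"         # assumed law-enforcement sinkhole address
OPERATOR = "operator.example.invalid"         # assumed operator node reached via fallback
FALLBACK_DOMAIN = "fallback.example.invalid"  # assumed recovery domain covered by the TRO


@dataclass
class Bot:
    ip: str
    peers: list                                # addresses asked for peer lists and jobs
    jobs: list = field(default_factory=lambda: ["send_spam"])  # placeholder job

    def sinkholed(self):
        return self.peers == [SINKHOLE]

    def reply(self):
        """Routing info this bot hands to any peer that asks it."""
        return {"peers": list(self.peers), "jobs": list(self.jobs)}


@dataclass
class Sinkhole:
    """Answers peer requests with routing info pointing only at itself and an empty
    job queue. It records the requester's IP and reads or changes nothing else."""
    seen_ips: set = field(default_factory=set)

    def reply(self, requester_ip):
        self.seen_ips.add(requester_ip)
        return {"peers": [SINKHOLE], "jobs": []}


def resolve_fallback(domain, seized_domains):
    """Stand-in for DNS: the operator node is reachable unless the domain is seized."""
    return None if domain in seized_domains else OPERATOR


def build_botnet(n, fanout=3):
    """Ring-shaped peer graph: bot i knows the next `fanout` bots (assumption that keeps
    the run deterministic and every bot reachable from every other)."""
    return [Bot(ip=f"10.0.0.{i}",
                peers=[f"10.0.0.{(i + d) % n}" for d in range(1, fanout + 1)])
            for i in range(n)]


def simulate(n=12, poisoned=(0, 6), rounds=8, tro_in_effect=True):
    """Run the takedown. `poisoned` are bots whose peer lists the sinkhole node has
    already joined by taking part in exchanges. Returns (bots, sinkhole)."""
    bots = build_botnet(n)
    by_ip = {b.ip: b for b in bots}
    sinkhole = Sinkhole()
    seized = {FALLBACK_DOMAIN} if tro_in_effect else set()
    for i in poisoned:
        bots[i].peers.append(SINKHOLE)

    for _ in range(rounds):
        # Exchange phase: every bot asks each peer it currently knows for an update.
        for bot in bots:
            for addr in list(bot.peers):
                if addr == SINKHOLE:
                    msg = sinkhole.reply(bot.ip)
                    bot.peers, bot.jobs = msg["peers"], msg["jobs"]
                    break                       # routing now points only at the sinkhole
                if addr == OPERATOR:
                    msg = {"peers": [OPERATOR], "jobs": ["send_spam"]}
                else:
                    msg = by_ip[addr].reply()
                bot.peers += [p for p in msg["peers"] if p not in bot.peers]
        # Recovery phase: a bot whose only route is the sinkhole tries the operator's
        # fallback domain. Under the TRO the domain does not resolve, so it stays put.
        for bot in bots:
            if bot.sinkholed():
                node = resolve_fallback(FALLBACK_DOMAIN, seized)
                if node is not None:
                    bot.peers, bot.jobs = [node], ["send_spam"]
    return bots, sinkhole


def takedown_report(bots, sinkhole):
    """Summarize the outcome: how many bots are neutralized and which IPs were seen."""
    return {
        "sinkholed": sum(b.sinkholed() for b in bots),
        "bots_with_jobs": sum(bool(b.jobs) for b in bots),
        "ips_identified": sorted(sinkhole.seen_ips),
    }


if __name__ == "__main__":
    for tro in (True, False):
        print("TRO in effect:", tro, takedown_report(*simulate(tro_in_effect=tro)))
```

Running it with the TRO in effect ends with all twelve constructed bots routed only to the sinkhole, no jobs, and every infected IP recorded; with the fallback domain left in the operator's hands, each bot that reaches the sinkhole is pulled back to the operator the same round, so the sinkhole still learns the IPs but the disruption does not hold. That difference is the reason the summary pairs the warrant with the restraining order on the recovery domains.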
According to the report, successful execution of the search will yield additional information about Levashov and his Kelihos botnet. Moreover, the operation will relieve the victims of further harm caused by the Kelihos malware. The information gathered can be used in the follow-up investigation of Levashov and his possible associates, and in determining how to stop their future malicious activities.