AO 106 (Rev. 04/10) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the District of Alaska

In the Matter of the Search of (briefly describe the property to be searched or identify the person by name and address):
In re Application for a Warrant Under Rule 41 of the Federal Rules of Criminal Procedure to Disrupt the Kelihos Botnet

Case No. 3:18-mj-00324-DMS

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location):

See Attachment A, incorporated here by reference,

located in the District of Alaska, there is now concealed (identify the person or describe the property to be seized):

See Attachment B, incorporated here by reference.

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
- evidence of a crime;
- contraband, fruits of crime, or other items illegally possessed;
- property designed for use, intended for use, or used in committing a crime;
- a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:
Code Section: 18 U.S.C. §§ 1030, 1343 and 2511
Offense Description: Fraud and related activity in connection with computers, wire fraud, and illegal wiretapping

The application is based on these facts:
See attached Affidavit in Support of Search Warrant.

Continued on the attached sheet.
Delayed notice of ___ days (give exact ending date if more than 30 days: ______) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Applicant's signature: [signed]
Printed name and title: Elliott Peterson, Special Agent

Sworn to before me and signed in my presence.

Date: [not legible in scan]
City and state: Anchorage, Alaska
Judge's signature: [signed]
Printed name and title: Hon. Deborah M. Smith, United States Magistrate Judge

DEBORAH M. SMITH
CHIEF U.S. MAGISTRATE JUDGE
SIGNATURE REDACTED

IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ALASKA

IN RE APPLICATION FOR A WARRANT UNDER RULE 41 OF THE FEDERAL RULES OF CRIMINAL PROCEDURE TO DISRUPT THE KELIHOS BOTNET

Case No. 3:18-mj-00324-DMS
MAY 30 2018

AFFIDAVIT IN SUPPORT OF AN APPLICATION UNDER RULE 41 FOR A SEARCH WARRANT

I, Elliott Peterson, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I am a Special Agent with the Federal Bureau of Investigation in Anchorage, Alaska. I currently investigate criminal and national security computer intrusions in the Anchorage Field Office as a member of the Counter Intelligence Cyber Squad. I have investigated cyber and computer intrusion matters for over five years, and I specialize in the investigation of complex botnets, including Peer to Peer botnets as well as botnets facilitating account takeover fraud and Distributed Denial of Service (DDoS) attacks.

2. I make this affidavit in support of an application for a warrant under Federal Rule of Criminal Procedure 41 to authorize an online operation to disrupt the Kelihos botnet, currently under the control of Peter Yuryevich LEVASHOV, a criminal hacker. The operation, which is particularly described in Attachment A and Attachment B, involves the distribution of updated peer lists, job messages and/or IP filter lists (further described in Attachment B) to the TARGET COMPUTERS currently infected with the Kelihos botnet malware, in violation of Title 18, United States Code, Sections 1030, 1343 and 2511, as described in Attachment A. This operation will also obtain the Internet Protocol addresses and associated routing information of those infected computers, and those addresses are evidence of crimes committed by LEVASHOV. A PRTT order has been issued for the purpose of attaining those IP addresses and associated routing information. This operation will not capture content
from the TARGET COMPUTERS or modify them in any other capacity, except limiting the TARGET COMPUTERS' ability to interact with the Kelihos botnet. This limitation is achieved through the distribution of peer lists and job messages described below.

3. Unless otherwise noted, the following information was obtained by your affiant, other special agents and officers of the Federal Bureau of Investigation (FBI), third-party witness interviews, and/or from other law enforcement officers who conducted additional investigation into the subject matter of this criminal enterprise, all of whom I believe to be truthful and reliable.

TECHNICAL DEFINITIONS

4. As used herein, the following terms have the following meanings:

a. "Malware" is malicious software, usually loaded onto a computer without the knowledge of the computer's owner or user. For example, computer viruses are malware.

b. A "botnet" is a network of computers that cybercriminals have infected with malware that gives a cybercriminal access to each computer and allows a cybercriminal to control each computer remotely.

c. An "Internet Protocol (IP) address" is the globally unique address of a computer or other device connected to a network and is used to route Internet communications to and from the computer or other device.

d. "Peer to peer" refers to a means of networking computers such that they communicate directly with each other rather than through a centralized management point.

PROBABLE CAUSE

5. There is probable cause to believe that the TARGET COMPUTERS identified in Attachment A are infected by malicious software that causes them to collectively receive and obey commands from a common command and control infrastructure controlled by LEVASHOV, forming a botnet that has been named Kelihos.

6. I have determined that Kelihos is a Peer to Peer botnet whose principal functions are to (1) distribute high volumes of spam email to further criminal schemes, (2) install malicious payloads such as ransomware,
and (3) harvest user credentials from infected computers. Each of these schemes is conducted for the financial benefit of LEVASHOV and other cybercriminals.

7. Based upon the investigation described below, I believe that Kelihos is operated and controlled by an individual identified as Peter Yuryevich LEVASHOV, a.k.a. Petr LEVASHOV, Peter Severa, Petr Severa, and Sergey Astakhov. I am aware that on or about April 7, 2017, LEVASHOV was arrested in Spain and remains detained in Spain.[1] On April 20, 2017, the District of Connecticut unsealed an indictment charging LEVASHOV in 3:17CR83 with offenses related to the activities described in this affidavit. I have also determined that the botnet has been used for the financial benefit of LEVASHOV and other cybercriminals.

Footnote 1: I am also aware that an indictment was filed in 2007 in the Eastern District of Michigan for conspiracy to commit electronic mail fraud, mail fraud and wire fraud in violation of 18 U.S.C. §§ 371, 1037(a)(2)-(a)(3), 1037(b)(2)(C), 1341 and 1343, and several substantive counts of violating 18 U.S.C. §§ 1037(a)(2), 1037(b)(2)(C) and Section 2. That indictment remains pending. I am also aware that a criminal complaint filed in the U.S. District Court for the District of Columbia in 2009 charged LEVASHOV in his true name with two substantive counts of violating 18 U.S.C. §§ 1030(a)(5)(A)(i), 1030(a)(5)(B)(i), 1030(a)(5)(A)(i) and 1030(a)(5)(B)(v), as well as one count of conspiracy to commit these offenses in violation of 18 U.S.C. § 371. These charges resulted from LEVASHOV's operating the Storm Botnet from January 2007 until September 22, 2008. That botnet, like that which is the subject of this prosecution, sent spam to facilitate pump and dump schemes and the purchase of grey market pharmaceuticals. Because the government was unable to apprehend and detain LEVASHOV, it dismissed the complaint in 2014.

8. In February 2018, LEVASHOV entered U.S. custody in New Haven, Connecticut.

9. I have also determined that, in addition to distributing spam email, the Kelihos botnet functions to harvest user credentials and distribute malicious payloads including ransomware, as well as facilitating other schemes meant to enrich LEVASHOV. These activities will be described more fully in subsequent paragraphs.

10. Based on my investigation to date, I have observed that the number of computers infected with Kelihos at any one time can vary. At times, over 100,000 computers have been simultaneously infected worldwide with Kelihos. When the initial warrant in this case was issued, there were between 25,000 and 100,000 infected computers, approximately 5-10% of which were computers located in the United States. Based on my review of computers which are infected with the Kelihos malware, and conversations with other FBI agents and computer security researchers who have investigated the code used to create the Kelihos botnet, I know that it can be difficult for computer users to detect Kelihos infections. Kelihos is designed to persist on a victim's computer despite any overt actions by the victim to remove it. For example, the first time that Kelihos runs, it sets its property setting to "invisible" so that it cannot be seen or manipulated by the victim. Based on my investigation and the investigation of others, I have found evidence of computers infected with Kelihos throughout the United States, including the District of Alaska, the District of Connecticut, the Western District of Washington, the Central District of California, the Southern District of New York and the Northern District of California.

A. OPERATION OF THE KELIHOS BOTNET

11. As described above, Kelihos utilizes Peer to Peer (P2P) connectivity. Instead of utilizing a traditional Command and Control (C2) server to control all of the bots, control is distributed across the entire infection base. The P2P design prevents law enforcement from merely taking over the C2 server and gaining immediate control of the entire botnet.
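Illustrative model (added here; it is not part of the affidavit and not Kelihos's own code): the following Python simulates the peer-list exchange and fallback behaviour that paragraphs 12 through 14 and 23 below describe. The addresses (RFC 5737 documentation ranges), the single fallback domain label, the first-come merge order with no eviction, and the idea that a fallback domain simply hands back a peer list are assumptions made so the mechanism can be run; the affidavit establishes only the router/worker split, the check-in exchange, the 3,000-entry cap and the existence of hard-coded fallback domains.

```python
"""Model of the peer-list exchange and fallback described in paragraphs 12-14 and 23.

Added illustration, not code from the affidavit or from Kelihos. Assumptions:
addresses are plain strings, a node merges received addresses in the order
received and never evicts, and a fallback domain answers with a peer list.
Only the router/worker split, the exchange, the 3,000-entry cap and the
hard-coded fallback domains come from the affidavit.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable

MAX_PEERS = 3000  # cap stated in paragraph 14


@dataclass
class Node:
    addr: str                       # the node's own address (assumption: a string label)
    public_ip: bool                 # True for a router node, False for a worker behind NAT
    peers: list[str] = field(default_factory=list)      # ordered peer list, no duplicates
    fallback_domains: tuple[str, ...] = ()              # hard-coded "Golden Parachute" names

    def merge_peers(self, received: Iterable[str]) -> int:
        """Add addresses this node does not yet know until the cap is reached.

        Returns how many were added. Order and no-eviction are assumptions.
        """
        known = set(self.peers)
        added = 0
        for a in received:
            if len(self.peers) >= MAX_PEERS:
                break                       # list full: nothing more is accepted
            if a == self.addr or a in known:
                continue
            self.peers.append(a)
            known.add(a)
            added += 1
        return added


def exchange(worker: Node, router: Node) -> tuple[int, int]:
    """One check-in: worker and router swap peer lists and each merges the other's."""
    if not router.public_ip:
        raise ValueError("only router nodes (public IP) can be contacted directly")
    learned_by_worker = worker.merge_peers([router.addr, *router.peers])
    learned_by_router = router.merge_peers(worker.peers)
    return learned_by_worker, learned_by_router


def check_in(worker: Node, online: dict[str, Node]) -> str:
    """Contact the first listed peer that answers; with no peer, use fallback domains.

    `online` maps reachable addresses/domains to nodes (constructed for the model).
    Returns which address or domain was used, or "" if nothing answered.
    """
    for a in list(worker.peers):            # copy: exchange() appends to worker.peers
        router = online.get(a)
        if router is not None and router.public_ip:
            exchange(worker, router)
            return a
    for domain in worker.fallback_domains:  # no peer answered: paragraph 23 behaviour
        parachute = online.get(domain)
        if parachute is not None:
            worker.merge_peers(parachute.peers)
            return domain
    return ""


def demo() -> dict[str, object]:
    """Constructed scenario: five routers, one worker, then the routers vanish."""
    routers = {f"203.0.113.{i}": Node(f"203.0.113.{i}", True) for i in range(1, 6)}
    for r in routers.values():                   # routers already know one another
        r.merge_peers(a for a in routers if a != r.addr)
    worker = Node("192.168.1.10", False, peers=["203.0.113.1"],
                  fallback_domains=("gorodkoff[.]com",))   # domain name from paragraph 23
    contacted = check_in(worker, routers)
    after_checkin = len(worker.peers)

    # All routers offline; only the fallback domain answers, handing out a fresh peer.
    parachute = Node("gorodkoff[.]com", True, peers=["203.0.113.9"])
    used = check_in(worker, {"gorodkoff[.]com": parachute})
    after_fallback = len(worker.peers)

    # A list already holding MAX_PEERS entries accepts nothing further.
    full = Node("192.168.1.11", False,
                peers=[f"10.0.{i // 256}.{i % 256}" for i in range(MAX_PEERS)])
    added_when_full = full.merge_peers(["203.0.113.1"])

    return {"contacted": contacted, "peers_after_checkin": after_checkin,
            "fallback_used": used, "peers_after_fallback": after_fallback,
            "added_when_full": added_when_full}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows a worker that knew one router learn the others from a single check-in, reach the fallback domain once every listed peer is silent, and, once its list holds 3,000 entries, accept no further addresses. That last point is what makes the composition of the peer lists a node receives matter: under this model the entries that arrive first occupy the finite list, and a node whose list is full cannot learn new peers until entries leave it (how Kelihos ages out entries is not stated in the affidavit).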
12. Kelihos infects computers and divides them into two groups: router nodes and worker nodes. Router nodes are so named based upon their ability to route communications directly to both backend servers as well as other infected peers. Router nodes are Kelihos infections that have publicly accessible IP addresses. Router nodes are important to Kelihos as they permit direct communication to the infected computer. Router nodes comprise approximately 10% of the Kelihos botnet.

13. In contrast, worker nodes comprise 90% of the Kelihos botnet and utilize private IP addresses. Most internet enabled devices utilize private IP addresses, as they are separated from the Internet by one or more networking devices. For example, in many U.S. households a Wi-Fi router is connected directly to a cable or DSL modem. This Wi-Fi router would then be assigned the household's public IP address. Each device then connected to the Wi-Fi router would be assigned a private IP address. Worker nodes are harder to maintain for the botnet operator, as they are not directly accessible like a router node with a public IP address would be.

14. To counteract the difficulty of contacting worker nodes with private IP addresses, Kelihos commands its worker nodes to check in regularly with the router nodes. That check in takes the form of exchanging peer lists and job messages. Peer lists maintain the IP addresses of other Kelihos infections, that is, an infected computer's peers. This information informs each peer who else it can communicate with. Then, when a set amount of time has passed, the worker node will contact another router node to exchange data, including each other's peer lists. In response, the worker node then compares its own peer list with the received peer list and updates its own peer list with new IP addresses until it reaches a maximum number of 3,000.

1. Overview of Kelihos's Spam Distribution

15. Based upon my
training and experience, I know that spam email messages distributed by botnets such as Kelihos are intended to facilitate various activities, including the sale of grey market pharmaceuticals, the manipulation of thinly-traded securities, the solicitation of fraudulent affiliate and work from home schemes, and the distribution of malicious payloads such as ransomware. Spam emails directing the recipients to participate in all of these schemes have been directed to Alaskan recipients.

16. For example, Kelihos generates massive volumes of spam emails directing recipients to web sites advertising the sale of branded pharmaceuticals. Based upon my training and experience, I know that many of these branded pharmaceuticals normally require prescriptions. Additionally, I know that the pharmaceuticals are offered at or below market rates, indicating that they are likely counterfeit.

17. Kelihos also distributes high volumes of emails intended to manipulate the value of thinly-traded securities, including so-called penny stocks. In these messages the recipient is led to believe that a specific stock will soon trade at a much higher value. For example, one email I reviewed stated that it was an "Advanced Trading Alert Notice" with a "hot pick that will gain 100%". The email urges recipients to acquire a specific thinly-traded security on March 1 and receive 100% profit. Another email stated: "Don't you crave to purchase a deal at $0.07 and cash at $.21? 200% gains, simple! Get the stock. See current ask is 0.21, it's 200% than the todays bid. On Monday they will announce big news and it sure spike to 21. Start buying quick." Because these emails target stocks which generally experience very low trade volume, they are vulnerable to price manipulation associated with small increases in trade volume.

18. Spam distributed by Kelihos is also a primary vector for affiliate recruitment scams, commonly called "work from home". In these messages the unwitting recipient is
directed to an email address or website from which they can receive more information about performing escrow or private buyer services. I have previously investigated these types of schemes and know them to principally be vehicles to further money laundering. For example, in an escrow scheme, individuals are instructed to receive and transfer funds in short time periods, often 1-3 days. The incoming funds are usually proceeds of other criminal schemes, which are then laundered through the unwitting recipient's bank account. Due to the short time period from which money is received and then resent, the victim often is left responsible for the full amount laundered through their accounts after the financial institution detects the fraud and ceases further payment. These email schemes are also evidence of larger wire fraud schemes, as they make fraudulent claims of profit and opportunity or sell fraudulent goods and drugs.

19. As described in greater detail below, I know that Kelihos distributes spam in at least two distinct ways. FBI personnel have observed Kelihos distribute spam from infected computers directly. Kelihos can command infected computers to function, in essence, as mail servers and distribute spam to recipient email addresses passed to the computer from the botnet. In these cases, Kelihos uses email addresses and randomly generated first and last name combinations not obviously associated with the true account from which the spam was sent. Known as "spoofing", the result is that the spam will be made to appear to come from [user name]@gmail.com when in reality it was sent by an infected computer with no association to the referenced email account. Kelihos accomplishes this by manually editing the header information. The spoofing makes the spam much more difficult to detect and block, while also concealing the true origins of the email messages. Kelihos can also send spam directly from mail servers, such as those owned by
Earthlink or 1&1 Mail & Media, by gaining unauthorized access to them through the use of authentic email addresses and passwords harvested by Kelihos. In those instances, the spam is in essence sent from the victim's email address through the mail server, but without the victim's knowledge or authorization.

2. Kelihos Distributes Malicious Payloads

20. In addition to sending spam emails with URL hyperlinks that cause the downloading of malware, the Kelihos botnet can also command infected computers to download and execute malware directly. By commanding Kelihos victims to download and execute malware, Kelihos can retain near total control of the victim's computer system by infecting them with payloads that can include banking trojans (malware designed to steal financial credentials) and ransomware (malware that encrypts the contents of a computer and then seeks a ransom payment in exchange for decryption). Based on ongoing FBI investigations and experience, I am aware that LEVASHOV will receive payment from other cybercriminals in exchange for distributing malicious payloads to infected computers within his botnet. This allows LEVASHOV to monetize his botnet beyond the distribution of spam.

3. Kelihos Harvests Credentials

21. In addition to distributing spam email and malicious payloads, Kelihos malware also harvests user credentials from victim computers through a number of methods. First, Kelihos searches text-based files stored on victim computers for email addresses. Second, Kelihos searches locations on victim computers for files known to contain usernames and passwords, including files associated with Internet browsers (Chrome, Firefox and Internet Explorer). Any email addresses and passwords located in these searches are harvested by Kelihos and subsequently transmitted back to LEVASHOV.

22. To capture additional user credentials, Kelihos installs a software program called WinPcap on infected machines. WinPcap is a powerful packet capture
utility that intercepts, in real time, electronic communications traversing the victim computer's network card. Usernames and passwords found within this network traffic are transmitted back to LEVASHOV.

B. KELIHOS RESEARCH, TESTING AND EVIDENCE OF CRIMES

23. Many techniques were utilized to analyze and study the Kelihos malware. One of the first steps was to gather appropriate samples of the malware. One feature of the Kelihos botnet circa 2015 is that the Kelihos malware could be downloaded directly from backend servers. A specific type of backend server was described by Kelihos administrators as "Golden Parachute Domains". I believe that the naming convention relates to the role these servers play as redundant mechanisms of command and control. When a computer infected with Kelihos can no longer communicate with any other peer infections, it is programmed to reach out to domains (websites) that are hardcoded into its configuration. These domains, the Golden Parachutes, provide a peer list to the infected computer so that it can regain communication with other infected peers. For the purposes of this affidavit, there are at least three such domains presently relevant to the functioning of the Kelihos botnet: gorodkoff[.]com, goloduha[.]info and combach[.]com.[2] In addition to providing peer lists, research has shown that these Golden Parachute Domains were at times configured to distribute Kelihos malware.

24. Kelihos, like many malware families, uses an affiliate client system. At any given time there appear to be ten to twenty separate Kelihos affiliates. These affiliates are paid by LEVASHOV to infect computers with his Kelihos malware. The affiliates are paid according to the number of victims they infect and where those victims are located. I am aware of the affiliate model because I previously downloaded LEVASHOV's pricing structure from a website known as Smoney that LEVASHOV maintained. A webpage labeled loads01_rules.html listed
instructions for affiliates as well as the payment rate per 1,000 infections.

Footnote 2: While the actual web addresses do not include the brackets, I have added them here to avoid accidental hyperlinking to these sites.

25. Based on my investigation to date, I have determined that Kelihos, like many botnet families, prioritizes the infection of U.S. victims. This can be seen in the higher rates paid for U.S. victims. Based on my training and experience, I believe U.S. infections are prized by LEVASHOV because many of his schemes are directed against an English speaking audience, and U.S. IP addresses tend to be trusted by many firewalls and spam detection systems.

26. In September 2015, I downloaded Kelihos malware directly from gorodkoff[.]com. I downloaded the malware by querying the server according to the following format: gorodkoff[.]com/[affiliateID].exe. I was able to determine the affiliate IDs because the Smoney website maintained a full listing of active affiliates. For example, one such affiliate was "boxi002". By issuing a query for gorodkoff[.]com/boxi002.exe, I downloaded a Windows executable named boxi002.exe. Subsequent analysis of this executable determined that it was in fact the Kelihos malware. This analysis was based upon comparing characteristics of the downloaded malware to known characteristics of the Kelihos malware. In this case, the downloaded boxi002.exe file interacted with the Windows Registry in a manner identical to Kelihos. That is, key registry values were modified so that the executable would be loaded each time the system started up. This occurs without the consent of the legitimate user and is a persistence mechanism designed to ensure that Kelihos remains on the victim's computer despite any overt actions by the victim to remove the malware.

27. My conclusions were similar to those of agents with the FBI's New Haven, Connecticut Field Office, who have also examined the Kelihos malware. The New Haven Field
Office conducted additional testing and activated a sample of the Kelihos malware, and observed the infected computer attempting to send high volumes of spam emails. Many of those emails supported a pump and dump scheme for a penny stock related to a known company, KCI.

28. Through coordination with international law enforcement partners, I have monitored live traffic related to backend servers maintained by LEVASHOV in furtherance of the Kelihos scheme. In doing so, I observed commands issued from those servers to Kelihos infected computers. Many of those commands, or job messages, included commands to distribute emails relating to KCI. The emails suggested to the recipients that the stock would significantly increase in value in the short term.

29. The investigation by FBI's New Haven Division also revealed the extent to which Kelihos harvests credentials from infected computers. Kelihos searches specific locations on computers for files known to contain usernames and passwords, including locations which store such data for several common internet browsers, including Chrome, Firefox and Internet Explorer. New Haven Division stored a fictitious email address and password in Internet Explorer on an infected FBI computer. Shortly after Kelihos was installed, this username and password was observed within Kelihos's process memory, indicating that it had been identified and harvested.

30. Kelihos also searches for usernames and passwords for Windows programs that use File Transfer Protocol (FTP). As its name suggests, FTP is a standard network protocol used for the transfer of computer files between computers. For example, pictures located on a computer could be backed up to a server in another location using FTP functionality. New Haven Division stored a FTP username and password combination on an infected FBI computer, and the username and password were observed in Kelihos process memory.

31. Finally, the New Haven Division observed that Kelihos installed on an
FBI computer a software program called WinPcap, which is able to intercept and examine electronic communications traversing the computer's network card in a Windows computer. They observed Kelihos commanding WinPcap to intercept the contents of all incoming and outgoing network traffic on an infected computer. More specifically, Kelihos used this WinPcap functionality to search for email usernames and passwords in the self-infections' network traffic.

C. EVIDENCE ESTABLISHING LEVASHOV'S CONTROL OF KELIHOS

32. In cooperation with private sector partners, I previously identified two servers associated with the Kelihos botnet. Both were located outside the United States. In cooperation with international law enforcement partners, I received real-time data from those servers which revealed multiple associations between the Kelihos malware, servers connected to Kelihos, and LEVASHOV.

33. One of the servers, bearing the IP address 94.242.250.88, functioned as a portion of the Kelihos backend. Additionally, it was utilized by LEVASHOV as a proxy, meaning that some portion of his Internet activities are directed through the server. As a result of this configuration, I have been able to observe backend panels, or websites that provide status updates on the Kelihos botnet. Panels such as this are very commonly encountered in the investigation of botnets, as they facilitate the operator's administration and troubleshooting of the botnet.

34. In this case, the Kelihos panel is constructed as a website and includes information such as the status of its servers and the status of the Golden Parachute Domains. gorodkoff[.]com, goloduha[.]info, combach[.]com and others are specifically referenced, with color codes used to indicate their readiness status. Another portion of the webpage shows various backend servers, the spam messages they are being used to distribute, and data such as the speed at which the messages are being distributed. For example, as shown below, the email
lists being utilized are pharma_b and pharma trade. This is the same list described below in the Jurisdiction section of this affidavit, which contained thousands of entries for Alaskan email addresses.

    Ip: 193.28.179.38    Sat, 20 Feb 16 18:25:29 0400
    List: lists pharma_b pharma trade
    Body: Perfect method to ha ... ldrugmarket.ru
    Subject: Do you wan ... his night
    Counter: 712910562 / 1424874532    Speed: 79677 m/h

    Ip: 176.103.48.27    Sat, 20 Feb 16 18:47:54 0400
    List: pharma_b pharma trade
    Body: Giveto your babe nig ... ng hxilgusk.ru
    Subject: Evoke your admiration
    Counter: 608715981 / 1424874532    Speed: 10323 m/h

35. Other portions of the Kelihos panel include antivirus and blacklisting reports. This indicates that the operator can actively monitor whether or not their various servers have been identified by antivirus or other blacklisting services. This is important for the operator, as blacklisting could reduce the reliability of their botnet. For example, the panel indicated that both of the servers referenced above appear to be tracked by at least one antivirus vendor.

36. Additionally, the server appeared to contain copies of many of the spam email messages distributed by Kelihos. Subject lines of emails that appear to have been sent to email accounts, including many hosted by Alaskan ISP General Communication Inc. (gci.net), include "Very good way to reveal your intimate life", "No amorous failure risk", "Attack your woman harder" and "Are you ready to please your female partner tonight". These emails contained links to websites that appear to facilitate the purchase of gray market pharmaceuticals.

37. Also appearing to have been sent to gci.net email accounts were emails with the subject lines "This Company looks ready for a major run this week", "Big Gainers Since My Alert", "It is about to wake up and ROAR" and "Its trading levels could change in no time MUST READ". The content of all of these emails was similar, as they are intended to persuade the recipient to purchase a
specific U.S. listed stock. For example, one email's content listed: "This Stock is our New WILD Sub-Penny Pick. Get Ready for Multi-Bagger Gains. Top 10 Reasons Why We Love This Pick. Company Name: KCI. Traded as: KCI. Long Term Target: $1.70. Trade Date: February 29th. Closed at: 0.30."

38. These spam emails facilitate pump and dump stock schemes, as previously described in this affidavit. I have examined historical prices for several stocks for which Kelihos has conducted spam email campaigns and noted that such campaigns usually result in a temporary increase of the stock price of anywhere from 30 to 80 percent.

39. In addition to the explicit Kelihos activity on the server, I observed that this server was utilized thousands of times to log into the mail.ru website tied to the email account pete777@mail.ru. Based on my training and experience, this indicates that the user of the Kelihos server was also utilizing the email pete777@mail.ru. The website 3038.org/listn.html associates this email address with "Pete LEVASHOV", a websmith and programmer located in Russia with a date of birth of 8/13/1980. The website 3038.org appears to be the website for a high school in St. Petersburg, Russia, that focuses on mathematics and physics.

40. The email address pete777@mail.ru is also associated with an Apple iCloud account in the name of Petr LEVASHOV. According to Apple's records, LEVASHOV is a resident of the Russian Federation. A second email address is also associated with this iCloud account: levashov@knyazev-spb.ru. Apple subscriber information indicates that this account was registered with Apple using the IP address 83.243.67.25. Moreover, Apple's records list the Apple Digital Signaling Identifier (DSID) 1972828024 with pete777@mail.ru's account. An Apple DSID is a unique ID assigned to a user when registering with Apple's iCloud service.

41. 83.243.67.25 is the same IP address utilized to register the Google account
peteknyazev777@gmail.com. The accounts peteknyazev777@gmail.com and Apple DSID 1972828024 share extensive overlap of IP addresses utilized to access these accounts, including 91.122.62.16. Additionally, access logs from Apple and Google indicate that these accounts share temporal overlap with IP addresses as well, meaning that the same IP addresses are utilized during similar time periods. Based upon my training and experience, common IP addresses, particularly during the same time period, suggest that the same individual is accessing both accounts.

42. The IP address 91.122.62.16 was also used by LEVASHOV to negotiate the purchase of a digital certificate from the company GeoTrust. An email was sent from renew@geotrust.com to petr@hottaby4.ru on November 23, 2016. This email referenced an order for a "Rapid Wildcard" certificate. These records were subsequently attained by agents within FBI's New Haven Division and indicate that a customer named Peter LEVASHOV of Saint Petersburg, Russia, initiated an order for the certificates utilizing the IP address 91.122.62.16. Moreover, the certificate order was then completed minutes later utilizing the IP address 94.242.250.88. 94.242.250.88 is the same IP address utilized thousands of times to log into the aforementioned pete777@mail.ru email account. This evidence of other use of the same IP by LEVASHOV is further evidence that LEVASHOV is utilizing both the Kelihos server and the Google and Apple accounts which point to him.

43. Furthermore, Foursquare, a social media application that provides recommendations on restaurants and shopping establishments to users, possessed records for an account in the name Petr LEVASHOV registered with email address pete777@mail.ru. This account also displayed the same pattern of temporal overlap within the IP access logs when compared to the previously mentioned Apple and Google accounts. Again, this indicates the account is likely used by LEVASHOV.

44. One IP address
appearing within LEVASHOV's Foursquare account is 85.17.31.90. This IP address also appears within LEVASHOV's Apple DSID iCloud account 1972828024 and the Google account pr@hottaby4.ru. Google records from 2016 indicate that pr@hottaby4.ru had been accessed by only two other IPs, one of which is the Kelihos server IP address 94.242.250.88.

45. The server corresponding to IP address 94.242.250.88 also contained many references to LEVASHOV. For example, an email sent on February 26, 2016, from no_reply@email.apple.com to petr@hottaby4.ru with the subject line "Your app iOS status is In Review" is addressed to "Petr LEVASHOV" and contains a status update on an iOS application. There are many such emails sent from this Apple email account to petr@hottaby4.ru.

46. Furthermore, analysis of data provided by Google revealed that on or about June 4, 2013, the following search terms, "kelihos" and "kelihos f", were attributed to the account peteknyazev777@gmail.com. Further analysis of the data provided by Google showed that the cellphone number associated to this Google account is LEVASHOV's mobile number ending in 0594, as indicated in Apple records. Based upon my training and experience, I know that it is common for individuals operating botnets to conduct searches for their malware.

47. It is also common for criminals engaged in cybercrime to utilize nicknames, especially on the criminal forums on which they exchange data on criminal techniques and offer products and services for sale. The use of nicknames allows them to protect their true identity while still allowing for the benefits of name and product recognition. While there are a large number of Internet forums devoted to the exchange of criminal services and techniques, many criminals will use the same nickname on different forums. This is likely due to perceptions of anonymity as well as the reliance upon reputations tied to nicknames. In these communities, actors are known principally by
either their given nickname or an email, Jabber, or ICQ handle. Jabber and ICQ are chat applications. These reputations become important both in the exchange of data and access to marketplaces in which products and services are sold. LEVASHOV utilized multiple nicknames, but the most common was "Severa" or "Peter Severa".

48. Upon examination of many criminal forum accounts in the name "Severa", I have noted that in the majority the ICQ number 104967 has been utilized since at least 2010. ICQ is a popular Internet instant message service in which users are identified by unique numerical values known as ICQ numbers. Based upon my training and experience, I know that online monikers such as ICQ numbers are rarely changed or transferred by online criminals. Therefore, I conclude that the combination of an identical ICQ number and nickname are indicative of the same individual accessing and utilizing these accounts.

49. Severa has used this ICQ number to advertise his botnets. For instance, in May 2015 the FBI received the following information pertaining to a vendor on the Russian criminal site Korovka.cc. The vendor was advertising webmailer email spam capability, and the information he provided read as follows:

Username: Severa
Registration: 12/2/2011
Jabber contact: jabber@honese.com
ICQ: 104967
Service: Email spam
Details: The service was offered since 1999 and delivered spam to a recipient's inbox. Every spam launched used several thousand clean IP addresses and accounts. Unique algorithms and technologies were constantly improved. Seller has US and Europe email databases for spam and fresh databases received daily. Prices per million spam delivered were $200 USD (legal advertisement: adult, mortgage leads, pills, replies, etc.), $300 USD (job spam: drops, mules, employment), and $500 USD (scam, phishing attacks).

50. This information conveyed that Severa's spamming was superior to that of his competition and would be less likely to be detected, clean IP addresses
and accounts and unique algorithms, and that he had been doing this for a long time, since 1999.

51. The nickname Severa and communication accounts such as jabber@honese.com appeared frequently on the servers wiretapped by international law enforcement partners. Jabber@honese.com is an XMPP account. XMPP is a type of instant messaging service widely utilized on the internet. Because such servers can be individually hosted and managed, rather than hosted and managed by a company such as Google, they are often trusted by criminal actors.

52. Similarly, on or about January 14, 2017, Severa posted the following advertisement[3] on an online forum called Club2CRD:

Hello. I am offering my spamming service via electronic mail to everybody who is interested. I have been serving you since the distant year 1999, and during these years there has not been a single day that I keep still, by constantly improving quality of spamming. Now at your service there is the only one in the world unique technology of spamming via electronic mail, which provides maximum possible probability of delivering your message to the final recipient. Today I conduct all spamming via webmail. Each spamming is being done from dozens of thousands of clean IP addresses and accounts. To generate a message there are used unique algorithms and technologies which I have been constantly developing and improving. Every spamming is being automatically monitored for quality, with regular automatic spamming and running test messages. I conduct spamming on my databases of USA (PH), Europe, or other countries you are interested in. I am constantly collecting and testing new addresses from different sources. Databases are updated daily, and I have enough of collected volume in order to provide individual databases of addresses for each new spamming. The prices for one spamming for a million of delivered messages are: $200.00 - legal advertising (adult, mortgage (PH), leads, pills (PH), replication (PH), and etc.); $300.00 - drops, also
known as employment spam; $500.00 - scam, phishing. I am interested in large clients, and I actively incentive that with large discounts. The larger is the order volume, the bigger is a discount. Discounts start just at two million, and they may exceed 50%. Verify prices for any amount more than one million. For contact use Jabber (XMPP): jabber@honese.com. An alternative communication channel is ICQ: 104967. I always welcome new and old clients, as well as feedback. Good luck and keep it up. Petr Severa

[3] The advertisement, which was written in Russian, was later translated into English by an FBI linguist. The references in the advertisement to "PH" are those of the linguist and reflect that a word has been translated phonetically.

53. LEVASHOV continues to use the nickname Severa in operation of the Kelihos botnet. On or about March 20, 2017, an individual known to law enforcement contacted LEVASHOV, who is currently believed to be traveling outside of Russia, via a chat application to express interest in purchasing one or more spam deliveries. Upon an initial inquiry looking for the services of Peter Severa and a request to confirm pricing and services offered, LEVASHOV responded on March 21, 2017: "Hi I am Peter Severa I were away what do you want to send job offers dating phishing malware or what".

54. In subsequent exchanges between Severa and the individual on March 20, 2017, Severa stated that he accepts bitcoins. Job offers - which I know, based on my training and experience, refers to money mule solicitations[4] - were priced at 300 usd per 1 million emails, 450 per 2 million. However, Severa also indicated price differentials for different kinds of spam deliveries ("phishing scam etc 500 usd per 1 mil 750 per 2"). Severa also confirmed that the individual could purchase spam to be sent only to a specific country, including the United States. Severa stated "i need just payment and letter to start" and instructed that "After payment put it to archive with password and upload to sendspace.com". According to sendspace.com's website, "Sendspace is the best way to send large files too big for email attachments to friends, family and businesses anywhere in the world." Severa also indicated that he has "10-15 orders daily".

[4] A mule, or money mule, is an individual who is used to transport or launder stolen money in furtherance of criminal activity and its related organizations. These individuals can be either wittingly or unwittingly participating in the fraud.

55. On or about March 21, 2017, the individual paid Severa in bitcoin to purchase a spam campaign to be directed at the United States. The spam email submitted to Severa included a link to a website advertising work from home job opportunities. Severa responded that the "Mailing takes 3-4 hours but response can come during 2-4 days people don't read emails instantly". He again reiterated that he has "10-15 orders daily".

56. The individual then asked Severa, "I had client recontact me about ransomware you can do". Within approximately twenty minutes, Severa responded via chat:

I do mailings for installs it costs 500 usd per 1 million emails 750 usd per 2 mil 1k per 3 mil I can't send attached file inbox on volume nobody can now so send letter just with link to file or landing I need just payment and letter to start you need fresh text which never sent before and you should randomize it by synonyms by my template You can use synonym.com service to find variants You can do html message but images only by links not attachments

Template:
Spam | Blackmailing | Phishing Mailing is good | very good | the best. Always send | use | order | ask for it | this |

Samples (don't write these, it's generating automatically):
1. Blackmailing is good. Always order it.
2. Phishing Mailing is the best. Always use it.
3. Spam is the best. Always send this.

57. Based on my training and experience and the exchange between Severa and this individual,
I believe that Severa's reference to "mailings for installs" refers to the distribution of malware, including ransomware.

58. The individual then asked Severa if he sends out stocks or pharma, does pricing change. Severa immediately responded:

SEVERA: legal offers stocks what do you mean pharma is 200 usd per 1 million emails
Individual: penny stocks buy sell
SEVERA: it's PD pump and dump i have 25 mil traders list my price usually is 5% of trade with 5-10k deposit
Individual: fair
SEVERA: 5% by yahoo numbers
Individual: ok good to know in advance
SEVERA: PrevClose LastPrice 2 Volume 5% i can move it good just find the stock and we need deposit i'll subtract each day numbers when it 0 i stop
Individual: i've know some people in the market who suggest stocks from time to time
SEVERA: ask them we need the stock if they can release news on it - it's cool too people buy on news 5-10k usd deposit I accept btc or wire or wmz

59. Based on my training and experience, I believe that "btc" is a common abbreviation for bitcoin and "wmz" is a common abbreviation for WebMoney. WebMoney is a very popular alternative online payment system. WebMoney allows its users to store funds in different "purses", where each purse can be maintained as a separate currency, such as U.S. dollars or Russian Federation rubles. I have examined WebMoney account records tied to LEVASHOV. Those records revealed the use of IP address 91.122.62.16, the same IP utilized to access LEVASHOV's iCloud account in his real name. This same IP address was also found to have accessed a WebMoney identifier (i.e., account) ending in 4986. Of note, registered under this account is the WebMoney purse ending in 1018, which is the purse supplied by LEVASHOV under his Severa alias when requesting payment for his spamming services with the individual referenced above.

60. Additionally, I identified two instances when 91.122.62.16 accessed the WebMoney account ending in 4986, expressed by WebMoney in terms
of dates/times when access would "begin" and "end". In the first instance, I observed that LEVASHOV received an iTunes update from Apple via 91.122.62.16 approximately 11 hours prior to when the WebMoney account was accessed from that same IP address. In the second instance, the same IP address accessed the WebMoney account between May 17 and 18, 2016, and I observed one iTunes update a little over an hour prior to that period and another update approximately 14 hours after that access period ended. Based on my training and experience, the overlapping use of the IP address for an iTunes account in LEVASHOV's name and a criminally used WebMoney account by the alias Peter Severa indicates that Peter Severa is LEVASHOV.

JURISDICTION

61. This Court has jurisdiction to issue the requested warrant under Rule 41(b)(6)(B) because the above facts establish there is probable cause to believe that the items to be searched are protected computers that have been damaged without authorization and are located in five or more judicial districts, and that there is probable cause to believe that activities related to the crime being investigated occurred within this judicial district.[5]

[5] Fed. R. Crim. P. 41 was amended on December 1, 2016. Rule 41(b)(6)(B) is a new venue provision which went into effect on that date.

62. It is possible to determine the IP addresses of computers infected by Kelihos by passively participating in the Kelihos botnet. Because it is a Peer to Peer botnet, infected computers exchange data on other known Kelihos infections. In this way, the botnet remains connected internally.

63. Examination of peer lists exchanged between peers in the botnet has revealed IP addresses that geolocated to Alaska, Connecticut, the Western District of Washington, Central District of California, and the Southern District of New York, the Northern District of California, and numerous other judicial districts. Geolocation is a term that denotes the examination of where an IP address is likely to be located. For example, IP addresses assigned to an ISP based in Alaska likely belong to subscribers also based in Alaska. After identifying one such victim located in Alaska in April 2016, I received consent to examine her computer for evidence of a Kelihos infection. I found that her computer's configuration settings had been changed and that an executable file was set to open any time her computer started up. Examination of this executable file revealed that it was Kelihos.

64. The presence of Kelihos exposed this victim to significant potential for harm in the form of stolen credentials, personal information, and victimization of other malicious payloads such as ransomware. Moreover, the victim's computer was also subject to be used for the distribution of high volumes of spam to others without her knowledge. While an Alaskan-based Kelihos infected computer would send spam emails to victims worldwide, my investigation revealed that these emails were frequently directed to other Alaskan recipients.

65. Furthermore, Kelihos targeted Alaskans with a high volume of malicious spam. I have studied a list of email addresses used by the Kelihos botnet, one of which was titled "pharma_b pharma trade" and contained almost 100 email addresses whose domains include k12.ak.us, meaning that these addresses are utilized by employees of school districts within Alaska. The same list has nearly 5,000 entries of emails utilizing the GCI.net domain. This domain, administered by General Communication Inc. (GCI), is one of the most popular Internet service providers within Alaska. I have also examined a March 28, 201_ Kelihos job message that directed the distribution of a spam message to 10,000 email accounts, three of which utilized email addresses with the domain uas.alaska.edu, which corresponds to the University of Alaska Southeast. Another included email
account utilized the ci.juneau.ak.us domain, which corresponds to the city of Juneau. The subject line of the spam email was "Do you want to impress your female partner tonight", and the email included a link to a website which purported to be the "Canadian Health and Care Mall". The website offered for sale a large number of prescription medications, including drugs such as Viagra and Cialis, pain relief medications such as Celebrex and Toradol, antibiotics such as Amoxicillin and Zithromax, and antidepressants such as Prozac and Wellbutrin. The website itself contained fraudulent endorsements from the Federal Drug Administration, American Pharmacists Association, and Verisign.

66. On April 5, 2017, a search warrant was issued in Case No. 3:17-mj-00135-DMS for a period of 14 days, a Pen Register and Trap and Trace Order was issued in Case No. 3:17-mj-00136-DMS for a period of 60 days, and a Temporary Restraining Order was issued in Case No. 3:17-cv-00074-TMB. On April 6, 2017, the FBI, together with individuals acting under the direction or control of the FBI, began conducting the online operation and steps authorized by those Orders. On April 12, 2017, a Preliminary Injunction was issued in Case No. 3:17-cv-00074-TMB at docket 21. To date, the disruption has proceeded as planned. Based on data from the sinkhole servers and industry researchers, it appears that the vast majority of Kelihos-infected computers are no longer communicating with the Defendant's infrastructure and are reporting exclusively to the sinkhole servers controlled by the government. The data further shows that, as time has passed, a number of previously unobserved computers have communicated with the sinkhole servers. These new connections are likely the result of computers connecting to the internet after a period of dormancy.

67. As explained in the Applications for a Search Warrant in Case Nos. 3:17-mj-00135-DMS, 3:17-mj-00184-DMS, 3:17-mj-00202-DMS, 3:17-mj-00232, 3:17-mj-00285, 3:17-mj-00301, 3:17-mj-00308, 3:17-mj-00327, 3:17-mj-00352, 3:17-mj-00368, 3:17-mj-00404-DMS, 3:17-mj-00425-DMS, 3:17-mj-442-DMS, 3:17-mj-00471-DMS, 3:17-mj-00489-DMS, 3:17-mj-00499-DMS, 3:17-mj-00524-DMS, 3:17-mj-00540-DMS, 3:18-mj-00006, 3:18-mj-00026-DMS, 3:18-mj-00077-DMS, 3:18-mj-00097-DMS, 3:18-mj-00164-DMS, 3:18-mj-193-DMS, 3:18-mj-00220-DMS, 3:18-mj-00244-DMS, 3:18-mj-00264-DMS, 3:18-mj-00302-DMS, and this Application, the Kelihos malware furthers criminal activity which the government continues to disrupt utilizing sinkhole servers. The chart below summarizes data from the sinkhole servers and shows that tens of thousands of computers are infected with Kelihos and that Kelihos-infected computers can be found within five or more districts within the United States. The location of U.S.-based infections is derived by geo-locating the IP addresses of the infected computers. The list of five districts is not representative of all districts with Kelihos infections, but rather provided merely to indicate that at least five districts continue to face ongoing harm from Kelihos.

68. Of note, for the date range of 3/7/2018 - 3/20/2018, as depicted below, the logging component of the sinkhole failed. This did not affect the integrity of the sinkhole, but it meant that the sinkhole was not logging the daily interaction with infected devices. This was discovered late into the two week period, when I began work to prepare the next affidavit. I was able to get the logging feature reenabled on the final day of the reporting period. I believe that the number of infected computers observed during this period (2,078) is an underrepresentation of the total number of infections during this period. The total number should have been approximately 6,000 based upon the preceding and following reporting period, which were 6,261 and 5,839, respectively.

Date Range | Infected Computers | Districts
4/6/2017 - 4/14/2017 | 52,755 | Alaska; Connecticut; Western District of Washington; Central District of California; Southern District of New York
4/15/2017 - 5/1/2017 | 35,909 | Alaska; Connecticut; Western District of Washington; Central District of California; Southern District of New York
5/2/2017 - 5/14/2017 | 32,328 | Connecticut; Western District of Washington; Central District of California; Northern District of California; Southern District of New York
5/15/2017 - 5/30/2017 | 28,238 | Connecticut; Western District of Washington; Central District of California; Northern District of California; Southern District of New York
5/31/2017 - 6/14/2017 | 23,329 | Connecticut; Western District of Washington; Central District of California; Northern District of California; Southern District of New York
6/15/2017 - 6/26/2017 | 18,982 | Central District of California; Northern District of California; Southern District of California; Southern District of New York; Western District of Washington
6/27/2017 - 7/11/2017 | 17,395 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
7/12/2017 - 7/25/2017 | 16,102 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
7/26/2017 - 8/8/2017 | 14,210 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
8/9/2017 - 8/22/2017 | 13,085 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
8/23/2017 - 9/5/2017 | 11,326 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
9/7/2017 - 9/19/2017 | 11,260 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
9/20/2017 - 10/3/2017 | 10,385 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
10/4/2017 - 10/16/2017 | 9,943 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
10/17/2017 - 10/30/2017 | 9,665 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
10/31/2017 - 11/13/2017 | 9,090 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
11/14/2017 - 11/28/2017 | 7,694 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
11/29/2017 - 12/12/2017 | 7,634 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
12/13/2017 - 12/26/2017 | 7,538 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
12/27/2017 - 1/09/2018 | 7,020 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
1/10/2018 - 1/23/2018 | 6,998 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
1/24/2018 - 2/6/2018 | 6,993 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
2/7/2018 - 2/20/2018 | 6,468 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
2/21/2018 - 3/6/2018 | 6,261 | Central District of California; Northern District of California; District of Colorado; Southern District of New York; District of Utah
3/7/2018 - 3/20/2018 | 2,078 | District of Arizona; Central District of California; Northern District of California; District of Colorado; District of Nevada
3/21/2018 - 4/4/2018 | 5,839 | Central District of California; Northern District of California; District of Colorado; District of Nevada; Southern District of New York
4/5/2018 - 4/17/2018 | 5,585 | Central District of California; Northern District of California; District of Colorado; District of Nevada; Southern District of New York
4/18/2018 - 4/30/2018 | 5,286 | Central District of California; Northern District of California; District of Colorado; District of Nevada; Southern District of New York
5/1/2018 - 5/15/2018 | 5,047 | Central District of California; Northern District of California; District of Colorado; District of Nevada; Southern District of New York
5/16/2018 - 5/29/2018 | 4,855 | Central District of California; Northern District of California; District of Nevada; Southern District of New York; Western District of Washington

69. Efforts to remediate the current Kelihos infections are ongoing. The government has issued a press release advising the public how to safely remove Kelihos from infected computers and - together with private sector partners operating at its direction - has engaged with Computer Emergency Response Teams (CERTs) and ISPs around the world to provide, in real time, the IP addresses of Kelihos victims. In the year since the commencement of the Kelihos takedown, the total number of devices infected with Kelihos has dropped by nearly 90 percent. This significant reduction in the total number of Kelihos infections is a strong indication that the government's ongoing mitigation efforts are succeeding.

70. This application marks the final renewal of the Kelihos sinkhole. The FBI has begun notification procedures, which consist of determining which victims are associated with a given ISP and providing the ISPs a list of victim IPs as well as date/time stamps for which the given victim IP interacted with the Kelihos sinkhole.
This information is provided to facilitate the ISPs' ability to notify their customers. ISPs will also be provided with a letter explaining the purpose of the sinkhole and information on the location of affidavits associated with the sinkhole operation. Within the next 15 day period, the FBI will cease receiving any data related to the Kelihos sinkhole, and operation of the sinkhole and final mitigation measures will be controlled by private and public sector partners.

TIME AND MANNER OF EXECUTION OF THE SEARCH

71. To effectively combat the P2P structure of the Kelihos botnet, the FBI, with assistance of private partners, will participate in the exchange of peer lists and job messages with other infected computers.[6]

[6] The law is unsettled as to whether the operation authorized by the proposed warrant constitutes a search or seizure. However, in an abundance of caution, the United States is seeking a warrant.

The FBI's communications, however, will not contain any commands, nor will they contain IP addresses of any of the infected computers. Instead, the FBI replies will contain the IP and routing information for the FBI's sinkhole server. As this new routing information permeates the botnet, the Kelihos infected computers will cease any current malicious activity and learn to only communicate with the sinkhole. The effect of these actions will be to free individual infections from exchanging information with the Kelihos botnet and with LEVASHOV. This will stop Kelihos's most immediate harm: the harvesting of personal data and credentials and the transmittal of that data to servers under LEVASHOV's control. Another portion of the Kelihos job messages is a list known as the IP filter list. This list functions as a type of blacklist, preventing communication with those IPs contained within the filter list. If necessary, the FBI also seeks authorization to send a filter list to TARGET COMPUTERS to block Kelihos infected computers from
continuing to communicate with router nodes.

72. The sinkhole server will be a dead end destination that does not capture content from the infected computers. The sinkhole server, however, will record the unique IP address and associated routing information of the infected machine so that the FBI can alert the proper Internet Service Providers of the existence of infected machines on their network and to monitor the effectiveness of the disruption effort. By notifying Internet Service Providers, the unwitting victims can be alerted as to their status of victims and be assisted in the removal of Kelihos from their computers. The IP filter list was utilized to blacklist Kelihos supernodes for the purpose of propagating the initial takeover. The IP filter list is no longer utilized.

73. Additionally, because the Kelihos malware directs infected machines to request peer lists from the Golden Parachute Domains when they are unable to reach any peers, the disruption effort will not be effective unless the domains are also redirected to the sinkhole. In order to prevent LEVASHOV from using the Golden Parachute Domains to recapture peers, it is essential that these domains be kept out of LEVASHOV's hands. The Temporary Restraining Order sought as part of this action denies LEVASHOV these domains through an order to the Domain Registries responsible for the U.S.-based top level domains, requiring them to redirect connection attempts to the sinkhole server.

74. Rule 41(e)(2) of the Federal Rules of Criminal Procedure requires that the warrant command the law enforcement officer (a) to execute the warrant within a specified time no longer than 14 days, and (b) to execute the warrant during the daytime unless the judge, for good cause, expressly authorizes execution at another time. The government seeks permission to transmit the updated peer list at any time of day or night for 30 days after the date the warrant is authorized. There is good cause to allow such a
method of execution, as the time of deployment causes no additional intrusiveness or inconvenience to anyone. More specifically, the government has no control of the timing or when the infected computers will access the peer list. In addition, the government seeks to transmit the peer list and job messages for 30 days because, based on my training and experience, I am aware that it may take many weeks to reach the thousands of computers infected by Kelihos. While the technical disruption should see immediate results, computers that are powered off or not connected to the Internet will not be redirected until they connect to the Internet, which could be weeks after the initiation of the disruption. Because any privacy invasion that may occur during this 30 day time period is minimal and the benefits of continuing to disrupt the Kelihos botnet are significant, the government believes that the extended time period for execution of this warrant is appropriate in this case.

SEARCH AUTHORIZATION REQUESTS

75. Accordingly, for each of the aforementioned reasons, it is respectfully requested that this Court issue a search warrant authorizing the following:

a. a deployment of updated peer lists and job messages to the TARGET COMPUTERS within 14 days from the date this Court issues the requested warrant;

b. that the government may receive and review, at any time of day or night within 14 days from the date the Court authorizes the use of the specified interactive techniques, such IP and routing information that is subsequently transmitted to a computer controlled by the FBI or its private partners working under the direction and control of law enforcement;

c. that provision of a copy of the search warrant and receipt may, in addition to any other methods allowed by law, be effectuated by electronic delivery of true and accurate electronic copies (e.g., Adobe PDF file) to any owners of affected computers by means of internet publication. These
affidavits are posted online for viewing by Kelihos victims and shared with ISPs for mitigation purposes.

Special Agent, Federal Bureau of Investigation

Subscribed and sworn to before me on May ___, 2018.

/s/ DEBORAH M. SMITH, CHIEF U.S. MAGISTRATE JUDGE (SIGNATURE REDACTED)
HON. DEBORAH M. SMITH
UNITED STATES MAGISTRATE JUDGE

ATTACHMENT A

This warrant authorizes any law enforcement officer or individual acting under the direction and control of law enforcement to conduct an online operation only against the TARGET COMPUTERS. A computer is a TARGET COMPUTER if and only if the following condition is met with respect to that computer: The computer is identified during the 14 day execution of this warrant as a peer in the Kelihos botnet by virtue of its current or former communication with a Kelihos-infected computer, including computers simulating a Kelihos infection maintained by a law enforcement officer or Crowdstrike and Shadow Server, private partners working under the direction and control of law enforcement. This Warrant does not authorize the physical entry by a law enforcement officer into any home, business, or other literal physical space. This Warrant only authorizes conduct occurring within the United States.

ATTACHMENT B

This warrant authorizes an online operation designed to (1) disrupt the Kelihos botnet and disable LEVASHOV's ability to control the TARGET COMPUTERS, and (2) obtain evidence of the extent of LEVASHOV's criminal activity, to wit, violations of Title 18, United States Code, Sections 1030, 1343, and 2511, by gauging the size of the botnet. This warrant authorizes only the distribution of an updated peer list and job message to the TARGET COMPUTERS described in Attachment A, which are intended to have only the following effects: (a) Causing the computers
identified in Attachment A to cease Kelihos activities and communicate to a sinkhole server; (b) Permitting the sinkhole server to record the Internet Protocol address and associated routing information of the computers identified in Attachment A so that the FBI can alert the proper Internet Service Providers of the existence of infected machines on their network and to monitor the effectiveness of the disruption effort; (c) Sending a filter list to the computers identified in Attachment A to prevent those computers from communicating with router nodes associated with the Kelihos botnet command and control infrastructure.

This warrant only authorizes seizure of IP addresses and routing information from target computers. No content may be captured or seized. No action is to be taken that blocks a target computer from access to the Internet.

AO 93 (Rev. 11/13) Search and Seizure Warrant

UNITED STATES DISTRICT COURT for the District of Alaska

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address): In re Application for a Warrant under Rule 41 of the Federal Rules of Criminal Procedure to Disrupt the Kelihos Botnet

Case No. 3:18-mj-00324-DMS

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the District of Alaska (identify the person or describe the property to be searched and give its location): See Attachment A, incorporated here by reference.

I find that the affidavit(s), or any recorded testimony, establish probable cause to search and seize the person or property described above, and that such search will reveal (identify the person or describe the property to be seized): See Attachment B, incorporated here by reference.

YOU ARE COMMANDED to execute this
warrant on or before June 13 2018 110110 exceed 14 days 0 in the daytime 6 00 a m to I 0 00 p m 0 at any time in the day or night because good cause has been established Unless delayed notice is authorized below you must give a copy of the warrant and a receipt for the property taken to the person from whom or from whose premises the property was taken or leave the copy and receipt at the place where the property was taken The officer executing this warrant or an officer present during the exe uti n of the warra1 m ii ct pn repare an inventory as required by law and promptly return this warrant and inventory to - - --'- - - ---'dt --'--''- _ ___---' 1't-t_ -'----------- Uni1ed Srares Magis1ra1e Judge 0 Pursuant to 18 U S C 3103a b I find that immediate notification may have an adverse result listed in 18 U S C 2705 except for delay of trial and authorize the officer executing this warrant to delay notice to the g i son who or whose - oo o o property will be searched or seized clreck the appropriare box 0 for _ _ days 110110 exceed 30 0 until the facts justifying the later 5tJecific date j' - Date and time issued S DEBORAH M _sMrrH ' ' ' ' - - - - - - - - CHIEF U S MAGISTRATE JUDGE SIGNATURE REDACTED I Judge's sig11G111re ' City and state Anchorage Alaska Hon Deborah M Sniltli Unit d ates Magistrate Judge Primed name and ritle ' AO 93 Rev 11 13 Search and Seizure Warrant Page 2 Return Case No Date and time warrant executed Copy of warrant and inventory left with 3 18-mj-00324-DMS Inventory made in the presence of Inventory of the property taken and name of any person s seized Certification I declare under penalty ofperjury that this inventory is correct and was returned along with the original warrant to the designated judge Date GBPxec111ing officer's signature Primed name and title Case o 3 18-mj-00324-DMS ATTACHMENT A This warrant authorizes any law enforcement officer or individual acting under the direction and control oflaw enforcement to conduct an online 
operation only against the TARGET COMPUTERS A computer is a TARGET COMPUTER if and only if the following condition is met with respect to that computer The computer is identified during the 14 day execution of this warrant as a peer in the Kelihos botnet by virtue of its current or former communication with a Kelihos-infected computer including computers simulating a Kelihos infection maintained by a law enforcement officer or Crowdstrike and Shadow Server private partners working under the direction and control of law enforcement This Warrant does not authorize the physical entry by a law enforcement officer into any home business or other literal physical space This Warrant only authorizes conduct occurring within the United States Page 1 of 1 Case o 3 18-mj-00324-DMS ATTACHMENT B This warrant authorizes an online operation designed to 1 disrupt the Kelihos botnet and disable LEVASHOV's ability to control the TARGET COMPUTERS and 2 obtain evidence of the extent of LEVASHOV's criminal activity to wit violations of Title 18 United States Code Sections 1030 1343 and 2511 by gauging the size of the botnet This warrant authorizes only the distribution of an updated peer list and job message to the TARGET COMPUTERS described in Attachment A which are intended to have only the following effects a Causing the computers identified in Attachment A to cease Kelihos activities and communicate to a sinkhole server b Permitting the sinkhole server to record the Internet Protocol address and associated routing information of the computers identified in Attachment A so that the FBI can alert the proper Internet Service Providers of the existence of infected machines on their network and to monitor the effectiveness of the disruption effort c Sending a filter list to the computers identified in Attachment A to prevent those computers from communicating with router nodes associated with the Kelihos botnet command and control infrastructure Page 1 of 2 Case o 3 18-mj-00324-DMS This 
warrant only authorizes seizure of IP addr esses and routing information from target computers No content may be captured or seized No action is to be taken that blocks a target computer from access to the Internet Page 2 of 2