Case 3:17-cv-05659-WHA Document 369-16 Filed 02/14/19 Page 1 of 3
Exhibit 15
White Paper: Combatting Drive-By Downloads

www.cyphort.com

Even for the well aware, with new vulnerabilities discovered every other day, it becomes tedious for a user to go through the ritual of updating the software: closing all applications that use the software, waiting for the update to complete and then starting all the applications back again.

Anatomy of a Drive-by Download

A drive-by download is a multi-stage attack:

1. The attacker embeds malicious code into an online advertisement displayed on a trusted website.

2. A user visiting the website gets redirected to the attacker's site without the user clicking on the advertisement.

3. An exploit kit from the attacker's site looks for possible vulnerabilities on the user's endpoint.

4. Based on the exploit discovered, a desired malware is downloaded to the endpoint without the user's knowledge.
`
A drive-by download is a sneaky attack where a user normally browsing a seemingly harmless site can get infected without clicking on anything. The benign website can be compromised in different ways: by embedding malicious code in a comment field on a blog or a poorly secured web form. But the easiest way to go about this is by taking advantage of a flaw in an online advertisement and injecting malicious code in it. Trusted websites that are visited by thousands every day can end up hosting advertisements running malicious code without their knowledge.
`
The malicious code injected into the advertisement redirects the user to the attacker's website by loading the malicious URL in a new window. This new window goes undetected because attackers make use of a common HTML feature called Inline Frame, or iFrame for short. An iFrame is an HTML document that is embedded into another HTML document. For example, a YouTube video can be seamlessly embedded into a main webpage. In reality, it is just a regular webpage playing a YouTube video that is inserted into the main page by adjusting the size and removing the borders. It gives an illusion that the YouTube video is actually a part of the main webpage. So when the malicious code redirects the user to a different website, it opens up in a tiny window which can't be easily spotted by the human eye.
`
Once the user gets redirected to the attacker's web page, an exploit kit examines the endpoint for possible vulnerabilities to take advantage of. This is the beginning of the attack. The exploit kit gathers information about the operating system, browser type, browser version and browser plugins and looks for security holes in them. Browser plugins such as Java Runtime Environment, Adobe Flash Player and Adobe Reader are popular targets. The exploit itself doesn't cause any actual damage: the security codes of the building have been cracked, but nothing has been stolen yet.
`
Armed with the knowledge of how to attack the victim, the exploit kit proceeds to download an appropriate malware to the victim's endpoint. The malware, also known as the "payload", is automatically installed on the endpoint without the user's knowledge. The payload download goes unnoticed because it is usually obfuscated. Obfuscation is a common technique used by attackers to evade traditional signature-based detection engines and helps mask the real purpose of the malicious code. Once the malware has been downloaded and executed, it proceeds to do what it's best designed for: to make some green for the attacker. The malware can extract crucial banking information or lock your folders in exchange for money (more commonly known as ransomware). Even more insidious attacks may start with reconnaissance tools that stay "low and slow" and take stock of critical assets on the network and sniff for access credentials.
`
3

http://www.cyphort.com/resources/literature-downloads/

FINJAN-JN 045341

Each of these existing solutions tries to convince users that their "silver bullet" will protect users from drive-by downloads, but adding more functionality or signatures to products that were originally designed to detect viruses or malicious websites is no match for the sophisticated attacks we have seen in the past few years.
`
The Cyphort Solution

Cyphort has been designed from the beginning to address the dynamic nature of Advanced Persistent Threats. For a complicated problem such as a drive-by download, a single, traditional approach will not do the trick. Cyphort attacks the problem from different angles:
`
• Chain Heuristics: Cyphort uses a heuristics model to identify potentially malicious traffic. As there are thousands of web pages being visited by employees in a company, this is a crucial step to focus on interesting traffic and provide quick results. Cyphort analyzes all the traffic and looks for indicators such as "Is this browser running a vulnerable version of a browser plugin", "Was this web page referred from a valid resource link", "Why is a field missing in the header", "Is this webpage part of a trusted domain" and other such questions.

• Browser Behavior Analysis Engine: If a particular HTTP session is determined to be potentially malicious by the heuristics model, more analysis is done to confirm the verdict. The entire HTTP session is simulated using a browser that runs in Cyphort's sandbox environment. Cyphort examines the browser logs and downloaded artifacts to confirm any suspicious activity.

• Dropper Analysis: Cyphort looks for any executable artifacts (droppers) that are downloaded as part of the chain. Cyphort subjects the dropper to static analysis, behavior analysis and reputation analysis to identify if it is malware.
`
Cyphort's true strength in combatting drive-by downloads lies in using a combination of techniques to counter different kinds of exploits. Each exploit has its own traits and it would be difficult to detect them all with a single-method approach.

Every exploit has a tell, but it is important to know what to look for or it could easily end up being a wild goose chase. These clues are subtle and spread across several requests and responses. Chain Heuristics does not look at packets as mere zeroes and ones that it can match a signature against; it understands the context by inspecting the sequence of HTTP requests and responses between a particular source and a destination. Each of these sequences is called a chain. Chain Heuristics checks for suspicious indicators in the headers and body of each HTTP request and response and also overall in each chain.
`
The suspicious indicators get constantly updated depending on what exploits are out there. Cyphort Labs researchers study new exploits in the wild and come up with these indicators. The indicators by themselves may not draw attention, but when all the indicators are added up along with enough context, things will start to look suspicious. For example, consider an endpoint in an enterprise that fetches a few web pages from an outside web server hosted on port 8000. That doesn't seem suspicious at all; a lot of web servers run on non-standard ports for enhanced security. But if the same endpoint also downloads an encrypted executable file and its browser runs a vulnerable version of a browser plugin, then things begin to fall into perspective. The strength of Chain Heuristics lies in the context that is extracted from the traffic. With threat intelligence data from Cyphort's Malware Researchers combined with Heuristics, this solution offers a unique angle to the problem.
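As an added illustration, not Cyphort's code, the following toy chain scorer in Python adds up the kinds of indicators the paper describes (the invisibly small iframe from the redirect step, a missing referrer, the port-8000 server, an encrypted executable download and a vulnerable plugin version) over a constructed HTTP chain, so that the port-8000 server alone scores benign while the full chain does not. The weights, threshold, version table and sample chains are assumptions made for this example.

```python
import re
# Constructed weights for a toy Chain Heuristics scorer (not Cyphort's real model).
WEIGHTS = {"hidden_iframe": 3, "missing_referer": 1, "nonstandard_port": 1,
           "executable_download": 2, "obfuscated_payload": 2, "vulnerable_plugin": 3}
THRESHOLD = 6
VULNERABLE_BELOW = {"flash": (12, 0, 0)}  # constructed placeholder, not a real advisory
# An iframe sized 0/1 px or hidden by CSS: the invisible window used for the redirect.
HIDDEN_IFRAME = re.compile(r'<iframe\b[^>]*?(?:\b(?:width|height)=["\']?[01]\b'
                           r'|display\s*:\s*none|visibility\s*:\s*hidden)', re.I)

def request_indicators(req):
    """Indicators visible in one HTTP request/response pair of the chain."""
    found = set()
    if req["port"] not in (80, 443):          # non-standard port: weak on its own
        found.add("nonstandard_port")
    if not req["referer"]:                    # not reached from a valid referring link
        found.add("missing_referer")
    if req["content_type"].startswith("text/html") and HIDDEN_IFRAME.search(req["body"].decode("latin-1")):
        found.add("hidden_iframe")
    if req["content_type"] == "application/octet-stream" or req["path"].lower().endswith(".exe"):
        found.add("executable_download")      # a dropper is part of the chain
        if not req["body"].startswith(b"MZ"): # no PE header: encrypted/obfuscated payload
            found.add("obfuscated_payload")
    return found

def score_chain(chain, client):
    """Add indicators across the whole chain plus endpoint context; return (score, indicators)."""
    indicators = set()
    for req in chain:
        indicators |= request_indicators(req)
    for plugin, version in client.get("plugins", {}).items():
        fixed = VULNERABLE_BELOW.get(plugin.lower())
        if fixed and tuple(map(int, version.split("."))) < fixed:
            indicators.add("vulnerable_plugin")
    return sum(WEIGHTS[i] for i in indicators), sorted(indicators)

def verdict(chain, client):
    return "suspicious" if score_chain(chain, client)[0] >= THRESHOLD else "benign"

# Constructed chains: a drive-by (ad page -> 1x1 iframe -> port-8000 site -> non-MZ "exe") and a benign one.
DRIVE_BY = [
    {"port": 80, "path": "/banner.html", "referer": "http://news.example.test/", "content_type": "text/html",
     "body": b'<iframe src="http://198.51.100.7:8000/go" width="1" height="1"></iframe>'},
    {"port": 8000, "path": "/go", "referer": None, "content_type": "text/html", "body": b"<html></html>"},
    {"port": 8000, "path": "/u.bin", "referer": None, "content_type": "application/octet-stream",
     "body": b"\x9c\x41\x02\xee\x7f"},
]
BENIGN = [{"port": 8000, "path": "/wiki", "referer": "http://intranet.example.test/",
           "content_type": "text/html", "body": b"<html><p>hello</p></html>"}]
OLD_FLASH, NEW_FLASH = {"plugins": {"Flash": "11.2.202.235"}}, {"plugins": {"Flash": "12.0.0.44"}}
```

Calling verdict(DRIVE_BY, OLD_FLASH) gives "suspicious" (score 12), while verdict(BENIGN, NEW_FLASH) gives "benign" (score 1 from the port alone).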
`
Depending on the verdict obtained from Chain Heuristics, Cyphort decides if the suspicious chain needs to be looked at by the Browser Behavior Analysis Engine. It recreates the attack by executing

6

FINJAN-JN 045344