`Case 3:17-cv-05659-WHA Document 470-11 Filed 05/13/19 Page 1of 8
`
`
`
`
`
`EXHIBIT 9
`
Combatting Drive-By Downloads

A Next Generation Approach to an Emerging Threat
`
`DRIVE-BY
`DOWNLOADS
`AHEAD
`
`FINJAN-JN 045339
`
`WHITE PAPER
`
CYPHORT.
`
White Paper: Combatting Drive-By Downloads
`
`www.cyphort.com
`
`Introduction
`
When was the last time you bought a cool gadget because you heard an advertisement for it on the
radio, or a nice pair of jeans because you saw a commercial for it on the television? You're probably
guilty of spending a few hours every month looking for something to buy on Amazon or any other
online retailer. Thanks to its convenience, online shopping has become a major trend over the last few
years and let's face it, it's here to stay. With the rise of online shopping, marketing experts capitalized
on this new avenue to advertise their products. Now your friends nudge you on Facebook to buy a
product they love and Google suggests a friendly place across the street where you can get your car
fixed. It's become hard to browse even a few pages without running into an ad, and because of this
increase, malware experts also saw a new avenue of attack - Malvertising.
`
Malvertising involves injecting malicious code into legitimate advertisements. These attacks started
off as amateur "Click on Me!" buttons which fooled a lot of people. A popular example of this is a link
that tricks the user into installing a fake Antivirus program which is actually malware in disguise.
However, over time with enough awareness and educating users not to give in to the "Ooh, what does
this button do?!" reaction, people became mindful of what they clicked and attackers had to become
more sophisticated, paving the way for a new type of threat called "Drive-by Downloads". A drive-by
download is a method that attackers use to automatically download malware to the endpoint without
a conscious user action such as clicking on a button or link.
`
`2
`
http://www.cyphort.com/resources/literature-downloads/
`
Anatomy of a Drive-by Download
A drive-by download is a multi-stage attack:

1. The attacker embeds malicious code into an online advertisement displayed on a trusted
website.

2. A user visiting the website gets redirected to the attacker's site without the user clicking
on the advertisement.

3. An exploit kit from the attacker's site looks for possible vulnerabilities on the user's
endpoint.

4. Based on the exploit discovered, a desired malware is downloaded to the endpoint
without the user's knowledge.
`
A drive-by download is a sneaky attack where a user normally browsing a seemingly harmless site can
get infected without clicking on anything. The benign website can be compromised in different ways
- by embedding malicious code in a comment field on a blog or a poorly secured web form. But the
easiest way to go about this is by taking advantage of a flaw in an online advertisement and injecting
malicious code in it. Trusted websites that are visited by thousands every day can end up hosting
advertisements running malicious code without their knowledge.
`
The malicious code injected into the advertisement redirects the user to the attacker's website by
loading the malicious URL in a new window. This new window goes undetected because attackers
make use of a common HTML feature called Inline Frame or iFrame for short. An iFrame is an HTML
document that is embedded into another HTML document. For example, a YouTube video can be
seamlessly embedded into a main webpage. In reality, it is just a regular webpage playing a YouTube
video that is inserted into the main page by adjusting the size and removing the borders. It gives an
illusion that the YouTube video is actually a part of the main webpage. So when the malicious code
redirects the user to a different website, it opens up in a tiny window which can't be easily spotted by
the human eye.
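As an added example (not code from the white paper or from Cyphort), the following Python scanner shows the defender's side of the hidden-frame technique described above: it parses an HTML page and flags <iframe> elements that are sized to a pixel or two or hidden through CSS, which is what makes the redirect window invisible to the user. The sample page, its hostnames and the size threshold are constructed for illustration.

```python
"""Hidden iframe scanner (added example; not from the white paper).

Flags <iframe> elements a reader would never see: a frame sized to a pixel
or two, or hidden through CSS, is how a drive-by page keeps the redirect
window out of sight.
"""
import re
from html.parser import HTMLParser

# Constructed sample page: a visible embedded video plus a 1x1 hidden frame
# inside an ad slot. Hostnames are placeholders, not real sites.
SAMPLE_PAGE = """
<html><body>
<h1>Daily news</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<div id="ad-slot">
  <iframe src="http://ad-redirect.example/landing" width="1" height="1"
          frameborder="0" style="visibility:hidden"></iframe>
</div>
</body></html>
"""

# CSS fragments that make an element invisible; the style attribute is
# lower-cased with spaces removed before matching.
HIDING_CSS = [
    r"display:none",
    r"visibility:hidden",
    r"opacity:0(\.0+)?(;|$)",
    r"(width|height):0(px)?(;|$)",
    r"(left|top):-\d+",          # pushed off-screen
]


def _px(value):
    """Parse an HTML size attribute such as '1' or '0px'; None if not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def hidden_reasons(attrs):
    """Return the reasons an iframe with these attributes is effectively invisible."""
    reasons = []
    width, height = _px(attrs.get("width")), _px(attrs.get("height"))
    if width is not None and width <= 2:        # constructed threshold
        reasons.append("width=%d" % width)
    if height is not None and height <= 2:
        reasons.append("height=%d" % height)
    style = (attrs.get("style") or "").replace(" ", "").lower()
    for pattern in HIDING_CSS:
        m = re.search(pattern, style)
        if m:
            reasons.append(m.group(0))
    if "hidden" in attrs:                        # HTML5 boolean attribute
        reasons.append("hidden attribute")
    return reasons


class HiddenIframeScanner(HTMLParser):
    """Collect every iframe whose size or style hides it from the user."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        attrs = dict(attrs)
        reasons = hidden_reasons(attrs)
        if reasons:
            self.findings.append({"src": attrs.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts, one per hidden iframe in the page."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The visible 560x315 video frame passes; the 1x1 frame with `visibility:hidden` is reported with all three reasons. A scanner like this is a triage aid, not a verdict: legitimate pages also use tiny frames for tracking pixels, which is exactly why the paper argues for adding context from the rest of the HTTP chain.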
`
Once the user gets redirected to the attacker's web page, an exploit kit examines the endpoint for
possible vulnerabilities to take advantage of. This is the beginning of the attack. The exploit kit gathers
information about the operating system, browser type, browser version and browser plugins and looks
for security holes in them. Browser plugins such as Java Runtime Environment, Adobe Flash Player and
Adobe Reader are popular targets. The exploit itself doesn't cause any actual damage - the security
codes of the building have been cracked, but nothing has been stolen yet.
`
Armed with the knowledge of how to attack the victim, the exploit kit proceeds to download an
appropriate malware to the victim's endpoint. The malware, also known as the "payload", is automatically
installed on the endpoint without the user's knowledge. The payload download goes unnoticed
because it is usually obfuscated. Obfuscation is a common technique used by attackers to evade
traditional signature based detection engines and helps mask the real purpose of the malicious code.
Once the malware has been downloaded and executed, it proceeds to do what it's best designed for -
to make some green for the attacker. The malware can extract crucial banking information or lock your
folders in exchange for money (more commonly known as Ransomware). Even more insidious attacks
may start with reconnaissance tools that stay "low and slow" and take stock of critical assets on the
network and sniff for access credentials.
`
`3
`
`http://www.cypho•t.com/resources/l.teratu•e-downloads/
`
`FINJAN-JN 045341
`
`
`
`Case 3:17-cv-05659-WHA Document 470-11 Filed 05/13/19 Page 5 of 8
`
`White Paper: Com batting Dri ve-By Downloads
`
`www.cyphort.com
`
Drive-By Downloads On the Rise
Drive-by downloads have become a serious threat and there are several reasons for this:

One of the most compelling reasons is the fact that any person with a malicious intent
and almost zero malware writing skills can stage a drive-by download attack on
several endpoints across the world. Exploit kits and payloads are sold in the darknet
or underground markets and it has become easy for an attacker to get hold of one.
Since the darknets are anonymous, it is sufficiently harder to trace these purchases.
Sophisticated hackers have also developed exploit kits that are easy to use. Modern
exploit kits provide a graphical user interface to help the attacker decide who his next
victims will be and also show the progression of infections on a victim's machine. It even
has a fancy dashboard that shows statistics on the number of machines the attacker was
able to infect that day. The attacker can sort all this data by OS, browser or country, and
yes, they can even generate pie charts and graphs to organize the victim data. Some
exploit kits have taken it to the next level by including multiple-user support and an
authorization system to allow groups of users to manage their data.
`
[Figure: screenshot of the Blackhole exploit kit dashboard (Russian-language interface) with panels
for statistics, exploits (Java, PDF and others), countries (United States, Argentina, Israel, Singapore
and more), browsers (Chrome, Firefox, Opera, MSIE) and operating systems (Windows XP, 2003, 2000),
listing hosts, loads and infection percentages per row]

The recent Angler exploit gives us some insight into how mature exploit kits have become. The
developers of Angler Exploit Kit were always one step ahead in the game. Updates to the kit to exploit
new vulnerabilities were faster than security updates to patch the targeted software. The Angler
Exploit Kit could detect if an antivirus was installed on the endpoint or if it was being run in a sandbox.
`
Another reason for the increase in drive-by download attacks is the means by which hackers
spread exploits. Planting drive-by downloads on trusted websites using vulnerabilities in online
advertisements increased the proliferation of exploits by multiple folds. Cyphort Labs investigated
the Angler Exploit Kit and discovered several infected domains spread across the United States, Italy,
Germany, Japan, India and more. At least 10 million people visited those web sites within a period of 10
days. One of the popular domains that was infected was The Huffington Post.
`
`4
`
`http://www.cyphoct.com/resources/l.teratuce-downloads/
`
`FINJAN-JN 045342
`
`
`
`Case 3:17-cv-05659-WHA Document 470-11 Filed 05/13/19 Page 6 of 8
`
`White Paper: Combatting Dri ve-By Downloads
`
`www.cyphort. com
`
Last but not least, there is a lack of awareness to keep software applications up to date. People use
Netflix, Hulu and YouTube everyday but only a handful know that these internally use other applications
such as Flash Player, Microsoft Silverlight and Java, which need frequent security patches. Even for the
well aware, with new vulnerabilities discovered every other day, it becomes tedious for a user to go
through the ritual of updating the software - closing all applications that use the software, wait for the
update to complete and then start all the applications back again. It is hard to worry about a Microsoft
Silverlight update when the next season of House of Cards has just been released. A sophisticated tool
that can be used with ease, a convenient medium to spread the attack and unsuspecting victims has
really made drive-by downloads stand out among other types of attacks.
`
Shortcoming of Existing Security Solutions
The earliest occurrence of a drive-by download can be dated to 2006 and it started getting more
attention in 2012 with the Blackhole attack. Existing solutions are just not equipped to cope with
Drive-by Downloads effectively and here is why:

• Antivirus Products: Antivirus products mainly rely on signature detection. When it comes
to zero day exploits, antivirus engines are always a few days behind, giving the exploit
enough time to spread undetected. Even after signature updates are pushed, they are
ineffective in some cases. Angler Exploit and Nuclear Exploit had the capability to detect
the presence of an antivirus product on an endpoint. If detected, they would decide not to
run. Some malware also use several obfuscation techniques to hide from antivirus engines.

• Sandbox Solutions: Sandbox solutions have received a lot of attention in the Advanced
Persistent Threats market for identifying zero-day malware which antivirus products cannot.
But the Angler exploit was able to evade a standalone Sandbox solution as well. If the
exploit kit found out that it was being run in a VirtualBox or VMware or Parallels Desktop
environment, it would bail out.

• Web-Filtering Software: Web-filtering classifies websites into categories based on their
content and historic reputation. This approach requires constant updates, making it difficult
to keep pace with drive-by downloads.

• Software Updates: This solution is recommended by several Operating Systems and
Software vendors. Although this is an essential step to keeping malware at bay, it is
not sufficient. With attackers eager to update their exploit kits based on newly found
vulnerabilities, software patches are not installed quickly enough to defend the endpoint
against exploits, leaving long periods of vulnerability. Some updates involve human
intervention and interruption of current tasks which may significantly increase the time
involved in installing the patches.
`
`5
`
`http://www.cyphoct.com/cesources/l.teratuce-downloads/
`
`FINJAN-JN 045343
`
`
`
`Case 3:17-cv-05659-WHA Document 470-11 Filed 05/13/19 Page 7 of 8
`
`White Paper: Com batting Dri ve-By Downloads
`
`www.cyphort.com
`
Each of these existing solutions tries to convince users that their "silver bullet" will protect them from
drive-by downloads, but adding more functionality or signatures to products that were originally
designed to detect viruses or malicious websites is no match for the sophisticated attacks we have
seen in the past few years.
`
The Cyphort Solution
Cyphort has been designed from the beginning to address the dynamic nature of Advanced Persistent
Threats. For a complicated problem such as a drive-by download, a single, traditional approach will not
do the trick. Cyphort attacks the problem from different angles:
`
• Chain Heuristics: Cyphort uses a heuristics model to identify potentially malicious traffic.
As there are thousands of web pages being visited by employees in a company, this is
a crucial step to focus on interesting traffic and provide quick results. Cyphort analyzes
all the traffic and looks for some indicators such as "Is this browser running a vulnerable
version of a browser plugin", "Was this web page referred from a valid resource link", "Why
is a field missing in the header", "Is this webpage part of a trusted domain" and other such
questions.
`
• Browser Behavior Analysis Engine: If a particular HTTP session is determined to be
potentially malicious by the heuristics model, more analysis is done to confirm the verdict.
The entire HTTP session is simulated using a browser that runs in Cyphort's sandbox
environment. Cyphort examines the browser logs and downloaded artifacts to confirm any
suspicious activity.
`
• Dropper Analysis: Cyphort looks for any executable artifacts (dropper) that are
downloaded as part of the chain. Cyphort subjects the dropper to static analysis, behavior
analysis and reputation analysis to identify if it is malware.
`
Cyphort's true strength in combatting drive-by downloads lies in using a combination of techniques
to counter different kinds of exploits. Each exploit has its own traits and it would be difficult to detect
them all with a single method approach.
`
Every exploit has a tell - but it is important to know what to look for or it could easily end up being a
wild goose chase. These clues are subtle and spread across several requests and responses. Chain
Heuristics does not look at packets as mere zeroes and ones that it can match a signature against;
it understands the context by inspecting the sequence of HTTP requests and responses between
a particular source and a destination. Each of these sequences is called a chain. Chain Heuristics
checks for suspicious indicators in the headers and body of each HTTP request and response and
also overall in each chain.
`
The suspicious indicators get constantly updated depending on what exploits are out there. Cyphort
Labs researchers study new exploits in the wild and come up with these indicators. The indicators
by themselves may not draw attention, but when all the indicators are added up along with enough
context, things will start to look suspicious. For example, consider an endpoint in an enterprise
that fetches a few web pages from an outside web server hosted on port 8000. That doesn't seem
suspicious at all. A lot of web servers run on non-standard ports for enhanced security, but if the same
endpoint also downloads an encrypted executable file and its browser runs a vulnerable version of
a browser plugin, then things begin to fall into perspective. The strength of Chain Heuristics lies in
the context that is extracted from the traffic. With threat intelligence data from Cyphort's Malware
Researchers combined with Heuristics, this solution offers a unique angle to the problem.
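The following Python script is an added example, not Cyphort's Chain Heuristics implementation, of the idea the two paragraphs above describe. Captured HTTP transactions are grouped into chains keyed by source address and destination host; each request and response is checked for the kinds of indicators the paper lists (a non-standard port, a missing Referer header, an outdated browser plugin, an encrypted-looking executable download), and the chain's score rises further when the indicators combine into the port-8000 scenario the paper walks through. The log records, the weights, the Java patch baseline and the alert threshold are all constructed assumptions.

```python
"""Chain Heuristics style scoring (added example; not Cyphort's code).

Groups captured HTTP transactions into (source, destination host) chains,
adds up per-request indicators and applies a context bonus when an
outdated plugin fetches an encrypted binary within the same chain.
"""
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed weights and thresholds (assumptions for illustration only).
NONSTANDARD_PORT_WEIGHT = 1
MISSING_REFERER_WEIGHT = 1
OUTDATED_PLUGIN_WEIGHT = 2
ENCRYPTED_BINARY_WEIGHT = 2
CONTEXT_BONUS = 3                  # outdated plugin + encrypted binary together
ALERT_THRESHOLD = 5
MIN_PATCHED_JAVA = (1, 7, 0, 45)   # placeholder baseline, not a real patch level
BINARY_TYPES = {"application/octet-stream", "application/java-archive"}

# Constructed log records: a benign news chain and a suspicious chain to an
# IP-literal host on port 8000. "body" holds the captured response bytes.
_JAVA_UA = "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_25"
_FF_UA = "Mozilla/5.0 Firefox/40.0"
_RANDOM_LIKE = bytes(range(256)) * 4      # uniform bytes: 8.0 bits/byte entropy
RECORDS = [
    {"src": "10.0.0.5", "url": "https://news.example/",
     "req": {"User-Agent": _FF_UA}, "resp": {"Content-Type": "text/html"},
     "body": b"<html>news</html>"},
    {"src": "10.0.0.5", "url": "https://news.example/a.css",
     "req": {"User-Agent": _FF_UA, "Referer": "https://news.example/"},
     "resp": {"Content-Type": "text/css"}, "body": b"body{margin:0}"},
    {"src": "10.0.0.5", "url": "http://203.0.113.7:8000/landing.php",
     "req": {"User-Agent": _FF_UA}, "resp": {"Content-Type": "text/html"},
     "body": b"<html><script>/* obfuscated */</script></html>"},
    {"src": "10.0.0.5", "url": "http://203.0.113.7:8000/e.jar",
     "req": {"User-Agent": _JAVA_UA, "Referer": "http://203.0.113.7:8000/landing.php"},
     "resp": {"Content-Type": "application/java-archive"}, "body": _RANDOM_LIKE},
    {"src": "10.0.0.5", "url": "http://203.0.113.7:8000/load.php?id=1",
     "req": {"User-Agent": _JAVA_UA},
     "resp": {"Content-Type": "application/octet-stream"}, "body": _RANDOM_LIKE},
]


def entropy_bits_per_byte(data):
    """Shannon entropy of a byte string; encrypted or packed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def java_version(user_agent):
    """Extract (major, minor, patch, update) from a Java plugin User-Agent, or None."""
    m = re.search(r"Java/(\d+)\.(\d+)\.(\d+)_(\d+)", user_agent)
    return tuple(int(x) for x in m.groups()) if m else None


def request_indicators(rec):
    """Per-request indicators as (name, weight) pairs."""
    found = []
    parts = urlsplit(rec["url"])
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in (80, 443):
        found.append(("non-standard port %d" % port, NONSTANDARD_PORT_WEIGHT))
    if parts.path not in ("", "/") and "Referer" not in rec["req"]:
        found.append(("missing Referer on sub-page", MISSING_REFERER_WEIGHT))
    ver = java_version(rec["req"].get("User-Agent", ""))
    if ver and ver < MIN_PATCHED_JAVA:
        found.append(("outdated Java plugin %d.%d.%d_%d" % ver, OUTDATED_PLUGIN_WEIGHT))
    ctype = rec["resp"].get("Content-Type", "").split(";")[0].strip()
    if ctype in BINARY_TYPES and entropy_bits_per_byte(rec["body"]) > 7.5:
        found.append(("high-entropy binary download", ENCRYPTED_BINARY_WEIGHT))
    return found


def build_chains(records):
    """Group records into chains keyed by (source address, destination host)."""
    chains = defaultdict(list)
    for rec in records:
        chains[(rec["src"], urlsplit(rec["url"]).hostname)].append(rec)
    return chains


def score_chain(chain):
    """Sum the request indicators and add the context bonus when they combine."""
    indicators = []
    for rec in chain:
        indicators.extend(request_indicators(rec))
    names = {name for name, _ in indicators}
    if any(n.startswith("outdated Java") for n in names) and \
            "high-entropy binary download" in names:
        indicators.append(("outdated plugin fetched encrypted binary", CONTEXT_BONUS))
    return sum(w for _, w in indicators), indicators


def analyze(records):
    """Return {chain_key: {'score', 'alert', 'indicators'}} for every chain."""
    results = {}
    for key, chain in build_chains(records).items():
        score, indicators = score_chain(chain)
        results[key] = {"score": score, "alert": score >= ALERT_THRESHOLD,
                        "indicators": indicators}
    return results


if __name__ == "__main__":
    for (src, host), r in analyze(RECORDS).items():
        print("%s -> %s: score %d %s" % (src, host, r["score"],
                                         "ALERT" if r["alert"] else "ok"))
        for name, weight in r["indicators"]:
            print("    +%d %s" % (weight, name))
```

On the constructed records the news chain scores 0 and the port-8000 chain scores 16: the odd port alone contributes only 1 per request, which is the paper's point, but the outdated Java plugin, the missing Referer on the landing page and two high-entropy binaries add up, and the context bonus fires only because the plugin and the binary occur in the same chain. Replacing the placeholder baseline with a threat-intelligence feed of vulnerable plugin versions is where the "constantly updated indicators" the paper mentions would plug in.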
`
Depending on the verdict obtained from Chain Heuristics, Cyphort decides if the suspicious chain
needs to be looked at by the Browser Behavior Analysis Engine. It recreates the attack by executing
the suspicious HTTP session in a browser environment present on Cyphort's sandbox. As the browser
requests the session web pages, the exact responses captured as part of the session are served.
Using this method, Cyphort can replicate the exploit as it happened on the infected endpoint.
`
Cyphort looks for suspicious activity by examining the properties and function calls made by scripts
executed in the browser. For example, if Cyphort notices a particular script making a function call to
check for device drivers and all the user was browsing at that time was news, it raises a flag. Cyphort
also inspects the source code of JavaScripts that were used as part of the exploit. This is a valuable
source of information as it can provide clues to the actual intentions of the malware. Browser Behavior
Analysis Engine offers the ability to zoom in on the exploit attack and observe how it happened step
by step. Armed with information about where the attack originated, how it took place and what it left
behind, security administrators can make informed decisions.
`
Cyphort performs detailed analysis on malware payloads dropped on the endpoint. The executable
is detonated in Cyphort's array of sandboxes and its behavior is observed. Cyphort uses a machine
learning analytics engine to render a verdict. Cyphort also allows customers to configure custom
behavior analysis sandbox environments mimicking their actual endpoints. This ability helps customers
assess the impact of malware in their environment. In addition, Cyphort can detect callbacks made to
external Command and Control Servers. By using a multidimensional approach, Cyphort can provide
details about the severity of an attack and how far it has progressed.
`
Conclusion
The global threat landscape has transformed tremendously over the last few years. Hackers used
to take pride in bringing down as many machines as they could. They were smart, tech-savvy and
wanted to show the world that anything could be broken. All this has changed. Hacking is no longer an
art, but more like a commercial business. Sophisticated malware is available for purchase in the dark
nets. Spear-phishing attacks target specific individuals in an enterprise, lay low for months together
and don't stop until they reach the main vault. Social security numbers, home addresses and personal
emails now have price tags on them.
`
Enterprises were content with firewalls that defended their network and antivirus solutions that
protected their endpoints, but these solutions have become archaic and fail to effectively protect the
companies against sophisticated malware. The need for an Advanced Persistent Threats solution has
become crucial to protect the intellectual property of Enterprises and the privacy of their employees.
`
Cyphort is the next generation APT defense solution for enterprise organizations. Cyphort provides a
single pane of glass across perimeter and laterally moving threats, correlates threat signals before and
after an incident, while eliminating noise from false alerts and red herrings. Cyphort has leveraged the
power of machine learning and data science to build a next generation threat detection engine that
evolves ahead of the threats. A virtualized deployment model combined with open API based integration
allows customers to address APT security gaps across global locations while leveraging their existing
investments in perimeter and endpoint security for threat defense. Cyphort is a privately held company
headquartered in Santa Clara, California. For more information, please visit www.cyphort.com and
follow us @Cyphort.
`
CYPHORT, Inc.
5451 Great America Pkwy
Suite 225
Santa Clara, CA 95054
P: (408) 841-4665
F: (408) 540-1299
www.cyphort.com
`
`•>7016 Cyphort. Inc All Ri g hts Rese rve d