`Document Description: Provisional Cover Sheet (SB16)
`
`PTO/SB/16 (11-08)
`Approved for use through 09/30/2010 OMB 0651-0032
`U.S. Patent and Trademark Office: U.S. DEPARTMENT OF COMMERCE
Under the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of information unless it displays a valid OMB control number.
`
`Provisional Application for Patent Cover Sheet
This is a request for filing a PROVISIONAL APPLICATION FOR PATENT under 37 CFR 1.53(c)
`
Inventor(s)

Inventor 1
Given Name: Neilkumar
Middle Name: Murli
Family Name: Daswani
City: San Jose
Country: US

Inventor 2
Given Name: Ameet
Family Name: Ranadive
City: San Francisco
State: CA

Inventor 3
Given Name: Shariq
Family Name: Rizvi
City: Mountain View
State: CA

All Inventors Must Be Listed. Additional Inventor Information blocks may be generated within this form by selecting the Add button.
`
Title of Invention

BEHAVIORAL SCANNING OF MOBILE APPLICATIONS

Attorney Docket Number (if applicable)

DASIP006+

Correspondence Address

Direct all correspondence to (select one):

(X) The address corresponding to Customer Number: 21912
( ) Firm or Individual Name
`
`
`
The invention was made by an agency of the United States Government or under a contract with an agency of the United States Government.

(X) No.
( ) Yes, the name of the U.S. Government agency and the Government contract number are:
`
`EFS - Web 1.0.1
`
`IPR2023-01465
`CrowdStrike EX1009 Page 1
`
Doc Code: TR.PROV
`
Entity Status
Applicant claims small entity status under 37 CFR 1.27

( ) Yes, applicant qualifies for small entity status under 37 CFR 1.27
(X) No
`
`
`
Petitioner/applicant is cautioned to avoid submitting personal information in documents filed in a patent application that may contribute to identity theft. Personal information such as social security numbers, bank account numbers, or credit card numbers (other than a check or credit card authorization form PTO-2038 submitted for payment purposes) is never required by the USPTO to support a petition or an application. If this type of personal information is included in documents submitted to the USPTO, petitioners/applicants should consider redacting such personal information from the documents before submitting them to the USPTO. Petitioner/applicant is advised that the record of a patent application is available to the public after publication of the application (unless a non-publication request in compliance with 37 CFR 1.213(a) is made in the application) or issuance of a patent. Furthermore, the record from an abandoned application may also be available to the public if the application is referenced in a published application or an issued patent (see 37 CFR 1.14). Checks and credit card authorization forms PTO-2038 submitted for payment purposes are not retained in the application file and therefore are not publicly available.
`
Signature

Please see 37 CFR 1.4(d) for the form of the signature.

Signature: /Robyn Wagner/
Date (YYYY-MM-DD): 2011-04-27
First Name: Robyn
Last Name: Wagner
Registration Number (if appropriate): 50575
`
This collection of information is required by 37 CFR 1.51. The information is required to obtain or retain a benefit by the public which is to file (and by the USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.11 and 1.14. This collection is estimated to take 8 hours to complete, including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on the amount of time you require to complete this form and/or suggestions for reducing this burden should be sent to the Chief Information Officer, U.S. Patent and Trademark Office, U.S. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. This form can only be used in conjunction with EFS-Web. If this form is mailed to the USPTO, it may cause delays in handling the provisional application.
`
`
`
`EFS - Web 1.0.1
`
`IPR2023-01465
`CrowdStrike EX1009 Page 2
`
`
`
`
Privacy Act Statement

The Privacy Act of 1974 (P.L. 93-579) requires that you be given certain information in connection with your submission of the attached form related to a patent application or patent. Accordingly, pursuant to the requirements of the Act, please be advised that: (1) the general authority for the collection of this information is 35 U.S.C. 2(b)(2); (2) furnishing of the information solicited is voluntary; and (3) the principal purpose for which the information is used by the U.S. Patent and Trademark Office is to process and/or examine your submission related to a patent application or patent. If you do not furnish the requested information, the U.S. Patent and Trademark Office may not be able to process and/or examine your submission, which may result in termination of proceedings or abandonment of the application or expiration of the patent.
`
The information provided by you in this form will be subject to the following routine uses:

1. The information on this form will be treated confidentially to the extent allowed under the Freedom of Information Act (5 U.S.C. 552) and the Privacy Act (5 U.S.C. 552a). Records from this system of records may be disclosed to the Department of Justice to determine whether disclosure of these records is required by the Freedom of Information Act.
2. A record from this system of records may be disclosed, as a routine use, in the course of presenting evidence to a court, magistrate, or administrative tribunal, including disclosures to opposing counsel in the course of settlement negotiations.
3. A record in this system of records may be disclosed, as a routine use, to a Member of Congress submitting a request involving an individual, to whom the record pertains, when the individual has requested assistance from the Member with respect to the subject matter of the record.
4. A record in this system of records may be disclosed, as a routine use, to a contractor of the Agency having need for the information in order to perform a contract. Recipients of information shall be required to comply with the requirements of the Privacy Act of 1974, as amended, pursuant to 5 U.S.C. 552a(m).
5. A record related to an International Application filed under the Patent Cooperation Treaty in this system of records may be disclosed, as a routine use, to the International Bureau of the World Intellectual Property Organization, pursuant to the Patent Cooperation Treaty.
6. A record in this system of records may be disclosed, as a routine use, to another federal agency for purposes of National Security review (35 U.S.C. 181) and for review pursuant to the Atomic Energy Act (42 U.S.C. 218(c)).
7. A record from this system of records may be disclosed, as a routine use, to the Administrator, General Services, or his/her designee, during an inspection of records conducted by GSA as part of that agency's responsibility to recommend improvements in records management practices and programs, under authority of 44 U.S.C. 2904 and 2906. Such disclosure shall be made in accordance with the GSA regulations governing inspection of records for this purpose, and any other relevant (i.e., GSA or Commerce) directive. Such disclosure shall not be used to make determinations about individuals.
8. A record from this system of records may be disclosed, as a routine use, to the public after either publication of the application pursuant to 35 U.S.C. 122(b) or issuance of a patent pursuant to 35 U.S.C. 151. Further, a record may be disclosed, subject to the limitations of 37 CFR 1.14, as a routine use, to the public if the record was filed in an application which became abandoned or in which the proceedings were terminated and which application is referenced by either a published application, an application open to public inspection or an issued patent.
9. A record from this system of records may be disclosed, as a routine use, to a Federal, State, or local law enforcement agency, if the USPTO becomes aware of a violation or potential violation of law or regulation.
`
`IPR2023-01465
`CrowdStrike EX1009 Page 3
`
`
`
`
`PROVISIONAL APPLICATION FOR UNITED STATES PATENT
`
`Attorney Docket No. DASIP006+
`
`BEHAVIORAL SCANNING OF MOBILE APPLICATIONS
`By Inventor(s):
`
`Neilkumar Murli Daswani
`San Jose, CA
`A Citizen of the United States of America
`
`Ameet Ranadive
`San Francisco, CA
`A Citizen of the United States of America
`
Shariq Rizvi
`Mountain View, CA
`A Citizen of India
`
`Assignee:
`
`Dasient, Inc.
`
`VAN PELT, YI & JAMES LLP
`10050 N. Foothill Blvd., Suite 200
`Cupertino, CA 95014
`Telephone (408) 973-2585
`
`IPR2023-01465
`CrowdStrike EX1009 Page 4
`
`
`
`
BEHAVIORAL SCANNING OF MOBILE APPLICATIONS

Most traditional antivirus providers look for malware by looking for signatures within binaries. To the extent that such providers have mobile antivirus products, they work in the same way, using signatures within binaries. Unfortunately, such solutions can be thwarted by an adversary because the adversary can generate many variants of their malware (e.g., in an automated way), run them through the existing antivirus engines, make sure they have generated variants that no engine detects, and then release those into the wild.

Behavioral detection can solve these problems. Instead of (or in addition to) scanning the code of a mobile application, the behavior of the application (and of the phone on which it is running) is examined. Also, by using an emulator, on-device resources such as battery life are preserved.

Mobile applications may be examined as part of their submission to an application marketplace, prior to the application being made available to marketplace end users. This may be done at the request of the marketplace owner (e.g., Apple, Google, or Amazon) and also at the request of a carrier (e.g., AT&T or T-Mobile). The application is examined to determine whether it exhibits any traits that indicate that the application is malicious. Applications admitted to the marketplace can also be periodically re-evaluated to detect malicious behavior that activates at some future point (e.g., where the application is configured to wait 5 uses before engaging in malicious behavior, or is configured to wait a certain amount of time (e.g., 10 days) or until a specific date (e.g., April 1)). Scans can also be performed more regularly on applications that are popular, recently popular, recently uploaded, uploaded by individuals (instead of established companies), or that meet other appropriate criteria. Different depths of scanning can also be performed. For example, the scan can last two minutes, or last several hours (e.g., to detect malicious activities that are configured to occur only after the application has been placed in the background, and/or when the user is presumed to be asleep (e.g., after the screen has been locked for a certain amount of time, or at 4am)).
`
IPR2023-01465
CrowdStrike EX1009 Page 5
`
`
`
In some embodiments the detection is performed using one or more mobile device emulators, such as may be running on (or under the control of) the platform described below.

An emulator can be built from a stock mobile device emulator, and then augmented to form a mobile sandbox in which all of the key APIs that a mobile application might call are hooked. Examples include APIs that are used to access the file system, the contacts in the address book, the SMS text subsystem, the WIFI system, and the telephony system. Another example is detecting when the camera (or microphone) is enabled and disabled.

The sandbox also makes use of a behavior generator that generates actions such as button presses, microphone and speaker volume levels, ringer volume/vibrate settings, and so on. The behavior generator looks at the bytecode for an application and looks at what event handlers it processes, such as keypresses, touches, and swipes.

The mobile analysis tools are used to determine what the application does, and what kinds of events it accepts from a user. That information is used as a guide to generate system events. As one example, if a username and password are solicited in a dialog box, the behavior generator provides a username and password to the dialog box and hits submit. The behavior generator also generates random actions to see how the application responds. Examples include turning the cellular radio on and off, turning the GPS on and off, and simulating a change of location of the device.

As is described in more detail below, a “hard” signal is an indicator that malware is present. A “soft” signal indicates that malware is potentially present and that additional analysis should be performed. An example of a soft signal is that the application is accessing another server by IP address instead of by domain name. An example of a hard signal is whether or not it attempts to gain root access on the device. Another example behavior is the device turning on the camera (or microphone) without turning on a red “recording” indicator light.
`
Many different processing paths in the application are tried to see what behavior the application exhibits. An example process is as follows: The emulator is loaded, a target application (e.g., an APK) is installed into the emulator, and the list of permissions the application declares it will be using is examined. As one example, the application may declare that it requires access to the Internet, to the GPS, and to the address book. As one part of the analysis performed using the techniques described herein, a determination is made as to whether the application attempts to perform actions that are outside the permission list.

IPR2023-01465
CrowdStrike EX1009 Page 6
`
As another example, suppose the application is described (e.g., upon submission to a marketplace) as being a game. The game may legitimately need access to admob to show advertisements and need access to the Akamai content distribution network to show images quickly. A legitimate game should not attempt to access a botmaster IP address. It shouldn’t start iterating through all of the device’s contacts.

After the application is installed and its declared permission uses are logged, the target application is invoked, the action generator starts generating actions, and the behaviors are logged. The logged behavior can be compared to the pre-declared behavior that the developer stated. The logged behavior can also be compared to the behavior of other applications (e.g., already present in the marketplace), and we can look for anomalies. As one example, if 95% of games do not access the device’s address book, the fact that the target application does may be used as a signal (either soft or hard) as applicable.

As another example, the target application may make a network access to upload high scores (something many other game applications do). If the target application turns on the microphone or tries to construct random IP addresses and contact them, that is highly suspicious behavior.

The following is an example process:

1. An emulator is started.
2. An application is installed.
3. The application is run.
4. Initially, the application obtains advertisements from admob and images from Akamai.
5. Later, the application begins accessing a botmaster IP address.
6. Later, the application attempts to gain root access on the device.
`
IPR2023-01465
CrowdStrike EX1009 Page 7
`
`
`
In various embodiments, components included in performing the above process are an emulator, a log of the activities that are happening in the emulator, a log of all the network activity that is happening, and an automatic action generator that generates behaviors for the application. Actions such as accessing the botmaster IP address and attempting to gain root access (surreptitiously) are both examples of hard signals.

In some embodiments, seeded information is included in the emulator, such as a seeded contact book and a seeded GPS location. Part of the behavior that can be evaluated by the platform described herein is attempts to communicate personal information to a remote site (and, in particular, to a hardcoded IP address). Additional examples include attempts to transmit the device ID or IMEI, particularly without presenting a dialog box to the user or otherwise getting the user’s consent prior to transmission.

As is described in more detail below, various thresholds can be used to determine whether something is malicious or not based on factors such as how many soft/hard signals are detected and how they are weighted. If only soft signals are detected (e.g., indicating that whether or not the application is malicious is inconclusive), actions can be taken such as contacting the author of the application and asking that changes be made or that explanations be given as to certain behavior, which can be subsequently audited by another developer.

Applications that are determined to be safe can be signed (e.g., by the marketplace owner), to help ensure that an end user obtains the correct, safe copy of the application. Instead, or in addition, signatures of applications determined to be malicious can also be made (and, e.g., pushed to the carrier, pushed to devices as a warning (e.g., to third party antivirus applications), etc.).

One example of a signal is whether the application attempts to dial a 900 number. Information such as the fraudulent 900 number that was accessed, or any SMS text sent, or any IP addresses that were accessed can be provided to a carrier (or to another entity such as law enforcement).
`
Suppose an end user’s device has installed on it an application that is determined to be malicious at some point in time after the user has installed the application. One action that could be taken to help mitigate the compromise is to remote wipe the device. A less severe (from an end user perspective) response is for the carrier to quarantine the device off the network. The quarantine action can be taken based on detection on the device of the malicious application (e.g., by comparing the signature of the application) and can also be taken based on externally observed actions of the end user’s device, such as the carrier noticing that the end user’s phone accessed a particular 900 number and should be quarantined off from the network. The quarantine may be complete, or may involve a reduction in services, such as by preventing the device from having access to the 3G network, but allowing for basic phone calls (or emergency calls) until such time as a representative of the carrier can follow up with the end user.

IPR2023-01465
CrowdStrike EX1009 Page 8
`
In some embodiments the platform uses techniques to frustrate anti-emulation techniques that may be employed by the malicious application to evade behavior profiling. As one example, the mobile device emulator can be hardened to use device drivers that correspond to the appropriate device drivers for the phone being emulated.

In some cases, a legitimate developer may ask for all permissions to be made available, irrespective of whether they are actually needed by the application or not. The platform described herein can also be used to study the behavior of the application and recommend to the developer which set of permissions the application should be constrained to and/or restrict the application to those permissions automatically.
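Three of the steps described above can be worked through in one place: logging the permissions declared in AndroidManifest.xml, turning hooked-API events into hard and soft signals that are weighted against a threshold, and deriving the narrower permission set the application actually needed. The following is an added example, not code from the provisional application or from Dasient. The API-to-permission table, the event names (including `su.exec` for a root attempt), the weights, the threshold, and the sample manifest and traces are assumptions; the botmaster address and the admob/Akamai hosts in the sample trace are the ones that appear in the capture reproduced later in this document.

```python
"""Declared permissions vs. observed behavior, with weighted hard/soft signals.

Added example; not code from the provisional application or from Dasient.
The API-to-permission table, event names, weights, threshold and the
sample manifest/trace are assumptions chosen for illustration.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hooked API -> Android permission that gates it (simplified; an assumption).
API_PERMISSION = {
    "java.net.Socket.connect": "android.permission.INTERNET",
    "android.location.LocationManager.requestLocationUpdates": "android.permission.ACCESS_FINE_LOCATION",
    "android.provider.ContactsContract.query": "android.permission.READ_CONTACTS",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "android.telephony.TelephonyManager.getDeviceId": "android.permission.READ_PHONE_STATE",
    "android.media.MediaRecorder.start": "android.permission.RECORD_AUDIO",
}

HARD_WEIGHT, SOFT_WEIGHT, MALICIOUS_THRESHOLD = 10.0, 2.0, 10.0   # assumptions


@dataclass(frozen=True)
class Event:
    api: str        # hooked API (or "su.exec" for a root attempt) that fired
    arg: str = ""   # destination host, dialed number, content URI, ...


def declared_permissions(manifest_xml):
    """Permissions listed as <uses-permission android:name="..."/> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(ev, declared, botmasters):
    """Return ('hard' | 'soft' | None, reason) for one observed event."""
    if ev.api == "su.exec":
        return "hard", "attempted to gain root access"
    if ev.api == "java.net.Socket.connect" and ev.arg in botmasters:
        return "hard", f"contacted known botmaster {ev.arg}"
    needed = API_PERMISSION.get(ev.api)
    if needed and needed not in declared:
        return "hard", f"{ev.api} requires {needed}, which was not declared"
    if ev.api == "java.net.Socket.connect" and _is_bare_ip(ev.arg):
        return "soft", f"server accessed by IP address {ev.arg} instead of by name"
    return None, ""


def analyze(manifest_xml, trace, botmasters=frozenset()):
    """Score a sandbox trace against the manifest and derive the permissions actually used."""
    declared = declared_permissions(manifest_xml)
    hard, soft, used = [], [], set()
    for ev in trace:
        if ev.api in API_PERMISSION:
            used.add(API_PERMISSION[ev.api])
        level, reason = classify(ev, declared, botmasters)
        if level == "hard":
            hard.append(reason)
        elif level == "soft":
            soft.append(reason)
    score = HARD_WEIGHT * len(hard) + SOFT_WEIGHT * len(soft)
    if score >= MALICIOUS_THRESHOLD:
        verdict = "malicious"       # alert: at least one hard signal (or many soft ones)
    elif soft:
        verdict = "inconclusive"    # soft signals only: schedule a longer, deeper run
    else:
        verdict = "clean"           # candidate for signing by the marketplace
    return {
        "verdict": verdict, "score": score, "hard": hard, "soft": soft,
        "undeclared": sorted(used - declared),   # needed but never declared
        "unused": sorted(declared - used),       # declared but never needed: recommend dropping
    }


# Constructed sample: a game that declares far more than it uses.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

BENIGN_TRACE = [
    Event("java.net.Socket.connect", "apil.vip.sc9.admob.com"),
    Event("java.net.Socket.connect", "a96-17-109-112.deploy.akamaitechnologies.com"),
]
MALICIOUS_TRACE = BENIGN_TRACE + [
    Event("android.telephony.TelephonyManager.getDeviceId"),   # IMEI read, not declared
    Event("java.net.Socket.connect", "184.105.245.17"),          # botmaster address from the capture
    Event("su.exec"),
]
BOTMASTERS = frozenset({"184.105.245.17"})

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN_TRACE), ("malicious", MALICIOUS_TRACE)):
        print(name, analyze(SAMPLE_MANIFEST, trace, BOTMASTERS))
```

With these weights a single hard signal reaches the threshold on its own and raises an alert; five soft signals do the same, and fewer than that return `inconclusive`, the case the text routes to a longer action-generator run. The `unused` list is the least-privilege recommendation: permissions the manifest declares but no hooked API needed during the run. It is only as good as the coverage of the run, so a permission that is absent from `unused` after a two-minute scan may still be needed by a code path the action generator never reached.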
`
DETECTION APPROACH FOR MOBILE THREATS

• Behavioral: Signature-based approaches will not be able to keep up
• Multi-Threat:
  o User compromise, e.g.
    - Mobile Phishing / Trojans
    - Mobile Drive-by-downloads
    - Unpermissioned Over-The-Air (OTA) Downloads
    - Unexpected Application Behavior (data theft)
`
IPR2023-01465
CrowdStrike EX1009 Page 9
`
`
`
  o Network compromise, e.g.
    - Worms that send SMS or make unpermissioned voice calls (e.g., premium 1-900 numbers)
    - Monitoring for “owned” phones
• Cross Platform
`
`
`IPR2023-01465
`CrowdStrike EX1009 Page 10
`
`
`
`
`
`
`IPR2023-01465
`CrowdStrike EX1009 Page 11
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
MOBILE APP SCANNING: APPROACH

• Threat: Mobile Phishing Detection or Unexpected / Trojan Behavior
• Dynamic Action Generator + Mobile Sandbox
• Wrap key APIs: File system, Contacts, SMS, WiFi, Telephony
• Automated application behavior + detect attempts to break out of sandbox

MOBILE APP SCANNING: PROCESS

• Emulator starts up
`
IPR2023-01465
CrowdStrike EX1009 Page 12
`
`
`
• Target APK installed and declared permissions (e.g., from marketplace and AndroidManifest.xml) logged
• Target application invoked
• Action-generator starts running
• Application behaviors are logged
• Logged behavior is compared to pre-declared behavior
• Signals fire when logged behavior is outside the scope of declared behavior
  o Soft signals result in additional analysis: longer and deeper runs of action-generator
  o Alerts generated for APKs for which hard signals fire
`
MOBILE APP SCANNING: EXAMPLE

Declare network access necessary for ads & images, BUT:

10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 102394 0,nop,wscale 1>
10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 102694 0,nop,wscale 1>
10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 103294 0,nop,wscale 1>
10.0.2.15.51788 > a96-17-109-112.deploy.akamaitechnologies.com.http: F 531:531(0) ack 3660 win 14600
a96-17-109-112.deploy.akamaitechnologies.com.http > 10.0.2.15.51788: . ack 532 win 8760
10.0.2.15.43596 > apil.vip.sc9.admob.com.http: F 512:512(0) ack 274 win 6432
`
IPR2023-01465
CrowdStrike EX1009 Page 13
`
`
`
Undeclared IP 184.105.245.17 is a connection to the botmaster.
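The decision the slide states (network access was declared for ads and images, yet the application connects to an undeclared IP address) can be made mechanically from the capture above. The following is an added example, not code from the provisional application or from Dasient: it parses tcpdump-style records, keeps only the packets leaving the emulator's guest address (10.0.2.15 is the stock Android emulator's default), and sorts each destination into declared domain, undeclared hostname, or bare IP address. The declared-domain list is an assumption; the sample records are copied from the capture above, using 184.105.245.17 throughout, since the three SYNs share one source port and one sequence number and are therefore the same connection to the address the slide names.

```python
"""Audit of the sandbox network log against the destinations the developer declared.

Added example; not code from the provisional application or from Dasient.
Parses tcpdump-style records, keeps the packets that leave the emulator,
and sorts each destination into declared domain, undeclared host or bare IP.
The emulator address, the declared-domain list and the sample records
(copied from the capture on the page) are assumptions.
"""
import ipaddress
import re
from collections import Counter

EMULATOR_IP = "10.0.2.15"   # default guest address of the stock Android emulator
DECLARED_SUFFIXES = ("admob.com", "akamaitechnologies.com")   # ads and images, as declared

# "<host>.<port> > <host>.<port>: <flags> ..." as tcpdump prints it without -n
RECORD_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+):\s*(?P<rest>.*)$")


def split_endpoint(endpoint):
    """'184.105.245.17.http-alt' -> ('184.105.245.17', 'http-alt')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_declared(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def audit_capture(text, suffixes=DECLARED_SUFFIXES, emulator_ip=EMULATOR_IP):
    declared, undeclared_hosts, undeclared_ips = set(), set(), set()
    syns, replied = Counter(), set()
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        src_host, _ = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        if src_host != emulator_ip:
            replied.add(src_host)          # inbound packet: this peer answered
            continue
        if m["rest"].startswith("S "):     # SYN without ACK: a new connection attempt
            syns[(dst_host, dst_port)] += 1
        if is_ip(dst_host):
            undeclared_ips.add(dst_host)
        elif is_declared(dst_host, suffixes):
            declared.add(dst_host)
        else:
            undeclared_hosts.add(dst_host)
    # Several SYNs to a peer that never sent anything back are retransmissions:
    # the application kept retrying a server that did not answer.
    unanswered = {f"{h}:{p}": n for (h, p), n in syns.items() if n > 1 and h not in replied}
    return {
        "declared": sorted(declared),
        "undeclared_hosts": sorted(undeclared_hosts),
        "undeclared_ips": sorted(undeclared_ips),
        "unanswered_syn": unanswered,
    }


# Copied from the capture on the page (184.105.245.17 throughout: same source
# port and initial sequence number each time, so it is one connection attempt).
SAMPLE_CAPTURE = """\
10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 102394 0,nop,wscale 1>
10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 102694 0,nop,wscale 1>
10.0.2.15.43380 > 184.105.245.17.http-alt: S 3118450923:3118450923(0) win 5840 <mss 1460,sackOK,timestamp 103294 0,nop,wscale 1>
10.0.2.15.51788 > a96-17-109-112.deploy.akamaitechnologies.com.http: F 531:531(0) ack 3660 win 14600
a96-17-109-112.deploy.akamaitechnologies.com.http > 10.0.2.15.51788: . ack 532 win 8760
10.0.2.15.43596 > apil.vip.sc9.admob.com.http: F 512:512(0) ack 274 win 6432
"""

if __name__ == "__main__":
    for key, value in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

Besides the undeclared address itself, the capture shows three SYNs from the same source port with the same sequence number and no packet coming back: the application kept retrying a peer that never answered. A scan that stops at the first timeout would miss whatever the application does once that peer does respond, which is one reason a soft signal should trigger a longer run rather than end the analysis.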
`
MONITORING FOR INFECTED MOBILES

• Threat: Monitoring for Infected Mobiles, e.g., Zitmo (Zeus for Mobiles)
• Monitor URLs accessed by devices
• Flag requests to botnet C&C control, fraudulent 1-900 numbers, and/or SMS texts sent to/from devices
• Remediation:
  o Inform user
  o Quarantine network traffic to device / only allow for clean-up
  o Inform network administrators
  o Auto-correlate to determine affected software versions
`
IPR2023-01465
CrowdStrike EX1009 Page 14
`
`
`
DETECTING MALWARE IN MOBILE SITES

In various embodiments, the platform described in more detail below is used to detect malicious behavior in websites or other resources accessed by mobile devices such as smartphones, PDAs, and tablet computers. One example of such malicious behavior that is detectable using the techniques described herein is the initiation of a drive-by download.

One way that a drive-by download can target a mobile device is as follows. A web page is configured to include an exploit that, when loaded by the browser of a mobile device, will crash the browser and take advantage of a vulnerability in how floating point values are processed. As a result of the exploit, shell code can be sent to the mobile device that will result in the browser crashing and an adversary obtaining shell access to the mobile device. Once shell access is obtained, the adversary can issue arbitrary commands such as “ls,” can get the device ID, and can run wget to obtain a malicious file and run it.

In some embodiments, detection engine 206 is configured to use mobile device emulators, to run instrumented mobile browsers, and to observe the results of actions such as the mobile browser loading the malicious page described above. One example of a soft signal in this scenario is the mobile browser crashing. An example of a hard signal in this scenario would be an observation that, after the browser has crashed, the mobile device begins making (or attempting to make) outbound connections to static IP addresses or other destinations that are suspicious.
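The soft-to-hard escalation just described (a crash on its own is inconclusive; a crash followed by outbound connections to static IP addresses is not) depends on correlating two event streams from the emulator, the instrumented browser's crash report and the network log, in time. The following is an added example, not code from the provisional application or from Dasient. The event names, the sixty-second attribution window and the sample timelines are assumptions; the hosts in the samples come from the reserved documentation address range and from example.com.

```python
"""Escalating a browser crash from a soft to a hard signal.

Added example; not code from the provisional application or from Dasient.
Correlates a crash reported by the instrumented mobile browser with the
outbound connections the emulator makes afterwards. Event names, the time
window and the sample timelines are assumptions.
"""
import ipaddress
from dataclasses import dataclass

POST_CRASH_WINDOW = 60.0   # seconds after the crash attributed to it (assumption)


@dataclass(frozen=True)
class Obs:
    t: float          # seconds since the page load began
    kind: str         # "page.load", "browser.crash" or "net.connect"
    detail: str = ""  # URL for page.load, destination host for net.connect


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_page_load(timeline, suspicious_hosts=frozenset()):
    """Return (level, reasons) where level is None, 'soft' or 'hard'."""
    crashes = [o for o in timeline if o.kind == "browser.crash"]
    if not crashes:
        return None, []
    level, reasons = "soft", ["mobile browser crashed while loading the page"]
    for crash in crashes:
        for o in timeline:
            in_window = crash.t <= o.t <= crash.t + POST_CRASH_WINDOW
            if o.kind != "net.connect" or not in_window:
                continue
            # A connection that follows the crash, to a bare IP or a known-bad
            # host, is the shell code (or what it fetched) phoning home.
            if _is_bare_ip(o.detail) or o.detail in suspicious_hosts:
                level = "hard"
                reasons.append(f"post-crash connection to {o.detail} at t={o.t:.1f}s")
    return level, reasons


# Constructed timelines; 198.51.100.0/24 is a reserved documentation range.
DRIVE_BY = [
    Obs(0.0, "page.load", "http://mobile.example.com/promo"),
    Obs(0.4, "net.connect", "mobile.example.com"),     # the page's own host, before the crash
    Obs(2.5, "browser.crash"),
    Obs(4.1, "net.connect", "198.51.100.23"),          # hard-coded address contacted afterwards
]
CRASH_ONLY = [
    Obs(0.0, "page.load", "http://mobile.example.com/broken"),
    Obs(1.0, "browser.crash"),                         # a plain rendering bug looks like this
]
CLEAN = [
    Obs(0.0, "page.load", "http://mobile.example.com/"),
    Obs(0.3, "net.connect", "mobile.example.com"),
]

if __name__ == "__main__":
    for name, timeline in (("drive-by", DRIVE_BY), ("crash-only", CRASH_ONLY), ("clean", CLEAN)):
        print(name, assess_page_load(timeline))
```

The `CRASH_ONLY` timeline is the case that keeps this a soft signal: an ordinary rendering bug crashes the browser just as an exploit does, and only the network activity that follows tells the two apart, which is why the emulator has to keep capturing after the browser process is gone.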
`
In various embodiments, all pages are analyzed using mobile virtual machines and instrumented browser emulators. In other embodiments, only selected pages are evaluated using those modules. As one example, mobile-related scanning can be reserved for customers that pay a premium. As another example, a customer can indicate (without paying an additional fee) that certain pages served by the customer are either specifically designed to be accessed by a mobile device (e.g., http://example.com/mobile or http://mobile.example.com), or are likely to be accessed by a mobile device (e.g., the front page of a bank customer’s website). As yet another example, if, as part of the analysis of a website (described in more detail below), a page of the website is determined to be hosting mobile applications (e.g., APK files) or other mobile-oriented content, the website (or the page) can be flagged for evaluation using the mobile device emulator/browser.

IPR2023-01465
CrowdStrike EX1009 Page 15
`
IPR2023-01465
CrowdStrike EX1009 Page 16
`
`
`
`
`IPR2023-01465
`CrowdStrike EX1009 Page 17
`
`
`
`
`
`
`
`
`
`
MOBILE USER COMPROMISE

• Threat: Mobile user compromise and undesirable behavior can occur simply via browsing
• Example: WebKit Exploit to get shell access on Android phone. Can then do:
  - Mobile drive-by-downloads
  - Keylogging / data theft of all credentials
  - Join a botnet
  - Send email spam
  - Click fraud

MOBILE URL SCANNING

• In some embodiments, the emulators and browsers described below in more detail include the following:
  - Run VMs for mobile emulators (Android, iOS, Symbian, etc.)
  - Run WebKit (e.g., instead of IE)
  - Run plug-ins that correspond to typical hardware deployments
  - Hook “sensitive” API calls (GPS access, contact access, telephony access, etc.)
  - Aggressive detection for pop-ups
• Example Deployment Options
  - On-demand: Via HTTP proxy on devices
  - Pre-scanned: Via crawls done by mobile emulators

EXAMPLE: WEBKIT EXPLOIT ON ANDROID
`
IPR2023-01465
CrowdStrike EX1009 Page 18
`
`
`
• CVE-2010-1807: Arbitrary remote code execution via improper validation of floating-point data
• Affects Android before v2.2, and iOS before 4.0.2
• Description: An input validation issue exists in WebKit's handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of floating point values.
`
`[0001]
`
`Figure 1 illustrates an embodimentof an environmentin which problematic
`
`content such as malwareis detected and remediated. In the example shown,clients such as
`
`clients 104-108 access content served by sites 114-118 via one or more networks represented
`
`herein as a single network cloud 126. For example, a userof client 104 (hereinafter “Alice’’)
`
`regularly accesses site 114, owned by a national newspaper company, to read newsarticles. Site
`
`114 is supported in part by advertising, which is served by a syndicated network of ad servers
`
`120-124. As will be described in more detail below, site 114 has contracted with the operator of
`
`detection and remediation system 102 to detect whethersite 114 is serving problematic content
`
`to clients, to alert an administrator of site 114 if problematic content is found, and also to prevent
`
`any detected problematic content from being propagatedto visitors. Site 116 is owned by a
`
`small retailer and has contracted with the operator of system 102 to detect/report the presence of
`
`problematic content on site 116, but does not use the remediation services provided by system
`
`102. Site 118 is a photograph repository that allows users to share uploaded images with one
`
`another. Site 118 has not contracted with the operator of system 102 to provide any detection or
`
`remediation services.
`
`[0002]
`
`System 102, site 114, and site 118 respectively comprise standard commercially
`
`available server hardware (e.g., having multi-core processors, 4+ Gigabytes of RAM, and
`
`Gigabit network interface adapters), run typical server-class operating systems (e.g., Linux), and
`
`also run Apache HTTPServersoftware. In various embodiments, system 102 is implemented
`
`across a scalable infrastructure comprising multiple such servers, solid state drives, and other
`
`applicable high-performance hardware. Site 116 is a commodity desktop computer and runs
`
`Microsoft Internet Information Services (IIS) software.
`
IPR2023-01465
CrowdStrike EX1009 Page 19
`
`
`
`[0003]
`
`In the example shownin Figure 1, client 106 is a web-enabled cellular phone and
`
`clients 104 and 108 are personal computers. Other examplesof clients that can be used in
`
`conjunction with the techniques described herein include personaldigital assistants, networked
`
`entertainment devices(e.g., televisions, portable video players, and game consoles) and virtually
`
`any other networkable device.
`
`[0004]
`
`Aswill be described in more detail below, system 102 is configured to perform a
`
`variety of analyses on the content served by sites such as site 114, detect suspicious elements
`
`present in that content (or loaded from third party sources when the content is accessed), and
`
`make available instructions that can be used to mitigate such elements, if applicable. As used
`
`herein, “malicious” elements(e.g., ones intentionally includedin site 114 by a nefarious
`
`individual/program) represent a subset of “suspicious” elements. Examples of content that can
`
`be used in conjunction with the techniques described herein include HTMLpages(including
`
`JavaScript), PDF documents, and executables.
`
`[0005]
`
`Whenever system 102 is described as performing a task (such as determining
`
`whether a website includes malicious content), either a singl