Increased security threat from ‘one-day wonder’ websites

By Digital News Asia September 11, 2014

Blue Coat study reveals 470mil websites that exist for less than 24hrs
22% of these ‘one-day wonders’ are used to facilitate cyber-attacks

OVER 70% of Web-based hostnames appear for just 24 hours, according to Blue Coat Systems Inc, which specialises in what it calls ‘business assurance’ technology.

While the majority of these ‘one-day wonders’ are the backbone for how Internet content is shared and delivered, an alarming percentage of these 24-hour websites is used as cover for malicious activity, including communication to infected IT and computer systems, the company said in a statement.

‘Hostnames’ refer to the appended names of a Domain Name System (DNS) domain, separated from the host-specific label by a period (dot). In the latter form, a hostname is also called a domain name, Blue Coat noted.

The new report from the Blue Coat Security Labs, One-Day Wonders: How Malware Hides among the Internet’s Short-Lived Websites, details the nature and activities of these rapidly appearing, and vanishing, destinations on the Web to better understand the security implications of websites that exist for less than 24 hours.

The largest generators of one-day wonders include organisations that have a substantial Internet presence, such as Google, Amazon and Yahoo, as well as Web optimisation companies that help accelerate the delivery of content.

Blue Coat also found that in one case, one of the top 10 most prolific creators of one-day wonders is the most popular pornography website on the Internet.

Of the top 50 parent domains that most frequently used one-day wonders, 22% were malicious. These domains use short-lived sites to facilitate attacks and manage botnets, taking advantage of the site being ‘new and unknown’ to evade security solutions.

A botnet is a network of private computers infected with malicious software, Blue Coat said.

One-day wonders can be used to build dynamic command and control architectures that are scalable, difficult to track and easy to implement. Alternatively, they can be used to create a unique subdomain for each spam email to avoid detection by spam or web filters, the company said.

Mitigating such threats

Increased security threat from ‘one-day wonder’ websites Blue Coat’s country manager for Malaysia Ivan Wen (pic) said that the research findings provide insights that may help Malaysian businesses better protect their information and privacy against Web threats.

“While most one-day wonders are essential to legitimate Internet practices, the sheer volume of them creates the perfect environment for malicious activity.

“The rapid building up and tearing down of new and unknown sites destabilises many existing security controls. Understanding what these sites are and how they are used is key to building a better security posture,” he said.

One-day wonders are particularly popular with cybercriminals because they:

Keep security solutions guessing: Dynamic domains are harder to thwart than static domains.

Overwhelm security solutions: Generating a high volume of domains increases the chances that some percentage will be missed by security controls.

Hide from security solutions: By simply combining one-day wonders with encryption and running incoming malware and/ or outgoing data theft over SSL (Secure Socket Layer), organisations are typically blind to the attack, impacting their ability to prevent, detect and respond.

As organisations continue to fight ongoing battles against cyber-attacks, they can fortify their security posture:

Security controls must be informed by automated, real-time intelligence that can identify and assign risk levels to these one-day wonders. Static or slow-moving defenses do not suffice to protect users and corporate data.

Policy-based security controls must be able to act on real-time intelligence to block malicious attacks.

“Today, botnet infections are becoming a common move that leads to more potent threats on networks,” said Wen.

“With a large number of subdomains generated on single domain, these transient sites allow cybercriminals to manage their botnets for a longer period of time to increase the damage that can be possibly caused their attacks.

“It is crucial for local companies to adopt new Web security approaches that can see all the way through the short-lived links and nodes of the malware delivery network to protect users from continuously evolving cyber-attacks,” he added.

Blue Coat researchers analysed more than 660 million unique hostnames requested by 75 million global users over a 90-day period. They found that 71% of the hostnames, or 470 million, were ‘one day wonders.’