Study shows how attackers make use of websites existing for less than 24 hours

"One-Day Wonders," or websites that exist for less than 24 hours, are used by attackers to avoid detection.

Researchers with Blue Coat Security Labs analyzed 660 million unique hostnames requested by 75 million worldwide users throughout a 90-day span and learned that 470 million, or 71 percent, only existed within a 24-hour period – something the security company refers to as a “One-Day Wonder” in a new study.

Content delivery networks, web performance optimization and blogging are the major drivers of One-Day Wonders, Tim van der Horst, senior threat researcher for Blue Coat Systems, said in a Tuesday email.

However, One-Day Wonders also serve more malicious purposes.

Looking at the top 50 parent domains that produced One-Day Wonders, researchers observed that 22 percent were malicious, meaning they could have been used in attacks, to manage botnets, or to elude spam and web filters, the report indicates.

The parent domain ranked 12th, a .info domain, is a command-and-control server for a Trojan dialer; it had more than 1.3 million subdomains over the 90-day span. “It's another way of saying that this is communication from bots to their command-and-control infrastructure,” van der Horst said.

One of the primary reasons One-Day Wonders are so popular with attackers is that dynamic domains are more difficult to block than static domains, according to the report.

“Static domains can be thwarted with a simple blacklist; dynamic domains can rotate so frequently that the update cycle of the blacklist cannot keep up,” van der Horst said. “In the extreme case, domains are one-time use so adding them after the fact to a blacklist is futile.”

Attackers additionally use One-Day Wonders to avoid detection, either by amassing a high number of domains in the hope that some will be missed, or by using encryption and sending incoming malware and outgoing data theft over SSL, the report indicates.

Applying real-time intelligence may be one way to mitigate the threat posed by One-Day Wonders.

“Real-time modules can evaluate potential threats at request-time, rather than waiting for a static database update or after-the-fact report,” van der Horst said. “Since One-Day Wonders are so ephemeral, the latency involved in the non-real-time detections significantly limits their effectiveness.”
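As an added example (not from the Blue Coat study or this article), the defender-side logic the points above describe: measuring each hostname's observed lifetime in proxy logs, counting how many ephemeral hostnames each parent domain spawns, and applying that verdict at request time rather than waiting for a blacklist update. The log lines, domain names and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "ISO-timestamp hostname" (not real data).
SAMPLE_LOG = """\
2014-06-01T08:00:00 www.example.com
2014-06-01T08:05:00 a1b2c3.cdn-example.net
2014-06-01T09:10:00 9f8e7d.bot-c2-example.info
2014-06-01T09:12:00 3c4d5e.bot-c2-example.info
2014-06-01T21:30:00 a1b2c3.cdn-example.net
2014-06-02T09:15:00 7a7b7c.bot-c2-example.info
2014-06-02T09:20:00 0d0e0f.bot-c2-example.info
2014-06-03T08:00:00 www.example.com
2014-06-03T09:00:00 1a2b3c.bot-c2-example.info
"""

def parent_domain(host):
    """Registrable parent = last two labels (assumption: no public-suffix list)."""
    return ".".join(host.rsplit(".", 2)[-2:])

def hostname_lifetimes(log):
    """Map each hostname to its (first-seen, last-seen) timestamps."""
    seen = {}
    for line in log.splitlines():
        ts, host = line.split()
        t = datetime.fromisoformat(ts)
        first, last = seen.get(host, (t, t))
        seen[host] = (min(first, t), max(last, t))
    return seen

def one_day_wonders(log, window=timedelta(hours=24)):
    """Hostnames whose whole observed life fits inside one window."""
    return {h for h, (f, l) in hostname_lifetimes(log).items() if l - f < window}

def churn_by_parent(log):
    """Per parent domain: (unique hosts, one-day-wonder hosts, wonder ratio)."""
    wonders = one_day_wonders(log)
    hosts = defaultdict(set)
    for h in hostname_lifetimes(log):
        hosts[parent_domain(h)].add(h)
    return {p: (len(hs), len(hs & wonders), len(hs & wonders) / len(hs))
            for p, hs in hosts.items()}

def suspicious_parents(log, min_hosts=3, min_ratio=0.9):
    """Parents spawning many hosts that are nearly all ephemeral (thresholds assumed)."""
    return sorted(p for p, (n, w, r) in churn_by_parent(log).items()
                  if n >= min_hosts and r >= min_ratio)

def request_time_verdict(host, log):
    """Request-time policy: judge a never-seen host by its parent's churn, not a blacklist."""
    return "block" if parent_domain(host) in suspicious_parents(log) else "allow"
```

A CDN-style host that lives one day but has no churning siblings is left alone; only a parent with many short-lived subdomains trips the policy.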

Granular policy controls could be another answer.

“Sophisticated proxies and other network-based defenses can apply fine-grained rules ('policy') to help protect the systems connected to the network,” van der Horst said. “As the security posture of organizations can vary widely, policy allows for tuning based on specific needs rather than relying on a one-size-fits-all solution.”
