Incident Response, TDR

Study shows how attackers make use of websites existing for less than 24 hours

Researchers with Blue Coat Security Labs analyzed 660 million unique hostnames requested by 75 million worldwide users throughout a 90-day span and learned that 470 million, or 71 percent, only existed within a 24-hour period – something the security company refers to as a “One-Day Wonder” in a new study.

Content delivery networks, web performance optimization and blogging are major drivers of One-Day Wonders, Tim van der Horst, senior threat researcher for Blue Coat Systems, told in a Tuesday email correspondence.

However, One-Day Wonders also serve more malicious purposes.

Looking at the top 50 parent domains that produced One-Day Wonders, researchers observed that 22 percent were malicious, meaning they could have been used in attacks, to manage botnets, or to elude spam and web filters, the report indicates.

The number 12 parent domain, a .info domain, is a command-and-control server for a Trojan dialer that had more than 1.3 million subdomains over the 90-day span. “It's another way of saying that this is communication from bots to their command-and-control infrastructure,” van der Horst said.

One of the primary reasons One-Day Wonders are so popular with attackers is because dynamic domains are more challenging to deter than static domains, according to the report.

“Static domains can be thwarted with a simple blacklist; dynamic domains can rotate so frequently that the update cycle of the blacklist cannot keep up,” van der Horst said. “In the extreme case, domains are one-time use so adding them after the fact to a blacklist is futile.”

Attackers additionally use One-Day Wonders to avoid detection, either by amassing a high number of domains in the hope that some will be missed, or by using encryption and sending incoming malware and outgoing data theft over SSL, the report indicates.

Applying real-time intelligence may be one way to mitigate the threat posed by One-Day Wonders.

“Real-time modules can evaluate potential threats at request-time, rather than waiting for a static database update or after-the-fact report,” van der Horst said. “Since One-Day Wonders are so ephemeral, the latency involved in the non-real-time detections significantly limits their effectiveness.”

Granular policy controls could be another answer.

“Sophisticated proxies and other network-based defenses can apply fine-grained rules (“policy”) to help protect the systems connected to the network,” van der Horst said. “As the security posture of organizations can vary widely, policy allows for tuning based on specific needs rather than relying on a one-sized fits all solution.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.