After analyzing hundreds of millions of hostnames, researchers have determined that many of them are live only for a 24-hour period, a window in which they can be used for malicious activities.
Over a 90-day period, Blue Coat monitored 660 million unique hostnames requested by 75 million users from all over the world. Of these hostnames, 71% (470 million) only appeared for a single day, which is why they’ve been dubbed by the company as “one-day wonders.”
Most of these “one-day wonders” are legitimate and they’re associated with content delivery networks (CDNs), which use them to provide enhanced user experience, and blogging platforms (Tumblr, Blogspot, WordPress). The list of companies that create such websites includes Google, Yahoo and Amazon. Roughly 36% of them are assigned United States IP addresses, while 8% of them have Chinese IPs, Blue Coat said.
While most of these short-lived websites are used for legitimate activities, researchers found that 22% of the top 50 parent domains that most frequently used “one-day wonders” were malicious. For example, one .info domain used as a command and control (C&C) server for a Trojan dialer had more than 1.3 million subdomains during the 90-day period in which it was observed by Blue Coat.
“Blue Coat security researchers have long observed that malnet operators love to generate large numbers of subdomains on a smaller set of evil domains. These transient sites are a critical component of mass attack support infrastructures. They both ensure additional bots can easily be added to an existing army and give cyber criminals the ability to manage their botnets for a longer period of time, increasing the return on investment for any given attack,” the company noted in its report.
According to experts, short-lived websites can be used to develop dynamic command and control (C&C) architectures that are easy to implement, but difficult to track. In the case of spam campaigns, “one-day wonders” can be used to create unique subdomains for each email to bypass spam and Web filters.
In general, cybercriminals rely on such domains because they’re more difficult to thwart compared to static domains. Furthermore, security solutions can be overwhelmed and chances are that they’ll miss at least some of the many domains.
“By simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organizations are typically blind to the attack, impacting their ability to prevent, detect and respond,” Blue Coat said.
While the use of “one-day wonders” might help cybercriminals, there are certain measures that organizations can take to ensure they’re protected. The recommendations include the use of real-time intelligence for blocking access to malicious short-lived domains, solutions that automate defenses and prioritize incidents, creating a baseline of transient hostnames that can later be used to detect anomalies, and granular policy controls.
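The report's recommendation to baseline transient hostnames, and the pattern described above of a single parent domain spawning huge numbers of short-lived subdomains, can be turned into simple detection logic over DNS query logs. The following is an added example written for this article; it is not Blue Coat's code and does not come from the report. It assumes log lines of the form `YYYY-MM-DD hostname`, uses a constructed sample log, and treats the last two labels of a hostname as its "parent domain" (a simplification; production code should use the Public Suffix List). The thresholds in `suspicious_parents` are illustrative, not values from the report.

```python
"""Baseline of transient hostnames plus per-parent-domain churn detection.

Added example (not from the report). Input: DNS-query log lines of the form
'YYYY-MM-DD hostname'. Output: which hostnames were "one-day wonders" (seen on
exactly one day) and which parent domains generate unusually many of them.
"""
from collections import defaultdict

# Constructed sample log (not real traffic). A CDN and a blog platform both
# emit one-day hostnames, but the made-up .info parent produces a fresh
# subdomain for nearly every request and nothing long-lived.
SAMPLE_LOG = """\
2014-06-01 www.example.com
2014-06-01 a1b2.cdn-example.net
2014-06-01 blog-one.blogs-example.com
2014-06-01 qz81.bad-example.info
2014-06-02 www.example.com
2014-06-02 c3d4.cdn-example.net
2014-06-02 static.cdn-example.net
2014-06-02 blog-one.blogs-example.com
2014-06-02 mm72.bad-example.info
2014-06-02 ty09.bad-example.info
2014-06-03 www.example.com
2014-06-03 e5f6.cdn-example.net
2014-06-03 static.cdn-example.net
2014-06-03 blog-one.blogs-example.com
2014-06-03 blog-two.blogs-example.com
2014-06-03 pp41.bad-example.info
2014-06-03 rr55.bad-example.info
"""


def parent_domain(hostname, labels=2):
    """Group hostnames by their last `labels` labels (assumption: no PSL lookup)."""
    parts = hostname.lower().rstrip(".").split(".")
    return ".".join(parts[-labels:])


def parse_log(text):
    """Yield (day, hostname) from 'YYYY-MM-DD hostname' lines; skip blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host = line.split(None, 1)
        yield day, host.lower()


def build_baseline(records):
    """Map each hostname to the set of days on which it was requested."""
    days_seen = defaultdict(set)
    for day, host in records:
        days_seen[host].add(day)
    return days_seen


def one_day_wonders(days_seen):
    """Hostnames that appeared on exactly one day of the observation window."""
    return {h for h, days in days_seen.items() if len(days) == 1}


def parent_stats(days_seen):
    """Per parent domain: (distinct hostnames, how many were one-day wonders)."""
    wonders = one_day_wonders(days_seen)
    total, transient = defaultdict(int), defaultdict(int)
    for host in days_seen:
        p = parent_domain(host)
        total[p] += 1
        if host in wonders:
            transient[p] += 1
    return {p: (total[p], transient[p]) for p in total}


def suspicious_parents(stats, min_hosts=4, min_ratio=0.9, allowlist=()):
    """Parents churning through many subdomains, nearly all of them short-lived.

    CDNs and blog platforms also produce one-day wonders, so known-good parents
    belong on the allowlist rather than being tuned out by thresholds alone.
    """
    flagged = []
    for p, (n, t) in sorted(stats.items()):
        if p in allowlist or n < min_hosts:
            continue
        if t / n >= min_ratio:
            flagged.append(p)
    return flagged


def never_seen_before(days_seen, new_records, watched_parents):
    """Hostnames in a new batch absent from the baseline and under a flagged
    parent: candidates for blocking or investigation."""
    return [host for _day, host in new_records
            if host not in days_seen and parent_domain(host) in watched_parents]


if __name__ == "__main__":
    baseline = build_baseline(parse_log(SAMPLE_LOG))
    stats = parent_stats(baseline)
    flagged = suspicious_parents(stats)
    print("one-day wonders:", len(one_day_wonders(baseline)), "of", len(baseline))
    for p, (n, t) in sorted(stats.items()):
        print(f"{p:22s} hosts={n:2d} one-day={t:2d}")
    print("flagged parents:", flagged)
    batch = parse_log("2014-06-04 zz99.bad-example.info\n2014-06-04 www.example.com\n")
    print("new hosts under flagged parents:", never_seen_before(baseline, batch, set(flagged)))
```

Run over the sample, the CDN parent has four hostnames of which three are one-day wonders, so it stays below the 0.9 ratio, while the constructed `.info` parent is flagged. Lowering `min_ratio` makes the CDN trip the rule too, which is exactly why the article's "baseline first, then detect anomalies" ordering matters: the baseline tells you which high-churn parents are normal for your users, and those go on the allowlist.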
The complete report, titled “One-Day Wonders: How Malware Hides Among the Internet’s Short-Lived Websites,” is available online.