Study shows “one-day” websites used to facilitate cyber-attacks


KUALA LUMPUR (Sept 03): A new study has found that over 70% of Web-based hostnames appeared for just 24 hours, and a majority of these ‘one-day wonders’ were the backbone used as cover for malicious activity.

In a statement Wednesday, business assurance technology provider Blue Coat Systems Inc said the 24-hour websites were used, among other purposes, for the communication that infects IT and computer systems.

In a new report entitled “One-day wonders: how malware hides among the Internet’s short-lived websites”, Blue Coat Security Labs detailed the nature and activities of these rapidly appearing and vanishing destinations on the Web, to better understand the security implications of websites that exist for less than 24 hours.

It said the largest generators of One-Day Wonders included organizations that had a substantial Internet presence, such as Google, Amazon and Yahoo, as well as Web optimisation companies that help accelerate the delivery of content.

Blue Coat said it also found that one of the Top 10 most prolific creators of One-Day Wonders is the most popular pornography website on the Internet.

“Of the top 50 parent domains that most frequently used One-Day Wonders, 22% were malicious.

“These domains use short-lived sites to facilitate attacks and manage botnets (a botnet is a network of private computers infected with malicious software), taking advantage of the site being “new and unknown” to evade security solutions,” it said.

Blue Coat said that for example, One-Day Wonders could be used to build dynamic command and control architectures that are scalable, difficult to track and easy to implement.

Alternatively, they could be used to create a unique subdomain for each spam email, to avoid detection by spam or web filters, it said.

Blue Coat’s country manager for Malaysia Ivan Wen highlighted that the research findings provide insights that may help Malaysian businesses better protect their information and privacy against Web threats.

“While most One-Day Wonders are essential to legitimate Internet practices, the sheer volume of them creates the perfect environment for malicious activity.

“The rapid building up and tearing down of new and unknown sites destabilizes many existing security controls. Understanding what these sites are and how they are used is a key to building a better security posture,” said Wen.

Blue Coat said One-Day Wonders were particularly popular with cyber criminals because they:

1. Keep security solutions guessing: Dynamic domains are harder to thwart than static domains.

2. Overwhelm security solutions: Generating a high volume of domains increases the chances that some percentage will be missed by security controls.

3. Hide from security solutions: By simply combining One-Day Wonders with encryption and running incoming malware and/or outgoing data theft over SSL, organizations are typically blind to the attack, impacting their ability to prevent, detect and respond.

Wen said that at present, botnet infections were becoming a common first step that leads to more potent threats on networks.

“With a large number of subdomains generated on a single domain, these transient sites allow cyber criminals to manage their botnets for a longer period of time, to increase the damage that can possibly be caused by their attacks.”

“It is crucial for local companies to adopt new Web security approaches that can see all the way through the short-lived links and nodes of the malware delivery network, to protect users from continuously evolving cyber-attacks,” said Wen.

Wen added that Blue Coat researchers analysed more than 660 million unique hostnames, requested by 75 million global users, over a 90-day period.

They found that 71% of the hostnames, or 470 million, were “One-Day Wonders”, sites that appeared only for a single day, said Wen.
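As an added illustration, not code from Blue Coat's report or the article, the measurement described above can be reproduced by a defender on their own proxy or DNS logs: group requests by hostname, measure each hostname's observed lifetime, flag hostnames that live inside a single 24-hour window, and rank parent domains by how many such subdomains they generate. The log format, the domain names and the two-label parent-domain rule are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed proxy-log excerpt ("timestamp hostname"); not real traffic.
SAMPLE_LOG = """\
2014-06-01T08:00:00 www.news.example
2014-06-01T08:05:00 k3j9x.mail.spamdom.example
2014-06-01T08:06:00 q7w2e.mail.spamdom.example
2014-06-01T08:07:00 z1c4v.mail.spamdom.example
2014-06-01T10:00:00 cache-01.cdn.example
2014-06-02T08:30:00 www.news.example
2014-06-03T09:00:00 cache-01.cdn.example
2014-06-03T11:00:00 b5n6m.mail.spamdom.example
2014-06-04T12:00:00 www.news.example
"""

ONE_DAY = timedelta(hours=24)

def parse_log(text):
    """Yield (timestamp, hostname) pairs from the two-column log format above."""
    for line in text.splitlines():
        if line.strip():
            ts, host = line.split()
            yield datetime.fromisoformat(ts), host.lower()

def hostname_lifetimes(records):
    """Map each hostname to (first_seen, last_seen) over the observation period."""
    seen = {}
    for ts, host in records:
        first, last = seen.get(host, (ts, ts))
        seen[host] = (min(first, ts), max(last, ts))
    return seen

def parent_domain(host, labels=2):
    # Simplification (assumption): the parent domain is the last two labels.
    # A production check would use the Public Suffix List (e.g. for co.uk).
    return ".".join(host.split(".")[-labels:])

def one_day_wonders(lifetimes, window=ONE_DAY):
    """Hostnames whose whole observed lifetime fits inside one 24-hour window."""
    return {h for h, (first, last) in lifetimes.items() if last - first < window}

def report(text):
    """Share of one-day wonders and the parent domains generating the most of them."""
    lifetimes = hostname_lifetimes(parse_log(text))
    wonders = one_day_wonders(lifetimes)
    by_parent = Counter(parent_domain(h) for h in wonders)
    return {"hosts": len(lifetimes), "one_day": len(wonders),
            "share": len(wonders) / len(lifetimes),
            "top_parents": by_parent.most_common(3)}
```

On the sample, four of six hostnames are one-day wonders and all four hang off the same parent domain, which is the kind of concentration worth alerting on even before any of the subdomains is known to be malicious.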