Sergey Nivens - Fotolia
What are "one-day wonder" websites and why do they cause such a security concern? Is there anything that can be done at the enterprise level to protect against them?
The term "one-day wonders" was recently used by Blue Coat Systems Inc. to describe a phenomenon its researchers discovered in a recent study of the Internet. Over a 90-day period, Blue Coat looked at more than 660 million unique hostnames requested by 75 million global users. What came as a surprise was that 71% -- about 470 million hostnames -- persisted for less than 24 hours. Dubbed by Blue Coat, these sites came and went within a day. This presents antimalware services with a huge challenge of trying to determine whether these new, unknown and transient sites are benign, or should be blocked as dangerous.
Most one-day wonders are legitimate and are a byproduct of processes used to help accelerate the delivery of content. A large percentage is created by the likes of Google, Amazon and Yahoo, as well as companies that make use of Content Delivery Networks (CDNs). It appears these CDNs use several levels of unique subdomains to keep track of content in the CDN. This could be to identify a particular user, session or request, but once that user/session/request is finished, the subdomain isn't used again. Blogging sites such as Blogspot, Tumblr and Wordpress also add to the proliferation of one-day wonders.
Although these sites don't pose any security threat, their sheer volume provides ideal cover for malicious activity -- 22% of the top 50 parent domains most frequently creating one-day wonders were malicious. Not only can hackers take advantage of the site being new and unknown to evade spam and Web filters, but transient sites are a critical component of attack support infrastructures. One .info domain, for example, was a command-and-control server for a Trojan dialer that over the 90-day analysis period spawned more than 1.3 million sub-domains. Another 10 similar parent domains were identified as being part of command-and-control infrastructures.
Given the dynamic nature of malicious one-day wonders, a static or infrequently updated blacklist of known malicious sites will not be sufficient to protect a network's users. Automated, real-time intelligence updates that identify and assign risk levels to one-day wonders should be used to update the filters on policy-based security controls, blocking access to sites that are rated dangerous. Enterprises will probably need a feed from a third-party threat intelligence provider as they have the ability to collate and analyze vast amounts of traffic from across the Internet and put these transient hostnames into context and identify how they are being used.
Ask the Expert:
Have a question about application security? Send it via email today. (All questions are anonymous.)
Get help defending against Web-based malware
Dig Deeper on Web browser security
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading