Spotting Web threats in the confusion of short-lived hostnames

Here's what you can do to spot malicious sites among the vast number of legitimate hostnames that exist for less than a day on the Web

Researchers have found that the vast number hostnames constantly changing on the Web for legitimate purposes creates a cover for cybercriminals and weakens the effectiveness of security controls.

Out of the 660 million hostnames analyzed by researchers at security vendor Blue Coat, 71 percent, or 470 million, existed for less than a day.

The hostnames were requested over a 90-day period through companies using Blue Coat products for catching Web threats.

Most of the throwaway hostnames belonged to legitimate businesses, such as Google, Amazon and Yahoo, as well as Web optimization companies, blogging platforms and webhosting services.

"Rapidly changing domain names has been around for years. What I think is interesting about the numbers is the scale," Blue Coat researcher Tim van der Horst said Wednesday. "It's much bigger than one would assume."

The constant shifting is camouflage for cybercriminals, Blue Coat found. Of the top 50 parent domains generating short-lived hostnames, roughly 1 in 5 were malicious.

However, the amount of criminal activity was small when compared to the number of hostnames generated by legitimate businesses. The largest malicious parent domain generated only 0.43 percent of the total number of one-day hostnames examined.

A lot of the malicious hostnames were the result of domain generation algorithms (DGAs) used in various families of malware. DGAs create a large number of fake names to hide the real location of the command-and-control server.

Nevertheless, the relatively small number of actual malicious hostnames is significant when one considers how they are being used.

Criminals use the sites for drive-by downloads and hosting exploit kits that download malware to the computers of victims lured to the location through a phishing attack.

Short-term hostnames are also used to hide communications between compromised computers and command-and-control servers.

“Whatever the bad guys want to do, rapidly changing their domain names or having very short-lived domain names helps them avoid detection and correlation between all the attacks they’re doing," van der Horst said.

To avoid malicious hostnames, companies cannot depend on blacklists. Instead, they need intrusion detection/prevention systems and anti-virus software that is constantly fed updated intelligence on the sites.

In addition, the technology has to let users create detailed policies to automate defenses and prioritize incidents.

In order to create granular policy controls, the technology has to be able to assign a risk value on hostnames, based on site popularity, links to other sites, number of other sites hosted on the same IP address and the ratings of those sites.

In addition, there has to be a baseline of transient hostnames that are known to be safe or malicious.

"Detection of an anomaly from that baseline may constitute a potential compromise leading to alerts and other threat mitigation actions," Blue Coat said.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)