Hackers whose malicious code is hosted on websites are using increasingly sophisticated techniques to avoid the code being detected.
Once hackers have subverted a website, it is in their interests to minimise the malicious code's window of exposure to help prevent detection and subsequent blocking by security software and browser filters, according to a research paper produced by Finjan, the web security vendor.
Finjan reports an increasing trend for "evasive" web attacks, which keep track of visitors' IP addresses. Attack toolkits restrict access to a single-page view from each unique IP address. The second time an IP address tries to access the malicious page, a benign page is displayed in its place.
Evasive attacks can also identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, and reply to these engines with legitimate content such as news. The malicious code on the host website accesses a database of IP addresses to determine whether to serve up malware or legitimate content.
"URL filtering, reputation services and even search engines might mistakenly classify these sites as legitimate," said Finjan's report. "This minimises the exposure of the malicious code to forensic analysis or security research, as there is just one opportunity for a visitor to actually see the code."