Hackers use evasive manuevering to escape detection

Security firm Finjan has released a report warning of malicious Web sites that restrict user access to avoid detection.
Written by Tom Espiner, Contributor
Hackers trying to host malicious code on otherwise innocent websites are using increasingly sophisticated techniques to avoid detection.

Once hackers have subverted a Web site, it is in their interests to minimize the malicious code's window of exposure to help prevent detection and subsequent blocking by security software, according to a research paper produced by Finjan, the web security vendor.

Finjan reports an increasing trend for "evasive" web attacks, which keep track of visitors' IP addresses. Attack toolkits restrict access to a single-page view from each unique IP address. The second time an IP address tries to access the malicious page, a benign page is displayed in its place.

Evasive attacks can also identify the IP addresses of crawlers used by URL filtering, reputation services and search engines, and reply to these engines with legitimate content such as news. The malicious code on the host website accesses a database of IP addresses to determine whether to serve up malware or legitimate content.

"URL filtering, reputation services and even search engines might mistakenly classify these sites as legitimate," said Finjan's report. "This minimizes the exposure of the malicious code to forensic analysis or security research, as there is just one opportunity for a visitor to actually see the code."

Editorial standards