One-time infector web pages thwart anti-virus
Anti-malware vendor Finjan analyses a serious new development in attacks using malicious web pages in their second-quarter 2007 Web Security Trends Report. Termed "evasive attacks" by Finjan, these keep track of the IP addresses of visiting hosts and present the attack code only once to each victim. Subsequent requests return visually identical pages that do not include the malware. In general, this means that after the victim's machine has been infected, little if any trace of the vector will remain.
This is a significant evolutionary step that can thwart conventional signature-based anti-virus protection by making it extremely difficult to identify and analyse the malicious code, and therefore to create a signature.
Infector sites may often be legitimate and trusted web sites which have been compromised by injection of malicious links or by hosting banner ads that point to malicious code. Finjan comment: "Malicious code distribution is evolving into a financially rewarding operation, and as such has introduced new attack vectors. ... Strong financial incentives, based on pay per infection models, are fueling the fire." As a result the concept of trust is eroded, making it difficult to know what is safe. Users are advised to browse all but their most frequently visited and trusted web sites with active scripting turned off.
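The serve-once behaviour described above leaves one observable on the defender's side: a URL whose first response to each address differs from the response every repeat visit receives. The following is an added example, not code from Finjan or its report, that looks for that pattern in proxy records. The record layout, addresses, URLs and hash values are constructed, and it assumes each logged client reaches the site from a distinct address, since the tracking is per IP address.

```python
from collections import defaultdict

# Constructed records in arrival order (assumed layout, not a real proxy format):
# (client address as seen by the site, URL, hash of the response body)
LOG = [
    ("192.0.2.5",    "http://news.example/index.html",   "aa11"),
    ("192.0.2.5",    "http://news.example/index.html",   "bb22"),
    ("198.51.100.9", "http://news.example/index.html",   "aa11"),
    ("198.51.100.9", "http://news.example/index.html",   "bb22"),
    ("198.51.100.9", "http://news.example/index.html",   "bb22"),
    ("192.0.2.5",    "http://static.example/about.html", "cc33"),
    ("192.0.2.5",    "http://static.example/about.html", "cc33"),
    ("198.51.100.9", "http://static.example/about.html", "cc33"),
    ("192.0.2.5",    "http://ticker.example/live",       "d1"),
    ("192.0.2.5",    "http://ticker.example/live",       "d2"),
    ("192.0.2.5",    "http://ticker.example/live",       "d3"),
]


def serve_once_suspects(records, min_clients=2):
    """Return URLs whose first response per client differs from a stable repeat response."""
    per_client = defaultdict(list)      # (url, client) -> body hashes in arrival order
    for client, url, body_hash in records:
        per_client[(url, client)].append(body_hash)

    first_only = defaultdict(set)       # url -> clients whose first response never recurred
    repeats = defaultdict(set)          # url -> distinct hashes seen on repeat visits
    for (url, client), hashes in per_client.items():
        if len(hashes) < 2:
            continue                    # a single visit says nothing about repeat behaviour
        first, later = hashes[0], set(hashes[1:])
        repeats[url] |= later
        if first not in later:
            first_only[url].add(client)

    # Require several clients and one stable repeat page, so content that
    # changes on every request (the ticker above) is not reported.
    return sorted(
        url for url, clients in first_only.items()
        if len(clients) >= min_clients and len(repeats[url]) == 1
    )


if __name__ == "__main__":
    for url in serve_once_suspects(LOG):
        print("first-visit response differs from repeat visits:", url)
```

A match is a lead for manual review rather than a verdict, because benign pages that show a one-time notice on first visit produce the same pattern.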