These so-called "evasive attacks," as labeled by Web security appliance maker and security researcher Finjan in its most recent Web security trends report, are especially sneaky because they infect visitors only once before fading into obscurity.
Here's how evasive attacks work: A malware writer finds a vulnerability in a Web site and infects that site with malware that can deliver a virus or some other malicious payload to unsuspecting site visitors. When someone visits the infected Web site, the malware identifies the visitor by his IP address, browser version, and other data. The infected site does an IP lookup to see if that visitor has already visited the site.
If the visitor is new to the site, the site will deliver its malicious payload. If the visitor has already been to the site -- and has already been infected -- "the site will actually serve the site's real Web pages and traces of the malicious code are hidden," Finjan CTO Yuval Ben-Itzhak told InformationWeek.
The malware restricts access to the malicious code to a single view from each unique IP address. "This can keep security vendors from developing signatures against the malicious code," he added. "It's considered evasive because you see the attack only once."