Nick FitzGerald, AVG
We are all, presumably, familiar with once-per-IP exploit serving, where an exploit page is only served once to any given IP address (usually within some period of time, like 24 hours). I have discovered a new tactic in use in the wild that I have dubbed 'distributed once-per-IP' exploit serving. In a nutshell, many compromised servers are modified to run server-side scripts that inject malicious JavaScript to effect a client-side exploit. Each of these servers polls a separate control server with the IP address of the visiting client, and the control server, not the exploit-serving server, maintains the list of 'recently served' IP addresses. As a consequence, very large numbers of compromised servers can now coordinate their serving of malicious client-side JavaScript across the whole pool of such servers.
Aside from being a minor nuisance on a case-by-case basis where a malware analyst may be specifically looking into a given exploit script or compromised server (the normal issue with a once-per-IP serving exploit), this scheme may wreak havoc with crawlers and other kinds of automated sample-gathering processes. There are also clearly significant issues with 'live testing' of real malicious URLs, should any of the URLs under test be served via such distributed once-per-IP schemes. A live demo may be included.
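For crawler operators, the cross-server coordination described above leaves a recognisable pattern in fetch results: a host known to serve the exploit stays clean for an egress IP that a different host has just served. The sketch below is an added example, not part of the original abstract; the log format, host names, IP addresses and function names are constructed for illustration, and the 24-hour window is an assumption taken from the typical period mentioned above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed suppression window ("like 24 hours")

# Constructed crawl records: (fetch time, crawler egress IP, host, exploit script served?)
CRAWL_LOG = [
    ("2024-01-01T00:00", "198.51.100.7", "site-a.example", True),
    ("2024-01-01T00:05", "198.51.100.7", "site-b.example", False),
    ("2024-01-01T00:10", "198.51.100.7", "site-c.example", False),
    ("2024-01-01T00:20", "203.0.113.9", "site-b.example", True),
    ("2024-01-01T00:25", "203.0.113.9", "site-a.example", False),
    ("2024-01-01T00:30", "203.0.113.9", "site-d.example", False),
    ("2024-01-01T00:40", "192.0.2.55", "site-d.example", False),
    ("2024-01-01T00:50", "198.51.100.7", "site-a.example", False),  # plain per-host repeat
]

def cross_host_suppression(log, window=WINDOW):
    """Return {(serving_host, silent_host): [egress IPs]} for fetches where a host
    known to serve the exploit stayed clean for an IP another host had just served."""
    rows = sorted((datetime.fromisoformat(t), ip, host, bad) for t, ip, host, bad in log)
    known_bad = {host for _, _, host, bad in rows if bad}
    last_served = {}         # ip -> (time, host) of the most recent exploit delivery
    seen = defaultdict(set)  # ip -> hosts already fetched (rules out per-host once-per-IP)
    evidence = defaultdict(list)
    for when, ip, host, bad in rows:
        if bad:
            last_served[ip] = (when, host)
        elif host in known_bad and host not in seen[ip] and ip in last_served:
            served_at, server = last_served[ip]
            if server != host and when - served_at <= window:
                evidence[(server, host)].append(ip)
        seen[ip].add(host)
    return dict(evidence)

def candidate_pools(evidence):
    """Merge linked hosts into groups that appear to share one served-IP list."""
    pools = []
    for pair in evidence:
        linked = [p for p in pools if p & set(pair)]
        merged = set(pair).union(*linked)
        pools = [p for p in pools if p not in linked] + [merged]
    return pools
```

A clean response can have other causes (cleanup, geofencing, user-agent checks), so a flagged pair is a lead for re-crawling from a fresh egress IP rather than proof of a shared control server.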