Circumventing Web Malware Detection Through IP Cloaking

When you search the web, you have probably noticed that Google labels certain sites as dangerous because they are infected with Malware. This warning has alerted many users, who now refrain from clicking on such sites.

Malware writers have now developed a new technique: they feed the security systems of intermediaries such as Google with clean pages while serving Malware-infected pages to ordinary users.

Since Google sees and analyses only clean pages, it has no reason to label such Malware-ridden sites as dangerous, and users receive no warning from Google or other security vendors.

This technique and modus operandi is known as Internet Protocol cloaking (IP cloaking), and it has been successful so far. It came to Google's attention, and Google released a report on it titled Trends in Circumventing Web-Malware Detection (PDF).

Google defines IP cloaking as being able to serve benign content to detection systems, but serve malicious content to normal web page visitors. Like many security companies, Google monitors compromised web sites. In 2008 it discovered that those sites had stopped returning malicious results to its monitoring systems, but still served Malware to other site visitors.

The Malware authors had learned the IP addresses hosting the monitoring software and excluded them from Malware delivery, thereby making their sites appear clean. IP cloaking contributes significantly to the overall number of malicious web sites found by security systems.
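The defensive counterpart to the behaviour described above is a differential fetch: retrieve the same page from the monitoring infrastructure and from an address the site has no reason to special-case, then compare the two after stripping content that legitimately varies between requests. The following is an added example, not code from Google's report; the URLs, page bodies and vantage-point labels are constructed.

```python
import hashlib
import re

# Constructed sample: two URLs fetched from two vantage points. "scanner" is a
# fetch from known monitoring infrastructure, "reference" a fetch from an address
# the site has no reason to treat specially. Hosts, paths and bodies are made up.
SAMPLE_OBSERVATIONS = {
    "http://site-a.example/index.html": {
        "scanner":   '<html><!-- served 10:00:01 --><body><p>Welcome</p></body></html>',
        "reference": '<html><!-- served 10:00:09 --><body><p>Welcome</p>'
                     '<script src="/static/k.js"></script></body></html>',
    },
    "http://site-b.example/news": {
        "scanner":   '<html><!-- cache 1 --><body><h1>News</h1><script src="/app.js"></script></body></html>',
        "reference": '<html><!-- cache 2 --><body><h1>News</h1><script src="/app.js"></script></body></html>',
    },
}

# Content that varies between fetches anyway (timestamps, cache ids, whitespace)
# is removed first; without this step every dynamic site would look cloaked.
VOLATILE = [
    (re.compile(r"<!--.*?-->", re.S), ""),  # HTML comments carrying timestamps / cache ids
    (re.compile(r"\s+"), " "),              # whitespace differences
]

def normalize(body: str) -> str:
    for pattern, repl in VOLATILE:
        body = pattern.sub(repl, body)
    return body.strip()

def fingerprint(body: str) -> str:
    return hashlib.sha256(normalize(body).encode()).hexdigest()

def script_sources(body: str) -> set:
    return set(re.findall(r'<script[^>]+src="([^"]+)"', body, re.I))

def compare_vantages(observations: dict) -> dict:
    """Per URL: 'consistent' if every vantage point received the same normalized
    page, else 'possible_cloaking' plus the script sources only the reference saw."""
    verdicts = {}
    for url, views in observations.items():
        if len({fingerprint(b) for b in views.values()}) == 1:
            verdicts[url] = {"verdict": "consistent"}
            continue
        hidden = script_sources(views["reference"]) - script_sources(views["scanner"])
        verdicts[url] = {"verdict": "possible_cloaking",
                         "scripts_hidden_from_scanner": sorted(hidden)}
    return verdicts
```

A divergent verdict is a lead for manual review rather than proof of cloaking, since geolocation, A/B testing and load balancing also produce vantage-dependent content.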

The research also found that cyber criminals generally spend little time on any individual exploit, quickly switching focus to new vulnerabilities in order to stay ahead of detection by law enforcement and security specialists.