LAST-MINUTE PAPER: How do I know thee? Let me count the ways...

Nick FitzGerald, AVG

We are all, presumably, familiar with once-per-IP exploit serving, where an exploit page is only served once to any given IP address (usually within some period of time, like 24 hours). I have discovered a new tactic in use in the wild that I have dubbed 'distributed once-per-IP' exploit serving. In a nutshell, many compromised servers, modified to run server-side scripts to inject malicious JavaScript to effect a client-side exploit, poll a separate control server with the IP address of the visiting client, and the control server, not the exploit-serving server, maintains the list of 'recently served' IP addresses. The consequence of this is that very large numbers of compromised servers can now coordinate their serving of malicious client-side JavaScript across the whole pool of such servers.

Aside from being a minor nuisance on a case-by-case basis where a malware analyst may be specifically looking into a given exploit script or compromised server (the normal issue with a once-per-IP serving exploit), this scheme may wreak havoc with crawlers and other kinds of automated sample-gathering processes. There are also clearly significant issues with 'live testing' of real malicious URLs, should any of the URLs under test be served via such distributed once-per-IP schemes. A live demo may be included.
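The sketch below is an added example, not material from the paper: it shows how an analyst could check crawl results for the cross-server suppression the abstract describes, by labelling each clean response according to whether the same vantage IP had recently been served a payload by that host or by a different one. The log format, host names, IP addresses and the 24-hour window are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 24 * 3600  # assumed suppression window in seconds (the abstract cites 24 hours as typical)

# Constructed crawl log: (unix_time, vantage_ip, host, payload_served)
OBSERVATIONS = [
    (0,    "198.51.100.10", "site-a.example", True),
    (600,  "198.51.100.10", "site-b.example", False),
    (700,  "198.51.100.11", "site-b.example", True),
    (1300, "198.51.100.11", "site-a.example", False),
    (1400, "198.51.100.12", "site-c.example", True),
    (2000, "198.51.100.12", "site-c.example", False),
    (2100, "198.51.100.10", "site-c.example", True),
]

def classify_suppressions(observations, window=WINDOW):
    """Label each clean response from a host that serves a payload somewhere in the log."""
    serving_hosts = {host for _, _, host, served in observations if served}
    last_served = defaultdict(dict)  # ip -> {host: time a payload was last served}
    results = []
    for ts, ip, host, served in sorted(observations):
        if served:
            last_served[ip][host] = ts
            continue
        if host not in serving_hosts:
            continue  # host never seen serving, so a clean reply needs no explanation
        recent = {h for h, t in last_served[ip].items() if ts - t <= window}
        if host in recent:
            label = "per-host"      # ordinary once-per-IP serving explains it
        elif recent:
            label = "cross-host"    # consistent with a served-IP list shared between hosts
        else:
            label = "unexplained"
        results.append((ip, host, label, sorted(recent)))
    return results

def linked_hosts(observations, window=WINDOW):
    """Host pairs where a payload from one preceded a clean reply from the other."""
    pairs = set()
    for ip, host, label, recent in classify_suppressions(observations, window):
        if label == "cross-host":
            pairs.update(tuple(sorted((host, other))) for other in recent)
    return pairs

if __name__ == "__main__":
    for row in classify_suppressions(OBSERVATIONS):
        print(row)
    print(linked_hosts(OBSERVATIONS))
```

A "cross-host" label is only consistent with a shared list, since a host can return a clean page for unrelated reasons; repeated observations from fresh vantage IPs are needed before treating two hosts as part of one pool.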

