A new Google technical report, Trends in Circumventing Web-Malware Detection documents that it has become difficult to identify malicious Web sites as antivirus software is becoming less effective against them. The researchers analyzed four years' worth of data from 160 million Web pages using its Safe Browsing service, which warns users when they attempt to visit a site thought to have malware. Attackers have developed evasion techniques to avoid having their sites flagged as malicious. ACM TechNews notes that
"One of the ways hackers get around virtual machine-based detection is to require the victim to perform a mouse click, which triggers the site to automatically execute an attack. Browser emulators can malfunction when the malicious code is scrambled. A new, more complex JavaScript code is designed to stop emulated browsers and make manual analysis of the code more difficult, according to the Google engineers. Google also has come across IP cloaking, where a malicious Web site will refuse to serve harmful content to specific IP ranges, especially those used by security researchers. In August 2009, Google found that about 200,000 sites were using IP cloaking."
See also an article on NetworkWorld.