"Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned last Monday. The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site.
The compromised sites host the malicious code — foregoing the iframe redirect that has increasingly been used by attackers — and serves up the attack to each visitor only once using a random file name each time. The two techniques, along with more traditional code obfuscation, makes the attack difficult to find, said Yuval Ben-Itzhak, chief technology officer for Finjan. "This attack uses three different methods to go undetected by signature-based or URL-based defenses," Ben-Itzhak said. "If you realize that you’ve been infected, and you go and search sites, you will not be able to find the site that infected you."" – Content courtesy of Legitimate sites serving up stealthy attacks