Malware authors are increasingly using a technique known as IP cloaking to trick security programmes into allowing users to be infected by their malicious software.
This is one of the findings of a new report, Trends in Circumventing Web-Malware Detection, from search engine giant Google.
Google defines IP cloaking as being able to "...serve benign content to detection systems, but serve malicious content to normal web page visitors".
Like many security companies, Google monitors compromised web sites. In 2008 it discovered that those sites had stopped returning malicious results to its monitoring systems, but still served malware to other site visitors.
The malware authors had learned the IP addresses hosting the monitoring software, and so excluded them from their malware dissemination practice, thereby making their sites appear clean.
The report's authors explained:
"In our operational practice, we continuously monitor compromised web sites and the malicious resources they include.
"In 2008, we discovered that some malware domains no longer returned malicious payloads to our system but still did so to users.
"As a result, we developed detection for cloaking. At the time of writing, IP cloaking contributes significantly to the overall number of malicious web sites found by our system."
The research also found that cyber criminals generally spend little time on any individual exploit, quickly switching focus to new vulnerabilities in order to stay ahead of detection by law enforcement and security specialists.
"Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection," wrote Lucas Ballard and Niels Provos, of Google's Security Team in a blog.
The report was written by Google security experts Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos and Ludwig Schmidt.