There was a very interesting article posted on the Securiteam blog which talks about anonimizing code injection attacks. The approach is quite simple and yet rather ingenious, simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. And within a short period of time Googlebot will dutifuly trying to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for exploit to be triggered.
However, everybody seemed to have focus on Google, which maybe a bit unfair to them since other search engines suffer the same kind of problems. For example if we take MSN (Microsoft's Search) and run the "inurl:cmd.gif" query that SecuriTeam folks used to test Google, we find a fair number of results. Which tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks.
But there are other ways too. For example an attack could post an anonymous message on a blog or a forum with an image embedded into where the image url is not an image but rather a URL vulnerable site with embed payload. Which means that when other people read their message their browsers in most cases will make requests to the given URL thus triggering the attack. This is hardly new though, this scam has been used for ages to inflate hit counter stats, etc... Another vector of attack could be to use application that retrieve content from a URL automatically, such as the w3c validator, that will instantly make a request to any given URL and more over return you the resulting HTML at the time obscuring the actual attacker's IP address.
It be interesting to know what other sites allow this kind of behavior where a user supplied URL is instantly retrieved hiding the original user's IP.