Topic: Servers

Google: Microsoft IIS 'twice as often' serving malware

Summary: Research from Google's new anti-malware team suggests that Microsoft's IIS server features "twice as often" as a server firing drive-by malware downloads.

By Ryan Naraine for Zero Day | June 5, 2007 -- 21:40 GMT (14:40 PDT)

Follow @ryanaraine

Researchers in Google's new anti-malware team found that Microsoft's IIS (Internet Information Services) server software was being used to launch drive-by malware downloads more than any other server type.

The statistics come from a Google examination of 70,000 domains that have been either distributing malware or have been responsible for hosting browser exploits.

"Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server," says Google malware researcher Nagendra Modadugu.

Web server software distribution across malicious servers.

Microsoft IIS and the open-source Apache server account for about 90 percent of all server software distribution across the Internet but the Google numbers show these are the two servers serving up almost all (98%) of all malware.Modadugu makes it clear that not all of these dirty servers were hijacked by attackers, stressing that it is very likely that some servers are configured to serve up exploits by malware authors.

Modadugu also offers a glimpse into the geographic location of these malicious servers, highlighting the fact that a lot of dirty IIS servers are in places that are known to be hotbeds for software piracy (China and South Korea). Because Microsoft does not offer security patches for some pirated software, these servers are more likely to be vulnerable to a remote compromise/takeover.

See Modadugu's blog entry for a deeper look at the numbers. Techmeme discussion.

Topics: Servers, Google, Malware, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

76 comments

Log in or register to join the discussion

Why would this be a surprise?

The vast majority of malware on the internet is targeting the porous security model of Microsoft Windows products. So why wouldn't it follow that the majority of servers dishing up the dirt would also be running IIS?

Chad_z
6 June, 2007 05:28

Reply Vote
- Learning to understand data.
  
  Here is a free lesson for you. Only in China and South Korea does the number of IIS servers serving up malware exceed the number of Apache servers serving up malware. In the U.S., Russia and German Apache servers are the leaders in serving up malware.
  
  One possible conclusion is that in S. Korea and China where piracy runs rampant the IIS servers are not fully patched and there for more likely targets for malware. In countries where piracy is less prevelent and IIS is more likely to be patched then the servers are less likely to host malware.
  
  That being said a patched IIS server is safer then Apache. There is your suprise oh logicless one!
  
  ShadeTree
  6 June, 2007 06:25
  
  Reply Vote
  - Twice as many Apache Servers in the US
    
    Perhaps there are more Apache servers serving up malware in the US but that is most likley because there are many more Apache servers out there than IIS servers. So what does this all tell us? Nothing much.
    
    mwiley_z
    6 June, 2007 06:58
    
    Reply Vote
    - It would reveal that both Apache and IIS
      
      servers can serve malware if not managed correctlly.
      
      GuidingLight
      6 June, 2007 09:23
      
      Reply Vote
    - It tells us that you cannot conclude ...
      
      ... that Apache is any more secure.
      
      ShadeTree
      6 June, 2007 10:48
      
      Reply Vote
    - Definitely not much
      
      is made clear by this. For one thing, there is no way of knowing whether the server is compromised - or set up to serve malware in the first place. Nothing about the security of EITHER system is shown by these numbers.
      
      Speculation is possible - and sometimes fun - but it is still just speculation....
      
      Hmm - maybe the US numbers on Apache are because it's free, and malware people are trying to maximise profits? And maybe it's harder to pirate IIS here (undetected/reacted to) ?? Who can tell - the people doing it aren't here informing us :)
      
      Freebird54
      6 June, 2007 14:15
      
      Reply Vote
  - Apache is more secure
    
    Get your facts straight. It's also safer. Same with most other non-MS software.
    
    Get the facts- MS solutions are chosen for their lower initial cost to acquire. The TCO of them often is among the highest out there. Same as buying a Yugo. Cheap to buy but nickel and dimes you to death. Same with MS.
    
    ITGuy04
    6 June, 2007 06:59
    
    Reply Vote
    - By what metric?
      
      "Apache is more secure"
      
      Can you provide something other than "because I say so"?
      
      ye
      6 June, 2007 08:04
      
      Reply Vote
    - Facts please
      
      Find some measure of evidence to "Apache is more secure".
      
      In 4 years that IIS 6 has been out, there have only been 3 critial security flaws. Apache has had over 20 in the last 3 years.
      
      That may not say one is better than the other but at least it's evidence.
      
      FatherJ
      6 June, 2007 09:07
      
      Reply Vote
      - We chucked Apache....
        
        We use IIS, Apache was too risky.
        
        fr0thy2.
        6 June, 2007 09:38
        
        Reply Vote
      - More likely...
        
        you chucked Apache because nobody in your organization was qualified to secure it. Of course, they're not qualified to secure IIS either, but IIS makes stupid people think they're brilliant because IIS makes them think it's easy to secure a webserver. After all, it's Windows, the operating system preferred in trailer parks around the globe. Why choose something that makes you think every once in a while...
        
        jasonp@...
        6 June, 2007 11:40
        
        Reply Vote
    - What?
      
      I think you contradicted yourself there, m$ cost dosh Apache is free with any magazine so using your logic m$ must be safer
      
      monkeynuts
      6 June, 2007 15:01
      
      Reply Vote
    - What does the "IT " in your name stand for?
      
      [b]I[/b]diot [b]T[/b]alking?
      
      GuidingLight
      6 June, 2007 17:15
      
      Reply Vote
- Read the source.
  
  It basically says that a vast majority of the servers are in countries that are notorious for pirated software. Pirated software means no patches. No patches means no security.
  
  It also says in the underlying article that Apache also serves up 49% of the maleware. I'm not sure what this guy was reading when he wrote the article.
  
  FatherJ
  6 June, 2007 09:27
  
  Reply Vote
- It should be surprising....
  
  I am surprised because you lie nux users had brainwashed me into thinking only M$ could be useless & faulty but it says that M$ & apache responsible for 98% so it seems that these lie nux users are to blame for 1/2 the problem. If you were to look closer it would appear that,with more m$ but only 49% of the grief then if less apache but till 49% of the total grief then I think I will try to avoid apache and only use m$ where possible because we get regular updates and patches to protect us
  
  monkeynuts
  6 June, 2007 14:54
  
  Reply Vote
  - Statistics and spelling.
    
    What else are you really good at?
    
    Jambalaya Breath
    7 June, 2007 10:29
    
    Reply Vote
Missing numbers

So when we actually get to the linked page, the first thing we see is a pie-chart which shows that 66% of ALL web servers are running Apache, with just 23% of ALL web servers running IIS. Despite the fact that Apache web servers outnumber IIS by 3:1, 50% of the IIS servers are serving up malware! In summary, IIS is 3 times less popular than Apache but still manages to serve up 50% of all the malware.

Go Windows! Virus for the people!

whisperycat
6 June, 2007 05:49

Reply Vote
- The wrath of Ou will be visited on you...
  
  ... for daring to make such comments!
  
  What I find more interesting is the assertion that many servers are set up delibrately for drive-by insertion and that a lot of these are IIS servers. Wouldn't Apache be a lot cheaper or does the malware depend on IIS/Windows interaction that Apache cannot provide?
  
  bportlock
  6 June, 2007 05:59
  
  Reply Vote
- Which version of apache out numbers IIS 3:1?
  
  Is that the x86/Linux/Apache 1.2 version? Or the Sparc/Solaris/Apache 2.0 version? Perhaps the MIPS/IRIX/Apache 2.2 version? Or perhaps the Itanium/HP-UX/Version 1.2 version. Or the x86/Windows/Apache 2.2 version? Or perhaps the Sparc/RHEL 3.0/Apache 1.2 verion.
  
  My point is that "Apache" is fairly generic compared to "IIS". It runs on a multitude of hardware/software platforms. There are three majory code bases (1.x,2.0,2.2). Contrast this with IIS which primarily runs on x86/Windows and is limited to 5.0/6.0
  
  ye
  6 June, 2007 08:08
  
  Reply Vote
  - Which just goes to show...
    
    monoculture is bad.
    
    :o)
    
    Jack-Booted EULA
    6 June, 2007 09:49
    
    Reply Vote