Google: Microsoft IIS 'twice as often' serving malware

Research from Google's new anti-malware team suggests that Microsoft's IIS server features "twice as often" as a server firing drive-by malware downloads.
Written by Ryan Naraine, Contributor

Researchers in Google's new anti-malware team found that Microsoft's IIS (Internet Information Services) server software was being used to launch drive-by malware downloads more than any other server type.

The statistics come from a Google examination of 70,000 domains that have either been distributing malware or been responsible for hosting browser exploits.

"Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server," says Google malware researcher Nagendra Modadugu.


Web server software distribution across malicious servers.

Microsoft IIS and the open-source Apache server account for about 90 percent of all server software distribution across the Internet, but the Google numbers show these are the two servers serving up almost all (98%) of the malware.

Modadugu makes it clear that not all of these dirty servers were hijacked by attackers, stressing that it is very likely that some servers were configured by malware authors to serve up exploits.

Modadugu also offers a glimpse into the geographic location of these malicious servers, highlighting the fact that a lot of dirty IIS servers are in places that are known to be hotbeds for software piracy (China and South Korea). Because Microsoft does not offer security patches for some pirated software, these servers are more likely to be vulnerable to a remote compromise/takeover.

See Modadugu's blog entry for a deeper look at the numbers. Techmeme discussion.
