Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Google: Percentagewise, IIS Serves Up Most Malware



 By: Lisa Vaas
2007-06-07
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
While Microsoft's IIS Server accounts for only 23 percent of the world's servers, it's responsible for almost half of the malware circulating worldwide, Google's Anti-Malware Team reports.

In surveying some 80 million domain names, Google has found that nearly half (49 percent) of the worlds malware is coming from only 23 percent of its servers—those being Microsofts IIS servers.

In Googles security blog on June 5, an Anti-Malware Team member reported that IIS and Apache (also at 49 percent) evenly split up the malware served, even though Apache makes up almost three times the number of Web servers out there. The remaining 2 percent of malware is served up by "other" servers, Google says.

Overall, Google found that 66 percent of all Web servers examined—not just those serving malware—are Apache servers. IIS servers constitute 23 percent of all servers, nginx accounts for 4 percent and "other" accounts for 7 percent.

Netcrafts May 2007 Web server survey pegs Apache at only 56 percent of the Web servers out there, and Windows at 31.5 percent, out of 118,023,363 sites surveyed.

Google acknowledged the discrepancy, saying that its numbers differ from Netcrafts since Google bases its analysis on crawl information and restricts itself to examining root URLs. That means that Google doesnt count hosts that dont present a root URL—/index.htm, for example. "This may have contributed to the disparity with the Netcraft numbers," wrote Nagendra Modadugu, a member of Googles Anti-Malware Team, in the blog posting.

Resource Library:

Google determines a servers operating system by examining the "Server:" HTTP header, which most Web servers report. Modadugu noted that Googles figures may have some margin of error, "as it is not unusual to find hundreds of domains served by a single IP address."

Although Microsofts Internet Information Services Server Version 6.0 has the reputation of having few flaws (particularly when compared with earlier, buggier versions), IIS 6.0 actually accounts for 80 percent of both the IIS servers Google found to be serving up malware and the total amount of IIS versions now online.

IIS 5.0 made up most of the remainder, both of IIS servers putting out malware and of IIS servers online overall. IIS 6.0 is the current shipping version for Windows Server 2003; IIS 7.0 is the current server for Windows Vista, as is IIS 5.1 for Windows XP Professional.

Microsoft is urging customers to upgrade to a later version of Internet Information Server in light of a "feature" that leaves IIS 5.x users vulnerable to data interception. Click here to read more.

Of course, as Google points out in its blog, just because an IIS server is dishing out malware doesnt mean that its been compromised—it could be programmed to do so by an administrator whose intent is to serve up malware. "It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators," Modadugu said.

The Anti-Malware Team examined 70,000 domains that it found to be distributing malware or hosting browser exploits that have lead to drive-by downloads over the past month.

As for which Apache versions are serving malware, this is the breakdown Google found: 1.3.37 (50 percent), 1.3.34 (12 percent) and 1.3.33 (5 percent). Twenty-one percent of the Apache servers did not report any version information. The fact that the latest release in Apaches 1.3 series—1.3.37—is showing up as the top Apache malware server comes as something of a surprise, Modadugu said.

Google also tracked down the originating countries to see what flavor of server they prefer. It found that Apache has the largest share of Web servers in the United States, China, Russia, Germany and South Korea.

When it comes to the favorite Web server from which to send malware, however, China and South Korea strongly favor IIS over Apache. The Anti-Malware Team hypothesized that a few factors might combine to bring this about: First, automatic updates likely have not been enabled due to software piracy.

Google cited piracy statistics from NationMaster, which estimates piracy rate (the number of pirated software units divided by the total number of units put into use) at 92 percent in China in 2004, and from BSA, which put the figure at 55 percent for 2006.

Google also suggests that security patches arent available for such pirated copies of IIS, meaning that a larger percentage of Chinese IIS servers are potentially compromised.

Germany and the United States by far prefer Apache when it comes to malware servers, as can be seen in the bar graphs in Googles blog.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Google: Percentagewise, IIS Serves Up Most Malware
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


xv60VQ)^tR/ٖ5-nO眳(S$|gOtKgm BUP(y$3W7-gL]sfS Oo-z$5wv޼yC(pȩIFNv@{iFu;A&|8 \?g3U,Q H5K&O†|kM$F^2F .hvL֓b^P+$ȁ_MM9JDu)tC(DIږY'Q}# B Cw*Nul9 QCRR2/FXDP~FDMc?;gv^/ԡcFՉ4C2]hj:TE$*cO^3j `䅰1FŌuŤ8Gd`jĤI2͑G2K*-a;ӡkux5\ap*)ZHZ6n@w(\'p}j bAaSGIH*!)`ōzS˩V| y>x:t^u ¿ ߀Cݸ1̷w'a-Q,q&"U-wS&>dRr[dQ#ʲnLw3a[Ml7uM-ԋR@)ԝw╻]`[© ;}wc4׿;S*)y2GBu7ںsm9y]׊ yESM3Q Ԙ8a9 uz P%pA頨)Z]+*.f1{Pd!XI#/YTU9@f9괏'򳹥}o_]^uzmo8O}3fPUM~ 3h2ؕgxk4X:OO9;'9^qٝN4p3 Z:'^=:$OmrK,.iT$5ǓqeLBxY$Y.ICu'P[,/r$brJGX*,>Ja͂94-I` ߖI@· - :urv%Hm҄& 9B:%u7>hr Ce)#8?݇IhJq䨉k>ذ 1"%w5/,-|EU>hi"A[8 .+J!bV3tɋ BD4?CzC7=aB+Y,h΋<W-}rY]4'tauAUi?/qOK .Cuv}Bz݋^?{6LqJXx7Y`N-y`\77j 1wRZ/*R=zQnl :2X jXR7HaAwp: 0hv?SϧԴfPwH<: pѦMޡ`1@ Ln0i|+wO ݺ|L^TŞ+LКk0#GE 6 &>vP`2Z9ܹ L&0 `DyKлCi`y1&}զA{ Tgx3=w}  {` ޚꖭ-L<ħ̠{ԁ.q<ʜK) D@F>H@Bt"AђF )4 gs#X"K"'GAwdw$]Ki+\fD4˛nOu$cwڹLX.eQY,p[/)͙J2d0e Q򍜘=b`MfT`"[ụLKak`FX,TjNބhd,a>řhf&i &蝐`3Ґ( s?;\ g!3!q-%`|Ͱ"̴b֜Eu4>D hN-˘ R g?f0-qڛwCV<ۢfa* ,qrׁfX8ȣ=p ԇ&=|YzY۶i /&](S7˕L<+׬ePM fdRUyqtʝ+[Z3n2>}M¿J=$"ǰ@7oZ`N)^HISНj!D9zѧl):[V[J7˪Jb$l }ooaXZ @-ſEY md[|aa2E]Q^BKHD@CR)ҵ sqɰC /0|MȆТAچxTA 5:m ߪ&UY9V0-ZYSj2ej [`B]PeܠQ@п,/lVCax9ZǮAwm<_D\|:;$:`3?磔YTp$480T]2akRhjMMaf(0q |0b=99pJ/]aY38-, {uaWhI37k4ZOӫvp!Da`iNR} Ȳ^z`׽IAʫee&-JJY)jB4i/#Y /9m0ܑkz :lF֝<}Zj[,>9VR>U< đOT׃bEaT(j];(12­qŝa&1 DR)Ö1Swhi&{T'j/TR \TZr>J+"X8:T:4ݦC0f7`q00ߤK&GqӞrFVyQBf[a0K=yԪbVM?N jVUg7 #)' Sfǁ;o⽻2-sg`@)gn-%s㓏S+p c.# ,c`W $̮fG`ã R.)P^Cs2ڝ+h3siwVAO۩{10v?\ w +q 5\`EY;[}n)rdd8+ѡ,XrMTՑnR UtT# vg(0ff{B PCZT9RZkBZ'@ u(D apሙ@FCS؇`m/R=UҞuN"X썿9 CbQD i^;p ';pLjg E+fx+sJbOW2EDyxkC鳨< 3is{OiTϿY`&c1 s*? .}l3pڳ.oU9e6e'A o#eIF:#ݸyɿ,WE8&kPgw(* xg4sDcC6VNMƏvpTm"z'ثD>g[AOį*07JYT`zրDZ9yHG]f.g|]~gLQXGVUe@4yJ1k % =EZrcSLJ ]?/$(RQv+ր%΀LdZT+EzXz,*5R7~ z|IcEi\ixk_(OU?ң:n1RKbU-+)CE5rOk,ش,6"h -z ezrP-,sK"hJgԋ_r[rn)ty4ņ5ѣ(4CFup0 +344َcVqDM?ҁh)033RlȪV;P%봚kEI=NM>=1h+Q.뤵's3ҿ﹮s]`aOn;ܝ90F4HΛ JIJ5jZؑN[ }ĵ)$J^-ç,D$t2JE`WdPeHbx|{W !&c oR9~r"KLCVn&3,`jbU\㯌&p7~1ﵚ߫?BQ`о(&ю pm/ɪO@T #N@spHۧ>^y!1ag 3^^f:Џ ﵲwBiipM\uHu__u?^H6? F&;fB, 8{ub>d4~(!{銿z=;kFk";ry}B|}=^xurֹhKixx\N:uyqȒe4*$Yup|hq\1nmƛ&EL=X>0<;fW쐶CžtNWY0pz.vB3pqXqslP1n'lꏝ%/O= V`!恙1t|PZ:a. ǀzB,2q]>G:KY6P ` bT1 ԟRFMQV=#ijqřπQES):*9Q{Qkѷo%E߈>O1OkwtEh[(+x,VdsJ;t Yc~:)}AgmN9˝^'Y^:g5o ?"HlSO+C2L:1D&5W"v O|BaqA=LP6ƓŨ ݖ:p<59R蔈'='C8 z>RB'T˓4/iY(yqjhdꒈ~~(i&'ءXԛ].6'8 $O kzisq/Ps~%Ζe̗4.נY4V#vh~eta}QZ4ղoeW!= ?<'|x! P*9U۾N+ttO$Zȍڑq eީӊNf|mu+ɅNo=?݁C5VAkv ,x\L|[<,%Mw[v1CN'~.>?&Gm_ |1$?[С['|$A!ݫ[]}/n2'|2JO$ho~AO ƭtG^k6yLf0ߊ_RbqOsn<4rtRTsd;i6ӱ$BTU+h*ۻAXEVe.tѓN|;9qiɤ@7YU (f~\;pO %cc}d}ݸ;}C]`l߫C''y& ~W*]ۧPIݧ뛟{͞6,J鲇\B1d/)$%Βy Lj OK = Fi~?sg[!D:*tcv=קc1~O O=zmGs7sd,d9 AX0!V9g'9><OFeۡ܍)³$`DI@Rig6@|Ր۰/hU1iaj}Z'KIjwl[ʷ'/G'鎿Z7{cE|3\+ꈧ &5;S Mk!/1 %&'̼V&%oFЗqi+BY+%p> r`f[!rtV>v} 1e@΋Ur儖g?zzHZ7oFu%:켄n_Ag(,8sijzPjs+j5/|c4pXD3:1Sv(%TC4V0 ?Oڜ.{bwT847_ Wa=5b>~ܕC,d[}|x00:Jjy4ع,'_|sԙaj JM(PIMN(e`Blr AI}wYׄHiJZkopeGp(,:q%?[ۊN>Nb粨b ?c;nR5,y~TtIt+o%^Arsj,utnVR*$ɝȴb|Y~LӒSd+1R7~y70bed+K/hd10c2u-x8IX,/́87UxеrjXq}@m{F0ELz!Yfc 'P6b:{@xA0R6X w&IQ(|>d1j !I/3JhKJ*Ro5%^FƜG'.aB*Ujn°CZaK3 VHOd&oeO}/ [ڔ}K/ž qפ:%/D 6ۨs1KsuV\`\~Aif; YĔp<ELK{0'N[CVhJ%Q$M leK kA7=:BxNR6eʋ7ҥ o0n=d c;W:1jTP$2>Rwq kD 5hjD |[RԊ\4 5Ϳg1&@5,(5z/|}[ HޭQsmiy͘T3? ?8Q7'wwww˸Tw'=ǟ2oȝ@>+1[g9؃N_v}y I'+*[eP1H7 nL3י+_H}N_ݐ7p :t0dޟ`@ġ@ Tg׺JH$>$M2^ <i''fǽ9WŞGyCߐ/Ċo@#O-lVz"ŕ$AsJLc^@y4i> =WO2IDTIUtk~d=t,"*-Zҥ V\xT.O9зnPE9mtpP<lD-$j-=7µAy}/eCN|1p;^?ݗ`B5( (H:/]v+JףNR'.Lb*ڕ l< FhjGk/|6 ڌ)LvEֺãPkݙW1"A$HZhy#D@L>;KW!܂Ij>U7i3}}}}eIo*eEt=ÄN Fl+?M=[w1'pH} )4~UȰuߛ۾cr0S\>+\|o5tgj:`iA gBx) Dߴ +~mo:RГ"7`QjK]WSߢ|7䆈w'fs=u2kuo&6Y=؋ 'zAm2=}mnZݓ9$PfY ? /םc,~7{/'05W|mO^ܙz;zCIX"5GzݑZxXz a=$:AXFD)h4v `MvR$ěK;ـGtHՌ'0II ,AXTNE^_LD֥ Cwkl~k .~;o р=cwP-kp- m '?ޣ=rUښ ֦8\OZo f dtrO|kflr`ɥ7*s-f y^k3u#}m۫c+@M)6->,O\Ƌr;_<@VE[mYS.[Wٱ>KPsbl*yf0W/%GYIj|!"[JD:`\5SqD3goXx"eO" )x`9k>|JMu-sW&? _ ב/⥽^Fxi#qKă5ȼ ،-۞Vړَ!N`0xX т,#z(cw\:5]ݡ]4-̆xۭqsRO#@q"wo$7}X67- ~Vxr>ͪv#|  ,$tJt[.Oыb* n'٫Yͦ l1aS7 u&MRvRpO~7&*㇝n!5\?ԝNtP)LE|3N&o{zGM!v,xUܮN@ } oo ~F頢rc[a|^vUUkžv0;"cK-V8>tYWS}qCvPrza = ʵm~_FYi.J ke9L 4>(C^P"^fKøW\/mwIßHՖkeK ,b*Y"'"KIH^XB0XhD]bɤ3=^Tlqn/t=9h*b4B-',.8ƘKjtuVU咋xAz)CtNk-b"K.g˘x&VH=Қ0&^ROE*@$zTG7rRM` ~Ÿ\ 6L}^Šx!Vy <m+=m?Etn&;/kxzJ2Ko^㬶ͪNT~`h2} 1ᙟSH!Rs/&, %}y =@kl/3 O)3$[] 0.7lW+V+S׊JYTjuoC5Mj*<syHOxn?K\I':VgyV**u~ -Gp=X2 ƒ0Y>GlAr1!dũ 4r|jI_o6ZqbKA#0Nga ; ^akd̉:u_ai*IwM[.g{5YFQAun-u{ cĞjuYYYqՔlΉ0,%;c±\?ɻa8TJ _[EFzV9Hz6ވ۳j =4-h%%MFV(qqhui*5&{ )W'nJ,w\CP |0.SG )V߫r*X7;m\l$ѦacR{oB`(xspWV#=hp ̋Dt4*Ȑk6ɭ2M!/2zވ<pb XBW7 ElNh$}b c6|'?ы] gЀc@N j`(`>{5\vf+~ZC8 ްn?pV%%A HSqD~wc4׿^]Uԝ5'0 ឩV-3ȘhD MQ ҖHxL~1&IJE< ,iMYC) 2mDRTiaz(@HǼ͈))'GlA`}۹dbWoH$P +wdcF>B|9K=WȿI 0RYEQ\TP*@H>S|R?pk2ꥦLmn$|s ު8CXLi8qXg- .E.ӻqWwܕkP~:&pj,ףnltQQ(b8+M u?؇3,ȏݍKmݜ(8sZ1I)t#K/Hzs p򍕡&, 0(-ŌCZUѓȤ)t!dW` cU-+_?(^k{2Qq9LSz%rEuW0`A#'i92bg4t\K- -C'&a@}lFL r5[giUMzzW~{Agk|i5<ӗ6/*f(H^NQʩ~oSg̵,e5jY^%Lqx&O|?{Rf, qW~4ab ^4)o\{=m=ZAN|vuIc\u6~7Ec2EǤ\js@1@C|k{5#z_m;)]S ʯVS[kʻP]S_]~48i)?@5y_PquNskvN֔~5s^koMg( wVsuk{9_Css52zӚPaM?kϡ|M9ŚX#?0~kƯ w]_k%/׼szޚ5__P>OPi]9Ӛ}}ZCk(^W{5_]\'Ik!(o%.Np֔sͣ5RX~i]9,.Nה@}VQ| J]ïX^sksM+@y>' [{^WKͮ0Tnt-5n+ Ǥjum{}h}/1^ZF9/Rl2@ AQKyE#bhto$.rd&}:i;GLwe<ߔ[nNJ>Z9.~QFxd\$WɴVی S ჴ3#i^rI-̸2xL´kD,=VIOi3E fƠ^jd>ck _EzdkFdy#aq1<̡Pnl@PJmXvg&IB. S@]6wq=m=]wtl#k.Cu;2#_}T.I s:##1Y Mc{Vkͅ*u8w ɰ\,Nd}ס)e48wU߰ v:쭨F|m)۹d,ӧ6&'sIz=>1<]f&}#Km^Ǩz1>Iϐh :"Qfj kma?poȢsL ALH\K:F巧gS9>%^Πo'b_,s7eQ&PLŽci]ⷓu KITr%sDJrE)ߠ(b/<% *`>=.X&">6LN@u;Hx|0j;;1TeK-s(ŬBSd<)O?'[nAG\+<>aiЄ.^p멎TgU|A>cx L].1ue|nHJUƧf2{Lwt8=n0kn>q$L==Ⱦ?J D ϱ.y*ظog`SwDl nmP\jӟH.\Tvbbq Y9gfM>@s@DqLgHvxGml<^:yl.E{Ofu ݎüжRt{]" b CcmR>) ]'[Sܟ~R77mJ73T|m`GYe`ZKv?#q얢e.nDG1G[ 0rczz,˓ i>2#" $$r嵖I;;Q0&iE-ȓl`Cv_ <8- ciĬ;fcXJ XF!&?O80Ux|-h\l}[xtmx0#Ÿrz,ـuࠂ7.k*\Z ^cdX$_֬-LE")0ON W= zBk|F LM萻kÐpai#fSS{3 ;߂ ixj XXC`*F"-tX|_X-fZ4rwBybDϝ7f{/E5(և_D_rTo uG8#`y;(1Ldoμ3x _AJ!Onu^btfp7_cρwPy oa/X/AMpgť wF#O{VqҪFoAhcG A™d $.Qߙ6#Rr_aQjЁj~fx@ KRyP6Ɩ4ٰ,x;v}caI8(~|AsR! RMjae_+Z9TM7nLHv{bF=5;,O}RY";TEHSb\oB}+ԔȲAM]QԨa?`~?Xtf*ތ=ÅytAZx_PŞv?{8H=eaק XC@+Sw V`EQ dIEMzWݳ3wy}qA`(.0طRVO ͠u|5/d ̶Cu_Rnm4.|`J\OM ಋkt a=GToޙM!|:R%_x]oF4!6"&<}J&K  zT:mR-|- l)̂M&,#V<|pyKz7.-41N@\t;God=ebjvlw$n9Q⥛On sxͽ:‹<҂ƍOic;̦ YmЮ; "+[{B>Fǔ0X=v{V(ur7~,a9S\vL$;HCҾ`-onT03 0xJ WP \N?wRShB=2H&D~pٍ_L{T7,kPҏ3CBiO-O x:#ם(|>cizLx_wݲ,}zQ9E !e}5&#%^ R0T C\ yyo_/mV ?9ȥMQe Wlm&RQglBeO8Xcɲ_y֑߬$i ~ƥ&e@:It!Rǝ7宧6=nw ϋJ<`0v/&Ƕ;d* wTnv1u0>N[ 4P9,'sz쨭㦳Cqḓ;rT=~ @'ݴdbHFTTqՊUrޕhX-DёjF̐fp8v4mMja.u)m7%L옡/L#E\<ʮLCV9 ֢-}>k/q YN}u9|(h)r%x^Q^zF[06J-Bl4.'%ݳa x:UʼnUG(nъ:ݫvջlt.ާ+-f 6x4 sy(AUK0RZEFRSfcb@)Պ`e:nmԾ^n6%s|Pr imЧTN&ٻN⇹}Ydkpx2 +lòEϰ7wTbB