Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Google: Percentagewise, IIS Serves Up Most Malware



 By: Lisa Vaas
2007-06-07
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
While Microsoft's IIS Server accounts for only 23 percent of the world's servers, it's responsible for almost half of the malware circulating worldwide, Google's Anti-Malware Team reports.

In surveying some 80 million domain names, Google has found that nearly half (49 percent) of the worlds malware is coming from only 23 percent of its servers—those being Microsofts IIS servers.

In Googles security blog on June 5, an Anti-Malware Team member reported that IIS and Apache (also at 49 percent) evenly split up the malware served, even though Apache makes up almost three times the number of Web servers out there. The remaining 2 percent of malware is served up by "other" servers, Google says.

Overall, Google found that 66 percent of all Web servers examined—not just those serving malware—are Apache servers. IIS servers constitute 23 percent of all servers, nginx accounts for 4 percent and "other" accounts for 7 percent.

Netcrafts May 2007 Web server survey pegs Apache at only 56 percent of the Web servers out there, and Windows at 31.5 percent, out of 118,023,363 sites surveyed.

Google acknowledged the discrepancy, saying that its numbers differ from Netcrafts since Google bases its analysis on crawl information and restricts itself to examining root URLs. That means that Google doesnt count hosts that dont present a root URL—/index.htm, for example. "This may have contributed to the disparity with the Netcraft numbers," wrote Nagendra Modadugu, a member of Googles Anti-Malware Team, in the blog posting.

Resource Library:

Google determines a servers operating system by examining the "Server:" HTTP header, which most Web servers report. Modadugu noted that Googles figures may have some margin of error, "as it is not unusual to find hundreds of domains served by a single IP address."

Although Microsofts Internet Information Services Server Version 6.0 has the reputation of having few flaws (particularly when compared with earlier, buggier versions), IIS 6.0 actually accounts for 80 percent of both the IIS servers Google found to be serving up malware and the total amount of IIS versions now online.

IIS 5.0 made up most of the remainder, both of IIS servers putting out malware and of IIS servers online overall. IIS 6.0 is the current shipping version for Windows Server 2003; IIS 7.0 is the current server for Windows Vista, as is IIS 5.1 for Windows XP Professional.

Microsoft is urging customers to upgrade to a later version of Internet Information Server in light of a "feature" that leaves IIS 5.x users vulnerable to data interception. Click here to read more.

Of course, as Google points out in its blog, just because an IIS server is dishing out malware doesnt mean that its been compromised—it could be programmed to do so by an administrator whose intent is to serve up malware. "It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators," Modadugu said.

The Anti-Malware Team examined 70,000 domains that it found to be distributing malware or hosting browser exploits that have lead to drive-by downloads over the past month.

As for which Apache versions are serving malware, this is the breakdown Google found: 1.3.37 (50 percent), 1.3.34 (12 percent) and 1.3.33 (5 percent). Twenty-one percent of the Apache servers did not report any version information. The fact that the latest release in Apaches 1.3 series—1.3.37—is showing up as the top Apache malware server comes as something of a surprise, Modadugu said.

Google also tracked down the originating countries to see what flavor of server they prefer. It found that Apache has the largest share of Web servers in the United States, China, Russia, Germany and South Korea.

When it comes to the favorite Web server from which to send malware, however, China and South Korea strongly favor IIS over Apache. The Anti-Malware Team hypothesized that a few factors might combine to bring this about: First, automatic updates likely have not been enabled due to software piracy.

Google cited piracy statistics from NationMaster, which estimates piracy rate (the number of pirated software units divided by the total number of units put into use) at 92 percent in China in 2004, and from BSA, which put the figure at 55 percent for 2006.

Google also suggests that security patches arent available for such pirated copies of IIS, meaning that a larger percentage of Chinese IIS servers are potentially compromised.

Germany and the United States by far prefer Apache when it comes to malware servers, as can be seen in the bar graphs in Googles blog.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Google: Percentagewise, IIS Serves Up Most Malware
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r㶲s\@♵M=Ҕlc-/K3ΤN"!1Ej/~b:?qtMJe3NƖht7F?;;~$rȹklJv'[D;;?.P|gSo92p=z#m)>M3ȩ 5;#|6%?w *sR;€wɘZqPɈQߕ>Q/? Lbh9&q٤XA# : rWӺ%~`zN<>Qu)pgEQ6'k[ tVN W*Unp{#a_ʞz5"p8$j;^7Ӄw23w:bq:!Oma l׸ڮU ؓ ۭ@5l"s9ȹ׳0Tݑ}:1iBsdbLJNtf?D9zu v=r Pc,Bs.oVs+ZV@+(.#-bzOa`% pfQUrn'sK׺jw[::=jN}3fP+M~(#3hؕgxk_:O9ǝ.9\QŝyN4p'3 Z_Zv\݃ /xR&:aZ+U#3t9}lqo]~:_O{g;Beu#7{W=ReQ o̱n>@|ˤd6M2Tch^ԩ#5ǯ/iVj5Vi?z[SĿ G/<@'LYp3Z&9T23=MHk 3!RBʼĿIK _VPJB-)\D7h+ԌTwIQQ#{̌_"ʥec^IcFs^ 4l.k\Btʢ9QY + \M흚޼G=-*<5NZާ1^v.tvZ0*>c]g9",QqsuTSt*Zl:׾RA^Tjr{hc2ud8԰:AG:ڴ;\Vc4!D&hap{4ڭl= KpI}xXO9&ztmP``#eg! uK ΝdrkoMC?Ft zt t,/G`\@8)Hpy E]ub3B[>ȁ=woMou &QsfPBԁ.q<ɜK) X@H@t"AђF *4 gsCX"K"'Aw;.VKŤ\*y"JM':ܑWKRx&,S,BV-KᗄPf%i2mlƲń(VFNl(0Vn)L>hQoĸG6ˀ)4ٌi8A0>A̞P,j\r n9Y>~pI$зs_n2MS/n^ßf1d_w\ճ&AB glCC2{ڡ[Z3R;= =Mrʳ$#]_7oX>ťHN(mt'й+>q^t.iԚ'eiV[JͪRu%zց$l J=°εZ*![p5|a׼2F]RZBKHDlPc/΅%2=CM"&7 }ZMXUM.R?xz#kjISʁbY;7l ʸ5MVRQy9:zGȃ`=r=6O68yy4!%6$;~Lc cѭ,hZU%S=#kQbꁊ7_E30kŠ%lDaȁUra; ¢{Z\Sv;~l2\Z!0\{?|T30`-e?"O;R^-!/0kMtg׳aT5C#lq-Z ;tm۽˦ sq,bj[,~ɯ‰5r1|*j0&B$V0l^x|hF`+\qW["LJ}N܁e Vl*I b]Pr)RLZ06Aae呯^t@FM@X 2$6/Pk ΁a@C)& cZ`\FLk ZCbP$܄h@.&i?aE"'t1ڥs!a*/w+g Z|;jZ(T+19ʪZJs3??2:EƟR:wC~y90?O_ogRkJo֯>^R`w%eXY81f-1"yd ėaE*㕴~>V6ʼnG q?@*:2 XX 0(E{h⢉!h;+4+hý235RZS2ݝ'(R~-hoZYSYf0`l* ?ŤD LkQ3Gť5 {éCfuMa&FžJV-=kyE0s-fdaD4@wbC-YM ~gӭHy3V9y]%fZ+a1yZUztyhFIdM3iqS<ܪ+_|ˀGeyM/ܛZJc="JL7OW<s[B, r?_ǞuK vq?n216<^uUJ3LdT~#\zRfl|g]b+wU9Se6a'ßjTSc\/ e<@n̦"SԵйtNsl s ܒ; +@X'V-(7O40p2Z>+lYVj嬙fwrģ: ߀&?\@qccn#2v"9zB*>|/I0VRRXU V_A3Fˁ; _g.7&aHx}GRUO4ịV1C e 4v=.EY i&!lئOlDoԁh 03RlȪ+> 2*ijAROsGF:Lpz]zߍ uRԣ{{+7}óA"wS[Uu:Mg\Դ"hw ĶRs?'}D-ӄ>zAbzQ=Y rvjT rF2R@BZB$d1~'߾b[D ‚'T.n\'+cI` |Jce"nxB* gF Dccb^f.`}UݷK( -$P) WAhxa{I12@W?v~nNIAc'tn48T6MFz֖5C2ܝa3 vH[!Bb_:Wǭ+,S=VXKr! Vj,49Aϐa6(n4lCꏝ%/A֭ Bf3bB!|J'eax!w mn?8D@ISL'SQ(I[`deanKl?a9RL锐'.ϓ|Nh+'I^VR6T$4%!44QLNbC]B+C7g ҽl^lNpVHpo6_xvImK$Ζ&!̗4.נzY8V#vp~tװ>XkI-jշʫ؉|@s`*#=SL aʕ}rWkb~]4ZU$=ݙ8F`푶cɹ``'#9ʼS3`Z GW ./}ĿW}1kyT̵jПdYx2M#}:Jfzki^x̠t8s 7{~!.u?.sT7?_eҰKw= =zs.+-R!ykEwWUKsOWgʼE:'%mK`#iv.R;K !bi4V;Tf{ds̷kH:>dO>^jDC|9~2O> AY؞qnbL2F'` ƔI 3q#ĠHZsMs _563Z;as*|\"Zyda%$\}1 ߈;6bE QMi|o(o&򽡎xk5) KN+g7BcJKѴg=.0Qa_Ͻx2.mE.zQv%F}7^c˗IO'4ۺ YCQ\Q+VɻM'ϖ7gs}$ݙwK00(!e!tmtȝLuǢ<tA¡n }sV i9X 6CE]g.wxE/ "< {"oNZ~5vȹn0Fw ufC&數Sm< ^`'KGk89\zt.݃EFAss \U&r<~v\ltgwdΝN Hb0mvHe d8=zg[Q6T?Z'IElYT _p'</5Y{9Ƚ,Ilv}+1WnN%Ό`r3'm=KҦ{p5r 7 ͛/1GDyjSe+`@-LA_~tJIlx:F@UCCY= ^.,9a:3N: jbFvxRwf҉If[оR3_d!b\ zV@' .qOx ]ϟňywRR)RZh驤i< ŸwoP%U4m_jŧ⴯%.uQ tpS;3V>K!]cc׺*\U3x5jc' 3y+[! [_VBV^þBz= mʾbȧrA&`?CO3~K6\8X] W$g }̆,"=wBK{&,vKZU6P$l@$ @l)n2y&r-RT/9]mc@ ~ep@^{],a{,VE$阗o1erF(3*um}l6E`0 !K E@^ 3F <,!=3Teђ< :lQXR Wd> IrSbz&E֧Ѥ7^>[^rjo$$UӭeR_d=ǜ,,)){ԥ. pxQTU+ ِxD4Jx$&^!a5JFR"FtƐ/LӈMsCܐKϽ) owH]O9nPtЇNK׶TՊNna $lO'a $jm^ ׾9Idj< 9\ȭh5'"_nVZCB2PatA}It0`j+I083Y٭(.aѹH:]|it{:O!cV^1r|z6p5Z0}w ;ؽ-٫ DA$M"!c%̋knA( 5*wI4e~idxhqSI-I, &ZmݩV} ڵq5v,k U7^(oO [/PY,sLzu5e R- ϏW ELjY?$.h=_l\;iV>߄)[jSt brijcߍ.!]n w_^xJmc͋.pT o|{ȸX1s^lyߣnoƦ5_c\+ȾHU.\՝Àze ?qxðs+{XU{Qg:%k;*HC5zݑx%Xz `uǁD1 i4ҷEibaMv(K;ـd@Ռź0qI,A}},D*E1(OJIkY;_B+k#;rҽV«{r]$̵ş 3{Xq֢Swrk")^m{Ba/wWoͣ#ŷaؽ24B(5=6[7oWvj}e~-kk3"{A-[o&36௶aulay0^q/yt Ȫhֲƞ=:qoB&Y,eeXcg3'Vc~uP2oH3@84+I/3$V$V [IHgc;w6pƊ8a[Z@Yo ,M >'`9kҽ9>u]Lg[2`?a_ӷ/= ^FxᙟCqs˼ M۞NړM!N`;qX т,#Ћ'g$HdSJ!*D7i|c`6Kg;&`cٿcgĽ^S`܀*ZWqis4s/| );^[?1aN#ڿ`iݰ ΰ6xD)& y|י`'㷈u9DCঀ_;~T*UH ZNvxrٽ=? X++F=݀wNUpo?mLRH+&^qIuYW ]}qCvO rN{{3kq'9#j\ΒjsȜؕĠAIB4RwĸWn"wIPVk~K ,Fk"Y"'"KIH^XBQpD]bɤ1^Pl&qn/t=L9h*b4 B-'-8&ƘKjxVQjrE<=G!:{uZxeL<_AFwc+S}*5fL+:P;qU6'a<::BMğEwTBhfxOkp)Xۜ>3-iM13bmCym+=kzZC>u` K.қ`(l&ˇtxX~-HP*$7ZzYX B}Ba>9>()[oW-F]M5v X:]y K`48 ^Rc"WVc -8}29)rL' vl"m]%IwKTwf|G# :{WZ-1F/|T1/b=3-ᰐ#C a<$z4mԓG)׀Ϣx\W7 ElNh$~b 12S~&`b,ywJ7`C'[EY|ob{LgA~\b@Ԑ0(V$Ѕ:y,@#!9ω1늼 -×Y"&AaPZ  +z+U'I]Ui_)9CȮ KƪZJW5#S]we2Vq9Lz%ruW0`A='i92dg4t\K- ,C#&O=lFL0kD 9\&9jHa}kw.as'%_QBss}Ѻj_r˃Sdg&E`9Y22 'Sfrqm.4 "G}ɂwᝥ%}VXm_(ڽ5U6e9DM@*8 ǼQ!~jԊkm8ޗ5g5^L˒7kJ\3C >9mf/ [tI 'M&7bQ:kH碕k&5+<v<(32ʯjuQ8QށNF9rzou1ตQ~GO>''(kWsqF93틌rnQʿ.?gZ9gggsAsyFρ?3eg(Uѿ@r 3ڿ\'I73y S*ÌRq/2苬+ OY射8(Ay>++P/nt2 : ?3_u3 NF&oˣqr]!,.5PUZk3/Y[ݲWq - {}h}/1^ZF9/RlR? AQA. 3l?V\[[,Oнۺ{' Jݓs+z`~Jc.1پWߕ\*ܼ}:S\ȜHWɴFVی 듩iz|,y |f2 'գ,O;H L2f~<ĎrnOAr t[ep's%| SG0V=*{P[4LԸGpoQV"#<5 LlXV_p3lcm}jW;uu<_6?Cg6'[*8uߚLYu8% ~xY&@Y8'R?+j L=C9}54]NWn8ڜ؉wF:n :Mg\ԴZjRs?'WHd6##"2tx 5ɪ"+Uw9 ط]V++R0X\^9Q(Fuo*K0njy=q̐ga1VJ!7rO 0 7oJ/ӡx}KQ,V+ 5t0=_2nu–'*F'BNkeErlyOؼ!H0BkNY״0o? 8[]^L:χ~& ܹޕop1Q6`=ifF`+iqf|98𰙄i׌̯X›;f@L s⣍A;|1|:v3Fdy#aq1e@(e6Lm (~%6,wd3o%. c@] 6w1o6Nώ{;Y:5 wh޼/KuoA0D00Y~l+>BՋp`HzFciЄΧ^p멎TgU|A>cx GL} JC2z lx$_Oxª~Saxr=& fh u-IS`ނgܨN~yVb0%yMvSF} ?dtE#bSp!@>pM'"QTD sQ)ۉYbd圙F9~gsu@EqD'Py566s֨N`^|ۺKAѮYml`[x)K^F:=Ou`H؂{Xi[e1bdKq=3ӲG(q<,@cq1ݦt3NE7/k,^zXٽd1qS`-hup#b w}uKe!.0:W.XޫlہP#jȹ-`j+7EmEtA<;=+={+s`:igNb+:*φŀp̖sW=?5jlvja<>Y:}/#s!YX&7ę /O CWѰ0 L;,lqEG%RRNmfK#fE[Rj2 19,G xI1%h3l䓈mAb ?åk[),#wL_ xjepFdzUN]Z ^cdX$֬-LE")ԝb:(G=zk|FXKzLM萻kÐ{y0ѕDM1F(&,1S,@< փ W1`#hxl <nh1)d'kIG '60MÄr"5roq=yeәJ pK8 g!0X^Zʩȩ(v}_|JѬd;j +3Og |>"<Ǹ0X+n:' wޗX;yB(O:=y>C*gꙺU7Za}BeFBl4*׭Y*?[7nxa㇫Χc)h,=P$Dq+ AHc.ɊxYοa(m\}!l4{n_!ﭩeUUA$摭7y@ƦI:1q0)jaKmw9n~;1{l~r)Us̥D5^JB\rbh6