Google: Percentagewise, IIS Serves Up Most Malware

While Microsoft's IIS Server accounts for only 23 percent of the world's servers, it's responsible for almost half of the malware circulating worldwide, Google's Anti-Malware Team reports.

In surveying some 80 million domain names, Google has found that nearly half (49 percent) of the worlds malware is coming from only 23 percent of its servers—those being Microsofts IIS servers.

In Googles security blog on June 5, an Anti-Malware Team member reported that IIS and Apache (also at 49 percent) evenly split up the malware served, even though Apache makes up almost three times the number of Web servers out there. The remaining 2 percent of malware is served up by "other" servers, Google says.

Overall, Google found that 66 percent of all Web servers examined—not just those serving malware—are Apache servers. IIS servers constitute 23 percent of all servers, nginx accounts for 4 percent and "other" accounts for 7 percent.

Netcrafts May 2007 Web server survey pegs Apache at only 56 percent of the Web servers out there, and Windows at 31.5 percent, out of 118,023,363 sites surveyed.

Google acknowledged the discrepancy, saying that its numbers differ from Netcrafts since Google bases its analysis on crawl information and restricts itself to examining root URLs. That means that Google doesnt count hosts that dont present a root URL—/index.htm, for example. "This may have contributed to the disparity with the Netcraft numbers," wrote Nagendra Modadugu, a member of Googles Anti-Malware Team, in the blog posting.

Google determines a servers operating system by examining the "Server:" HTTP header, which most Web servers report. Modadugu noted that Googles figures may have some margin of error, "as it is not unusual to find hundreds of domains served by a single IP address."

Although Microsofts Internet Information Services Server Version 6.0 has the reputation of having few flaws (particularly when compared with earlier, buggier versions), IIS 6.0 actually accounts for 80 percent of both the IIS servers Google found to be serving up malware and the total amount of IIS versions now online.

IIS 5.0 made up most of the remainder, both of IIS servers putting out malware and of IIS servers online overall. IIS 6.0 is the current shipping version for Windows Server 2003; IIS 7.0 is the current server for Windows Vista, as is IIS 5.1 for Windows XP Professional.

/zimages/4/28571.gifMicrosoft is urging customers to upgrade to a later version of Internet Information Server in light of a "feature" that leaves IIS 5.x users vulnerable to data interception. Click here to read more.

Of course, as Google points out in its blog, just because an IIS server is dishing out malware doesnt mean that its been compromised—it could be programmed to do so by an administrator whose intent is to serve up malware. "It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators," Modadugu said.

The Anti-Malware Team examined 70,000 domains that it found to be distributing malware or hosting browser exploits that have lead to drive-by downloads over the past month.

As for which Apache versions are serving malware, this is the breakdown Google found: 1.3.37 (50 percent), 1.3.34 (12 percent) and 1.3.33 (5 percent). Twenty-one percent of the Apache servers did not report any version information. The fact that the latest release in Apaches 1.3 series—1.3.37—is showing up as the top Apache malware server comes as something of a surprise, Modadugu said.

Google also tracked down the originating countries to see what flavor of server they prefer. It found that Apache has the largest share of Web servers in the United States, China, Russia, Germany and South Korea.

When it comes to the favorite Web server from which to send malware, however, China and South Korea strongly favor IIS over Apache. The Anti-Malware Team hypothesized that a few factors might combine to bring this about: First, automatic updates likely have not been enabled due to software piracy.

Google cited piracy statistics from NationMaster, which estimates piracy rate (the number of pirated software units divided by the total number of units put into use) at 92 percent in China in 2004, and from BSA, which put the figure at 55 percent for 2006.

Google also suggests that security patches arent available for such pirated copies of IIS, meaning that a larger percentage of Chinese IIS servers are potentially compromised.

Germany and the United States by far prefer Apache when it comes to malware servers, as can be seen in the bar graphs in Googles blog.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.