Report Shows IIS, Apache Equally Popular Malware Targets

By Andy Patrizio (Send Email)
Posted Jun 8, 2007

Google's security team has published a report indicating Microsoft Internet Information Server (IIS) is as popular a target for delivering malicious payloads as its main, and more widely used, rival, Apache Server.

Apache's installed base is three times that of IIS, but the percentage of servers with malware is evenly split between them.

Discuss this article in the ServerWatch discussion forum

The report from Nagendra Modadugu of Google's Anti-Malware Team found that although Apache has almost three times the installed base as IIS — 66 percent vs. 23 percent — the percentage of servers with malware was evenly split, 49 percent each.

Google's security team checked servers running roughly 80 million domain names, noting that it is not unusual to find hundreds of domains served by a single IP address and hence, a single machine.

They found a total of 70,000 domains that during the past month have been either distributing malware or responsible for hosting browser exploits leading to drive-by downloads.

The breakdown is odd. In Germany, almost all of the malware was hosted on Apache servers, while in the United States, around 75 percent of the malware was on Apache. However, in South Korea, 75 percent of the malware was on IIS, and nearly all of the malware in China was on IIS servers.

Google's security team wrote that it suspects the causes for IIS featuring so prominently, particularly in Asia, is because Microsoft has engineered its software so pirated copies cannot be fully patched. Piracy in Asia has been a problem for years and is a major thorn in Microsoft's side.

"In summary, our analysis demonstrates how important it is to keep Web servers patched to the latest patch level," wrote the Google group.

One option would be for Microsoft to make patches available for all versions of IIS, legitimate or not. Or, Alex Shipp, an "imaginer" with security vendor MessageLabs, has another solution: "These people could buy licenses," he told internetnews.com.

It certainly wouldn't make sense for Microsoft to make patches work on pirated software, he argues. "If someone steals stuff from you, it seems a bit ridiculous to allow them to keep stealing from you," he noted.

Microsoft did not wish to want to discuss the blog at length, but it did issue the following statement to internetnews.com:

Based on the data provided, it is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation. As the blog points out, the administrator’s intended use could be to intentionally distribute malware. In addition, the margin of error is extremely large due to that fact that a single web server can host thousands of sites.

Shipp noted that Apache is totally free. The only thing the Apache Foundation sells is support licenses. This means there are no problems getting fixes. But that supposes all of the infected servers are infected without the administrator's knowledge.

With e-mail filtering improving, malicious software writers need new ways to get their Trojans and keystroke loggers onto unsuspecting computers, and MessageLabs has been noticing more and more infected Web servers recently.

"Any vector they can [exploit] is now fair play, especially a popular Web site. If you can get into MySpace like they have done several times, you've got loads of victims waiting," said Shipp. "In the past, it was sites you'd expect to be dangerous that were infected. Now it's perfectly legitimate sites that have been compromised."

This article was originally published on internetnews.com.

Page 1 of 1

Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date