LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for May 24, 2012

A uTouch architecture introduction

LWN.net Weekly Edition for May 17, 2012

Tasting the Ice Cream Sandwich

Highlights from the PostgreSQL 9.2 beta

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Google: Web Server Software and Malware

[Posted June 6, 2007 by corbet]

Google has published the results of some research on web servers and malware. "It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache. We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy, and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems." So the problem may not be that the software is inherently less secure, but that its proprietary licensing cuts off many deployments from security updates.
(Log in to post comments)

Google: Web Server Software and Malware

Posted Jun 6, 2007 20:28 UTC (Wed) by landley (guest, #6789) [Link]

The graph of malware servers shows Apache and IIS both at 49%, but the
text underneath says "Microsoft IIS features twice as often (49% vs.
23%)"... Which is right, the graph or the text?

I'd comment on the blog to ask, but they want me to create yet another an
account, and have no feedback email.

Google: Web Server Software and Malware

Posted Jun 6, 2007 20:36 UTC (Wed) by freggy (guest, #37477) [Link]

I think you have to view numbers in comparison to the total number of web
servers using Apache and IIS. As you can see in the graph which can be
found a bit higher, a lot more web servers are using Apache than IIS. If
actually the absolute number of malware distributing IIS servers is
equals to the number of Apache, the relative numbers are much worse for
IIS.

Google: Web Server Software and Malware

Posted Jun 7, 2007 11:07 UTC (Thu) by ekj (subscriber, #1524) [Link]

They mean that in their study, 23% of all webservers run IIS, but 49% of all *maliscous* web-servers run IIS.

Since 49% is roughly twice 23%, they conclude that a IIS-server is twice as likely to be carrying maliscous content as an apache-server.

Google: Web Server Software and Malware

Posted Jun 9, 2007 0:21 UTC (Sat) by klbrun (subscriber, #45083) [Link]

They also subsequently said that the (presumably) pirated (and thus unpatched) copies of Windows in China and South Korea put IIS up to the 49% level.

Google: Web Server Software and Malware

Posted Jun 6, 2007 22:28 UTC (Wed) by i3839 (subscriber, #31386) [Link]

It would be interesting to split up the Apache numbers into which OS it is run on, and also into which versions (or at least the age of the version installed).

Google: Web Server Software and Malware

Posted Jun 7, 2007 0:05 UTC (Thu) by CyberDog (guest, #29668) [Link]

From the article:
"Amongst Apache servers, about 35% did not report any version information. Presumably the lack of version information is considered to be a defense against version specific attacks and worms. We observed a long tail of Apache server versions; the top three detected were 1.3.37 (15%), 1.3.33 (7.91%), and 2.0.54 (6.25%)."

Google: Web Server Software and Malware

Posted Jun 8, 2007 18:13 UTC (Fri) by jengelh (subscriber, #33263) [Link]

Everyone runs 1.3.37 just for the number of it.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds