Microsoft's Internet Information Services (IIS) Web servers are more than twice as likely to deliver malware to unsuspecting users as the open source Apache Web server, according to a recent security survey performed by Internet search giant Google. That's quite an allegation, coming as it does from one of Microsoft's chief competitors.
Google made the revelation on its Online Security Blog. "We investigate[d] the distribution of Web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads," wrote Nagendra Modadugu, a member of Google's anti-malware team. "We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads."
According to the survey, Microsoft IIS shows up as a malware-distributing server twice as often as Apache does: 49 percent vs. 23 percent. This comes despite the fact that Apache appears to be in use on far more servers worldwide than IIS. The majority of that malware appears to originate from China and South Korea, according to Google. (Curiously, most malware coming out of Germany is actually sent via Apache, not IIS.)
Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions that aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) "Our analysis demonstrates how important it is to keep web servers patched to the latest patch level," Google notes.
While I can't quibble with the data per se, I find it interesting that Google used this survey to promote Apache over an Internet product made by its chief competitor. Google notes that, in its research, there was "a slightly larger fraction of Apache servers compared to the Netcraft web server survey," suggesting that Apache actually has higher market share than reported. Coincidentally, perhaps, Netcraft recently reported a drop in Apache market share, due largely to Google's Web servers being removed from under the Apache banner.
Microsoft, incidentally, says that the Google survey doesn't provide enough data to draw any conclusions. "It is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation," a Microsoft spokesperson said. "As the blog points out, the administrator's intended use could be to intentionally distribute malware."
Reader Comments
Sooo...
Google claims Apache is more secure than IIS, but they are basing it off of pirated versions of IIS that are used in China and South Korea? Of *course* they would be less secure - they're *pirated* versions of IIS! Duh! What's Microsoft supposed to do? Make an easily pirated, completely-secure-for-all-time OS?
Sounds a bit biased to me...
NateB2 -June 07, 2007
I really don't get what point Google is trying to make here. The "fact" that IIS is the most commonly used web server to distribute malware doesn't say much of anything about IIS or its security. We don't know anything about the administrators running the sites, if they've bothered patching IIS or Windows, or if they're intentionally distributing malware.
What this really sounds like is Google just trying to get articles written that involved the words Microsoft and malware in the same sentence.
jersey72 -June 07, 2007
"What this really sounds like is Google just trying to get articles written that involved the words Microsoft and malware in the same sentence."
I'm sure more fake anti-spyware writers will snatch up more of those AdWords, rocketing another bajillion centabos towards Google's position.
XP
Waethorn -June 07, 2007
In other news:
* Sun still rises in east, sets in west
* Still cold in Antarctica
* Ocean water is salty
lotsamystuff -June 07, 2007
Not too many comments these days. That's surprising.
shark47 -June 07, 2007
Not too many decent articles. You'd think a certain OS released 5 months ago would be so full of viruses by now that there'd be loads of security posts. Alas...
will84 -June 07, 2007
OT - just for the sake of throwing a post up here
Props to Apple for putting out a commercial that simply focuses on the features of their product. The ads for the iPhone have me looking at my Cingular 8525 wondering if maybe I didn't make a mistake buying it a couple months ago. (Very different than the Mac/PC commercials which are simply annoying.)
jersey72 -June 07, 2007
Jersey:
Agreed. It made me think of all the Verizon commercials I see for phones like the Razr or Chocolate that carry a tiny little asterisk at the bottom that says: Screen images simulated.
I think everyone can agree on one thing about the iPhone: we hope it pulls the UIs of other phones out of the mud they've fallen into.
bdkjones -June 07, 2007
@bdk:
I agree completely on the UI and the technology in general. Both HTC and Prada are putting out their iPhone competitors. I'm interested to see how they all pan out. Competition is good for technology.
jersey72 -June 08, 2007
This is all hemming and hawing by Google as we all know it's really ignorant users that make Malware the problem that it is.
I'm so glad our company doesn't have to worry about these issues as we primarily only resell the hardware and not the OS or software solutions (we sell used servers)