Microsoft IIS a Popular Target For Malware

Google’s security team has published a report that indicates Microsoft Internet Information Server (IIS) is as popular a target for delivering malicious payloads as its main, and more widely-used, rival, Apache Server.

The report from Nagendra Modadugu of Google’s Anti-Malware Team found that while Apache has almost three times the installed base – 66 percent to 23 percent – of IIS, the percentage of servers with malware was evenly split, 49 percent each.

Google’s security team checked servers running roughly 80 million domain names, noting that it is not unusual to find hundreds of domains served by a single IP address and hence, a single machine.

They found a total of 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads.

The breakdown is odd. In Germany, almost all of the malware was hosted on Apache servers, while in the U.S., around 75 percent of the malware was on Apache. But in South Korea, 75 percent of the malware was on IIS and nearly all of the malware in China was on IIS servers.

Google’s security team wrote that it suspects the cause of IIS featuring so prominently, particularly in Asia, is that Microsoft has engineered its software so pirated copies cannot be fully patched. Piracy in Asia has been a problem for years and is a major thorn in Microsoft’s side.

“In summary, our analysis demonstrates how important it is to keep Web servers patched to the latest patch level,” wrote the Google group.

One option would be for Microsoft to make patches available for all versions of IIS, legitimate or not. Or, Alex Shipp, an “imaginer” with security vendor MessageLabs, has another solution: “These people could buy licenses,” he told

It certainly wouldn’t make sense for Microsoft to make patches work on pirated software, he argues. “If someone steals stuff from you, it seems a bit ridiculous to allow them to keep stealing from you,” he noted.

Microsoft did not wish to discuss the blog at length, but it did issue the following statement to

“Based on the data provided, it is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation. As the blog points out, the administrator’s intended use could be to intentionally distribute malware. In addition, the margin of error is extremely large due to the fact that a single web server can host thousands of sites.”

Shipp noted that Apache is totally free. The only thing the Apache Foundation sells is support licenses. This means there are no problems getting fixes. But that supposes all of the infected servers are infected without the administrator’s knowledge.

With e-mail filtering improving, malicious software writers need new ways to get their Trojans and keystroke loggers onto unsuspecting computers, and MessageLabs has been noticing more and more infected Web servers recently.

“Any vector they can [exploit] is now fair play, especially a popular Web site. If you can get into MySpace like they have done several times, you’ve got loads of victims waiting,” said Shipp. “In the past, it was sites you’d expect to be dangerous that were infected. Now it’s perfectly legitimate sites that have been compromised.”
