Study: IIS More Likely To Be Compromised
- By Keith Ward
- June 6, 2007
Apache and Internet Information Services (IIS) Web servers are equally at fault for pumping malware into the wild, according to a new study, but a higher percentage of IIS servers are compromised.
Those results come from a survey by the Google Anti-Malware Team. The results, however, should be taken with a grain of salt, since myriad mitigating factors are at work. Apache is an open source Web server, while IIS is Microsoft's Web server.
The two servers are by far the most popular on the Internet, handling 89 percent of all traffic. Google examined about 70,000 domains in the last month that have been distributing malware, and determined that both Apache and IIS are responsible for pushing out 49 percent of the viruses and exploits. Since Apache is running on almost three times as many servers -- 66 percent to 23 percent -- as IIS, the percentage of IIS servers that are compromised is much higher. Google states in the study that "Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server."
The study also broke down the Web server distribution by country and came up with some interesting results. The countries in the survey included the United States, China, Russia, Germany and South Korea. Although the distribution of Web servers is fairly even throughout the five nations, a Web server belching out malware in China and South Korea is much more likely to be an IIS server.
Since both China and South Korea are known to have high concentrations of pirated software, much of which is from Microsoft, those numbers make more sense. For instance, Microsoft makes certain patches available only for validated copies of IIS.
Apache may also have fewer compromised Web servers because its admins are more adept. The study's authors hint at this possibility:
"It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators," the authors stated.
Apache is significantly more difficult to configure and administer, so those who manage them may have greater knowledge and experience than their IIS counterparts. This points more to a failing of admins rather than an inherent insecurity in the Web server.
Whatever the ultimate meaning in the study, its summary quote should be taken to heart by every Web server administrator:
"Our analysis demonstrates how important it is to keep web servers patched to the latest patch level."
The survey can be found here.