The report from Nagendra Modadugu of Google's Anti-Malware Team found that while Apache has almost three times the installed base of IIS (66 percent to 23 percent), the servers found hosting malware were evenly split between the two, 49 percent each.
Google's security team checked the servers behind roughly 80 million domain names, noting that it is not unusual to find hundreds of domains served by a single IP address and hence, in all likelihood, by a single machine.
They found a total of 70,000 domains that over the past month had either been distributing malware or hosting browser exploits leading to drive-by downloads.

The breakdown is odd. In Germany, almost all of the malware was hosted on Apache servers, while in the U.S., around 75 percent of the malware was on Apache. But in South Korea, 75 percent of the malware was on IIS, and nearly all of the malware in China was on IIS servers.
Google's security team wrote that it suspects IIS features so prominently, particularly in Asia, because Microsoft has engineered its software so that pirated copies cannot be fully patched. Piracy in Asia has been a problem for years and is a major thorn in Microsoft's side.
"In summary, our analysis demonstrates how important it is to keep Web servers patched to the latest patch level," wrote the Google group.
One option would be for Microsoft to make patches available for all versions of IIS, legitimate or not. Or, Alex Shipp, an "imaginer" with security vendor MessageLabs, has another solution: "These people could buy licenses," he told internetnews.com.
It certainly wouldn't make sense for Microsoft to make patches work on pirated software, he argues. "If someone steals stuff from you, it seems a bit ridiculous to allow them to keep stealing from you," he noted.
Microsoft did not wish to discuss the blog at length, but it did issue the following statement to internetnews.com:
"Based on the data provided, it is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation. As the blog points out, the administrator's intended use could be to intentionally distribute malware. In addition, the margin of error is extremely large due to the fact that a single web server can host thousands of sites."
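Both Google's note that hundreds of domains often sit behind one IP address and Microsoft's objection that one server can host thousands of sites come down to the same counting question: is the Apache/IIS split measured per domain or per machine? The following script is an added example, not code from Google's study or from either company; it runs a constructed, made-up set of records (domain, IP, raw Server header, flagged or not) through both counting methods to show how far the two can diverge when one shared-hosting box serves many flagged domains.

```python
from collections import defaultdict

# Constructed sample records: (domain, ip, raw Server header, flagged_as_malicious).
# Every value here is invented for illustration; none of it is data from the Google report.
SAMPLE = [
    # one shared-hosting Apache box serving several flagged domains
    ("a1.example", "198.51.100.10", "Apache/2.2.3 (Debian)", True),
    ("a2.example", "198.51.100.10", "Apache/2.2.3 (Debian)", True),
    ("a3.example", "198.51.100.10", "Apache/2.2.3 (Debian)", True),
    ("a4.example", "198.51.100.10", "Apache/2.2.3 (Debian)", True),
    ("a5.example", "198.51.100.10", "Apache/2.2.3 (Debian)", False),
    # a second, clean Apache host
    ("a6.example", "198.51.100.11", "Apache", False),
    # three separately hosted IIS machines, each flagged, plus one clean one
    ("i1.example", "203.0.113.20", "Microsoft-IIS/6.0", True),
    ("i2.example", "203.0.113.21", "Microsoft-IIS/5.0", True),
    ("i3.example", "203.0.113.22", "Microsoft-IIS/6.0", True),
    ("i4.example", "203.0.113.23", "Microsoft-IIS/6.0", False),
    # a server family outside the Apache/IIS comparison
    ("x1.example", "192.0.2.5", "lighttpd/1.4.13", True),
]


def server_family(header):
    """Collapse a raw Server: header value to a coarse family name.

    Version strings and OS suffixes vary widely, so only the product
    prefix is used; anything unrecognised is bucketed as "Other".
    """
    h = header.strip().lower()
    if h.startswith("apache"):
        return "Apache"
    if "iis" in h:
        return "IIS"
    return "Other"


def flagged_domains_by_server(records):
    """Per-domain count: every flagged domain counts once, however it is hosted."""
    counts = defaultdict(int)
    for _domain, _ip, header, flagged in records:
        if flagged:
            counts[server_family(header)] += 1
    return dict(counts)


def flagged_hosts_by_server(records):
    """Per-host count: each IP address counts once no matter how many flagged
    domains it serves, approximating "one machine, one vote"."""
    hosts = defaultdict(set)
    for _domain, ip, header, flagged in records:
        if flagged:
            hosts[server_family(header)].add(ip)
    return {family: len(ips) for family, ips in hosts.items()}


def shares(counts):
    """Turn absolute counts into fractions of the total, rounded to 3 places."""
    total = sum(counts.values())
    if not total:
        return {}
    return {family: round(n / total, 3) for family, n in counts.items()}


if __name__ == "__main__":
    # With the constructed data, Apache holds half of the flagged domains
    # but only a fifth of the flagged hosts.
    print("per domain:", shares(flagged_domains_by_server(SAMPLE)))
    print("per host:  ", shares(flagged_hosts_by_server(SAMPLE)))
```

The per-domain view is what a domain-by-domain crawl naturally produces; the per-host view is what a statement about "servers" implies. On real data the gap between them is driven by how heavily each platform is used for mass shared hosting, which is exactly the margin-of-error point Microsoft raised.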