Google: Microsoft IIS Serves Up More Malware

In a Tuesday blog item, Google posted results of an internal study that examines the types of Web servers that are most commonly being used to host malware and dish up browser exploits and drive-by downloads.

In looking at around 70,000 domains that have in the past month been hosting or distributing malware, Google found that Microsoft's Internet Information Server (IIS) and Apache server each account for 49 percent of the malware.

However, after examining Web servers running about 80 million domain names across the Internet, Google found that 66 percent were Apache and 23 percent were IIS, which means IIS is twice as likely to be hosting malware, according to Nagendra Modadugu of Google's Anti-Malware Team.

"Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server," Modadugu wrote.

Google's blog post could be another example of what some security experts believe is an emerging type of gamesmanship on the part of some vendors, which involves poking holes in other vendors' products under the guise of security research.

"To me it seems like kind of a jab, but I can't say whether Google intended it to be a jab," said Marc Maiffret, co-founder and CTO at eEye Digital Security, Aliso Viejo, Calif.

"They're saying that more Microsoft servers are hosting malware, but they don't really say that it's not negative," said Maiffret. "Google has a lots of data, but one of the things they need to be really good about is having an opinion about what it all means."

While Apache has by far the dominant share of Web servers in the U.S., China, Russia, Germany and Korea, Google found that IIS was the source of around 75 percent of malware distribution in South Korea and nearly 100 percent in China.

Modadugu did note that the results could be skewed by the fact that some Web servers could be configured by administrators to distribute malware.

Software piracy in China and South Korea could mean that the IIS servers distributing the malware weren't eligible for automatic updates, wrote Modadugu, who also noted that some security patches aren't available for pirated copies of Windows.

In an e-mail, a Microsoft spokesperson said it's difficult to draw any viable conclusions about the security of IIS or Apache.

"As the blog points out, the administrator's intended use could be to intentionally distribute malware. In addition, the margin of error is extremely large due to that fact that a single Web server can host thousands of sites," according to the Microsoft spokesperson.

Andrew Plato, president of Anitian Enterprise Security, a Beaverton, Ore.-based solution provider, said comparing the securtity of different vendor's products is difficult because of all the factors involved in an infection.

"Microsoft software in general has more exploits. Why? There are a myriad of reasons, from poor engineering, to the obsessive nature of the hacking community in making Microsoft look bad," Plato said.