Web Server Software and Malware

Tuesday, June 5, 2007 9:30 AM

Posted by Nagendra Modadugu, Anti-Malware Team

In this post, we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads.

We determine server operating system by examining the 'Server:' HTTP header reported by most web servers. A survey of servers running roughly 80 million domain names reveals the web server software distribution shown below. Note that these figures may have some margin of error as it is not unusual to find hundreds of domains served by a single IP address.

Web server software across the Internet.



Web server software distribution across the Internet.



Our numbers report a slightly larger fraction of Apache servers compared to the Netcraft web server survey. Our analysis is based on crawl information and only root URLs were examined, therefore hosts that did not present a root URL (e.g. /index.htm) were not included in the statistics. This may have contributed to the disparity with the Netcraft numbers.

Amongst Apache servers, about 35% did not report any version information. Presumably the lack of version information is considered to be a defense against version specific attacks and worms. We observed a long tail of Apache server versions; the top three detected were 1.3.37 (15%), 1.3.33 (7.91%), and 2.0.54 (6.25%).

Amongst Microsoft servers, IIS 6.0 is by far the most popular version, making up about 80% of all IIS servers. IIS 5.0 made up most of the remainder.

Web server software across servers distributing malware.

We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads. The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators.



Web server software distribution across malicious servers.


Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server. Amongst Microsoft IIS servers, the share of IIS 6.0 and IIS 5.0 remained the same at 80% and 20% respectively.

The distribution of top featured Apache server versions was different this time: 1.3.37 (50%), 1.3.34 (12%) and 1.3.33 (5%). 21% of the Apache servers did not report any version information. Incidentally, version 1.3.37 is the latest Apache server release in the 1.3 series, and it is hence somewhat of a surprise that this version features so prominently. One other factor we observe is a vast collection of Apache modules in use.

Distribution of web server software by country.





Web server distribution by country



Malicious web server distribution by country




The figure on the left shows the distribution of all Apache, IIS, and nginx webservers by country. Apache has the largest share, even though there is noticeable variation between countries. The figure on the right shows the distribution, by country, of webserver software of servers either distributing malware or hosting browser exploits. It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache.

We suspect that the causes for IIS featuring more prominently in these countries could be due to a combination of factors: first, automatic updates have not been enabled due to software piracy (piracy statistics from NationMaster, and BSA), and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows operating systems.

Overall, we see a mix of results. In Germany, for instance, Apache is more likely to be serving malware than Microsoft IIS, compared to the overall distributions of these servers. In Asia, we see the reverse, which is part of the cause of Microsoft IIS having a disproportionately high representation at 49% of malware servers. In summary, our analysis demonstrates how important it is to keep web servers patched to the latest patch level.

The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

38 comments:

solrac said...

The study should include the distribution of the 70000 domains in the total number. This would show if the conclusion is fair enough with the web server investigation.
This only true if it follows a normal distribution and a representative subset.

ChrisTorng said...

I think the point of patch is totally wrong.

First, by my knowledge, pirated Windows still can get Automatic Update automatically download patch, they just can't go to Windows Update/Microsoft Update/Microsoft Download Center site for manual update. So almost all Windows can get all the required security patch.

Second, I don't think that all malicious is caused by hacking into an unpatched Windows. Maybe the user accidently open an attachment and install some trojans. So the user's computer become a malicious web server through the control of trojan from hacker, not through break into an unpatched security hole. So I think some IIS rate of China and S. Korea is contributed from the many hackers from those country, sending trojan mails with their familiar language to their people. So the count of China and S. Korea just reflect the fact that the hackers from these country is more then other country.

Third, I think that the count is by IP/domain name. I think hackers also host the malicious web server by themself. They get many IPs and domain names to point to a single web server to avoid detection/blocking. So the count of web server cannot see as so much individual web server. Maybe the hackers from China and S. Korea/Russia is familiar with IIS/Apache, so they contribute many many counts by physically single IIS/Apache.

The last, most people who install Apache because he/she want to populate a web site. He/she should open their site often. If there are any problem they will know at first time and try to clear them. But many people who install IIS just because Windows install and enable it by default. (I have forget which Windows version will do that) They never open the site on localhost, they even don't know they have a web site on their computer. So they don't know their IIS is used for distributing malware. The malicious IISs live for a long time, so the statistics show that the rate of malicious IIS is more then the rate of all IIS.

benny said...

Ermm I'm kinda new to blog but anyway what the heck.. In my own opinion Apache is much safer compared to IIS, and why am i saying so?? Because it's M$ own fault for causing so. M$ detected in IIS 5.0 there's a loophole that allow hacker to exploited it and it provides the technical details to all to view on where and how to actually exploit the loophole (which in my own term is pretty idiotic). And at the same time no patch or solution was provided (ain't that is similar to blowing off your own whistles).. And the solution provided is nothing much just as usual,: Please upgrade to a updated version of M$ products IIS 5.0 to IIS 6.0 (hey!! IIS 6.0 wasn't optimized for WinXP/2000 initially, only Win2003 Servers), WinXP to Vista blablabla (why can't I remain wih my legacy systems which I pretty comfortable with, and where the heck is my patch?? M$, YOU found it then give me the solutions or workaround to the loophole not just telling me Yeap!! OUR product is faulty so live with it; in which I can't, sorry).. That's why Apache is better position, at least if there a loophole detected, though no patch is provided, some tweakers might have some ideas on setting the pace right unlike M$, huh!! 1 billion dollars on research, what a waste.. I started to doubts the IQs of M$ software engineers.. Sigh, geniuses Yeah MY @SS

Rosyna said...

I too agree some of these malware spreading IIS servers may have been infected via another means (like a trojan) and the malware turned on the IIS service to infect others/do other evils.

It's a lot like spam botnets.

Bob said...

It is worthy to note that the reason for the disparity of IIS in South Korea is likey due to the tiein that S Korea has into Microsoft OPerating Systems. More details here:

http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s#003095

Makes intresting reading. Tied into the fact that S Korea has a large propensity for Bots which is not just due to their runnig MS products but also due to the large amounts of available bandwidth. It would be intresting to know how many of the compromised servers were home based machines or hosted.

Offshore Software Development said...

IP and Data Security - Companies considering outsourcing their software development need to know and protect themselves against the risks related to the Intellectual property violations as well as Data Security. In order to mitigate this risk, clients need to check with the vendors on steps that they will take to protect their IP and the sensitive data such as customer information, employee information, financial data and market research data. This should be done during the Vendor Selection process.Clients should ensure that selected vendor has the well documented Information Security Management (ISM) Policy. Vendors need to provide a dedicated project and data server to their clients with audit control access on all the servers. Client should check that the Vendor’s facility is secured with smart card control access and vendor’s development team members have signed the Confidentiality agreements. In addition, the development contract should include clauses for Non-compete, Non-disclosure and non-solicitation.

Software Development Company

Offshore Software Development said...
This comment has been removed by the author.
Offshore Software Development said...
This comment has been removed by the author.
SEO Expert said...
This comment has been removed by a blog administrator.
krish said...

Given the stats in this article though not a complete survey, but the figures certainly hints to the growing concern i.e the objective of the world wide web is getting contaminated from every parts of the world.

root123 said...

Software Development Company The study is a remarkable step in highlighting one of the core issues that the web is facing today

Jeremy said...

I knew that Apache was leading the way in the web server community but I did not realize the extent to which IIS and other windows web servers were trailing the hosting industry.

muthu said...

This is Some few SEO interview Questions? I like to Answers On this,Let us Discuss On this question. web design company, web designer, web design india

Give me a description of your general SEO(search engine optimization) experience.
Do you currently do SEO on your own sites and give me some examples. Do you operate any blogs?
Do you currently do any freelance work and do you plan on continuing it?
Where do you think the SEO industry is headed?
What industry sites, blogs, and forums do you regularly read?
Have you attended any search related conferences?
What SEO tools do you regularly use?
What SEO areas are you weak and strong in, and give examples of both.
What areas do you think are currently the most important in organically ranking a site?
Do you have experience in copywriting and can you provide some writing samples?

sunny said...

I'm very thankful to the author for posting such an amazing web development post. Continuing to the post, I want to add some interesting updates, UK's leading web development entity Rupizmedia has introduced some exciting web applications like live TV applications, CMS for Dynamic Shopping Website, Video Conferencing applications, Community softwares and more than hundreds of much awaited web products & softwares to boost any e-business in a more user-friendly way. If you want to know more about these ultimate products, which give a strong interactive approach to your online business, send a quick query through http://www.rupizmedia.com/enquiry , Thanks

http://www.binarysemantics.com/ said...

thank you for nice post

sanane said...

For nice post :)

http://www.bencehersey.net

sanane said...

Yout post thanx dostum

http://bencehersey.net/heh/windows-security-alert-virusu-temizleme-yontemi

Admin said...

Thanks for the information. How can I protect visitors on my site? I am providing plain text content through html pages. But still are there any ways through which I can curb misuse.

Express your feelings

alastairc said...

It would be useful for any followup if you could distinguish between those who are victims of hacked servers compared to those who are intentionally distributing malware.

This could of course be impossible to detect reliably, but I'd still love to know...

Wilbur said...

• The mushrooming of the software development companies have been instrumental in raising the bar for the quality of the software services. The increase of the concerns providing software services have made it possible for the clients to choose the best software development company from among the lot. In the cut throat competition only the best can survive and hence the companies give their best in order to thrive amidst this competition.

Sweety said...

Hi Nagendra,
Your study on web server software & malware is quite impressive. It would be more helpful if you suggest any good solution to this problem..

offshore software development

Business Process Outsourcing said...

Hi
Your blog is really contains lots of knowledge . I learn lots of think for this blog . I hope you will continue for such amaging knowledge with us .
Thanks...



Ravi kesarwani

http://www.ekamsoftwares.com

amco said...

Hi to all i am really impressed by this blog because i got a lot of information about new technologies like web development, web designing ,SEO. i want to introduce you to our company (AMCO IT SYSTEMS)
we are E commerce, E business and B2B and data entry company, we specialized in web developing, web designing,Seo.
if you have any inquiry please contact us.
Thanks

kapanpun said...

Once a bank has been alerted to the fact that it is the subject of a phishing attack, the race is on to close the target phishing site as quickly as possible. However, professional fraudsters will take steps to ensure that the process is as difficult and time consuming as possible: your time is their money.

Fraudsters will often host their sites in developing countries with limited law enforcement resources and incentivize the hosting company to keep the site running as long as it possibly can. Indeed, some unscrupulous hosting companies actually promote fraud hosting as a service.

Netcraft’s countermeasures service helps banks and other financial organizations to combat these techniques. Once a phishing site has been detected, Netcraft responds with a set of actions which will significantly limit access to the site immediately, and will ultimately cause the fraudulent content to be eliminated.

Netcraft’s approach is distinguished from other providers of takedown services through its ability to block access to the site for users of a wide range of technology immediately, and to provide information back to the bank that will identify compromised accounts.

Integrated Business Software said...

Very interesting article. Good research, and I like the graphs.

Amrit Ray said...

Yes, it is quite interesting to see the distribution of server software across different countries and the percentage of these servers software hosting malware. It is true that across Asia most people are inclined towards IIS rather than other operation systems. The amount of piracy that goes on here is tremendous and due to this auto update of the server does not happen and they become a target for hosting Malware, especially in a shared hosting environment. Original software can lower the percentage substantially. Web Designer.

Aparna said...

Thanks for this interesting post.

suparna said...

thank you for sharing such an informative post, good research.

Mazhar Hussain Shah said...

Hi,

It is very interested topic about to the distribution of the web server software.I think in this way the people can get a a lot of useful information about to the web server,For example,How many domain are attached to th web server,So it approximately 80 million.
Thanks again for this useful information.
Regards,
Shopping Cart.

Mainul said...

Thats a great statistics about different HTTP servers and their comparative performance. Realy uncommon resource. Web Design UK

PierreG said...

Nobody mentioned the fact that IIS 6/7 is nested into the Window kernel (to run faster than others).

When a vulnerability is exploited in the kernel, attackers have full access to the highest privileges.

This is not the case with user-mode web servers.

More details on this issue here:

http://trustleap.ch/en_iis.html

By the way, IIS 7.0 is no longer the fastest web server under Windows (despite the kernel), see:

http://gwan.ch/

Rohit Tripathi said...

I think you have to view numbers in comparison to the total number of web
servers using Apache and IIS. As you can see in the graph which can be
found a bit higher, a lot more web servers are using Apache than IIS. If
actually the absolute number of malware distributing IIS servers is
equals to the number of Apache, the relative numbers are much worse for
IIS.

Thanks
Rohit from Outsourced Software Development company

LeadZoomer said...

Thanks for posting very useful post. Now days there are numbers of Pirated Windows Software available and most of them doesn't have automatic update option to download patch.

Cloud Computing Services

Zaibunnisa Faisal said...

I am getting this "Sorry" message more and more often now. I do not believe that there is any "worm" in my system and it is a real nuisance. It is forcing me to switch to Yahoo or Ask. I do all my searche by hand and they are very innocent searches too. The sorry message does not even end with a CAPTCHA thingy to put my verification code to prove I am human. This is seriously getting on my nerves! I never had this problem before. Its only started recently, but I have no idea what triggered it.

fundoo said...

Thanks for the information, we will add this story to our blog, as we have a audience in this sector that loves reading like this” web development

fundoo said...

Thanks for the information, we will add this story to our blog, as we have a audience in this sector that loves reading like this” web development

Offshore software development India said...

Thanks for this awesome post. Nicely explained the topic and very helpful for beginners.
Please continue writing.

Regards:-Offshore software development company

Goa Ad said...

it seems thats there is a lot to be done for protecting users from various exploits. Many antiviruses do not recognize or provide protection against web malwares.