Tuesday, June 5, 2007 9:30 AM
Posted by Nagendra Modadugu, Anti-Malware Team

In this post we look at the distribution of web server software across the Internet and ask how it correlates with servers that host malware binaries or engage in drive-by downloads.

We determine the web server software by examining the 'Server:' HTTP header that most web servers report. A survey of servers hosting roughly 80 million domain names gives the distribution shown below. These figures carry some margin of error: it is not unusual to find hundreds of domains served by a single IP address, and the header is self-reported, so an administrator can suppress or alter it.
Web server software across the Internet.
Our numbers show a slightly larger fraction of Apache servers than the Netcraft web server survey. Our analysis is based on crawl data and examined only root URLs, so hosts that did not serve a root URL (e.g. /index.htm) were not included in the statistics; this may account for part of the disparity with the Netcraft numbers.

Among Apache servers, about 35% did not report any version information. Presumably the version is withheld (Apache's ServerTokens directive controls how much the header reveals) as a defense against version-specific attacks and worms. We observed a long tail of Apache versions; the top three were 1.3.37 (15%), 1.3.33 (7.91%), and 2.0.54 (6.25%).

Among Microsoft servers, IIS 6.0 is by far the most popular version, making up about 80% of all IIS servers; IIS 5.0 accounts for most of the remainder.
Web server software across servers distributing malware.
We examined about 70,000 domains that over the past month have either distributed malware or hosted browser exploits leading to drive-by downloads. The breakdown by server software is shown below. Note that while many servers serve malware as a result of a compromise (remote exploits, password theft via keyloggers, etc.), some servers are configured to serve exploits by their own administrators.

Compared to our sample of servers across the Internet, Microsoft IIS appears twice as often (49% vs. 23%) among malware-distributing servers. Within IIS, the split between IIS 6.0 and IIS 5.0 remained the same at 80% and 20% respectively.

The distribution of the most common Apache versions was different this time: 1.3.37 (50%), 1.3.34 (12%) and 1.3.33 (5%), with 21% of the Apache servers reporting no version information. Incidentally, 1.3.37 was the latest release in the Apache 1.3 series at the time of writing, so it is somewhat surprising that this version features so prominently. We also observed a very wide variety of Apache modules in use, as advertised in the Server header of these hosts.
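As an added illustration of the survey method described above (example code written for this edit, not code from the Anti-Malware Team or the survey itself), the following Python script pulls the Server: header out of a raw HTTP response, splits it into product and version, and tallies product shares, per-product version shares and the over-representation ratio that the post reports for IIS (49% vs. 23%). The header values and the sample response are constructed for the example, not survey data; a missing header is counted as "unknown" and a missing version as "unversioned", which is how the 35% and 21% unversioned Apache figures above arise.

```python
import re
from collections import Counter

# Constructed 'Server:' header values standing in for a crawl sample.
# They are made up for this illustration, not data from the survey.
ALL_SERVERS = [
    "Apache/1.3.37 (Unix) PHP/4.4.4 mod_ssl/2.8.28",
    "Apache",                      # version withheld (e.g. ServerTokens Prod)
    "Apache/2.0.54 (Fedora)",
    "Microsoft-IIS/6.0",
    "Microsoft-IIS/5.0",
    "nginx/0.5.26",
    "Apache/1.3.33 (Debian GNU/Linux)",
    "Microsoft-IIS/6.0",
    "Apache",
    "lighttpd/1.4.13",
]

# Constructed sample of hosts flagged for serving malware or browser exploits.
MALWARE_SERVERS = [
    "Microsoft-IIS/6.0",
    "Apache/1.3.37 (Unix) mod_perl/1.29",
    "Microsoft-IIS/5.0",
    "Microsoft-IIS/6.0",
    "Apache/1.3.37",
    "Microsoft-IIS/6.0",
    "Apache",
    "Apache/1.3.34 (Unix)",
]

# Product token optionally followed by "/version"; the OS and module list that
# follow the first space are ignored for the product/version split.
SERVER_RE = re.compile(r"^\s*(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[0-9][\w.]*))?")


def server_header(raw_response):
    """Return the Server: header value from a raw HTTP response head, or None.

    Header names are case-insensitive, and a missing header must be kept as a
    distinct outcome rather than dropped, or the shares are silently skewed.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_server(value):
    """Split a Server: value into (product, version); version is None if withheld."""
    if value is None:
        return ("unknown", None)
    m = SERVER_RE.match(value)
    if not m:
        return ("unknown", None)
    return (m.group("product"), m.group("version"))


def product_shares(values):
    """Fraction of responses per product, e.g. {'Apache': 0.5, 'Microsoft-IIS': 0.3, ...}."""
    counts = Counter(parse_server(v)[0] for v in values)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}


def version_shares(values, product):
    """Version breakdown within one product; withheld versions are 'unversioned'."""
    versions = [ver or "unversioned"
                for prod, ver in map(parse_server, values) if prod == product]
    counts = Counter(versions)
    return {v: n / len(versions) for v, n in counts.items()}


def over_representation(baseline, suspect, product):
    """How many times more often a product appears among flagged hosts than overall.

    A ratio well above 1.0 is the pattern the post reports for IIS.
    """
    base = product_shares(baseline).get(product, 0.0)
    bad = product_shares(suspect).get(product, 0.0)
    return bad / base if base else float("inf")


if __name__ == "__main__":
    # Constructed response, not a capture from any real host.
    raw = ("HTTP/1.1 200 OK\r\nDate: Tue, 05 Jun 2007 09:30:00 GMT\r\n"
           "server: Apache/1.3.37 (Unix)\r\nContent-Type: text/html\r\n\r\n<html>")
    print("sample response:", parse_server(server_header(raw)))
    print("all hosts:", product_shares(ALL_SERVERS))
    print("flagged hosts:", product_shares(MALWARE_SERVERS))
    print("Apache versions (all):", version_shares(ALL_SERVERS, "Apache"))
    print("Apache versions (flagged):", version_shares(MALWARE_SERVERS, "Apache"))
    print("IIS over-representation:",
          round(over_representation(ALL_SERVERS, MALWARE_SERVERS, "Microsoft-IIS"), 2))
```

The ratio measures what hosts claim to run, not what they actually run: a reverse proxy, a rewritten header or a ServerTokens setting all change the tally without changing the software behind it, which is one reason such a survey can only show correlation with malware hosting, not cause.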
Distribution of web server software by country.
Figure: Web server distribution by country (left) | Malicious web server distribution by country (right)

The figure on the left shows the distribution of all Apache, IIS, and nginx web servers by country. Apache has the largest share, though there is noticeable variation between countries. The figure on the right shows, by country, the web server software of servers either distributing malware or hosting browser exploits. Notably, in China and South Korea a malicious server is much more likely to be running IIS than Apache.

We suspect that IIS features more prominently in these countries because of a combination of factors: first, automatic updates may not have been enabled because of software piracy (see piracy statistics from NationMaster and the BSA), and second, some security patches are not available to pirated copies of Microsoft operating systems. For instance, the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows.

Overall, we see a mix of results. In Germany, for instance, Apache is more likely than Microsoft IIS to be serving malware, relative to the overall distribution of these servers. In Asia we see the reverse, which is part of the reason Microsoft IIS has a disproportionately high representation at 49% of malware servers. In summary, our analysis underscores how important it is to keep web servers patched to the latest patch level.
14 comments:
The study should include the distribution of the 70,000 domains in the total number. This would show whether the conclusion is fair enough with the web server investigation.

This is only true if it follows a normal distribution and is a representative subset.

I think the point about patches is totally wrong.
First, to my knowledge, pirated Windows can still get Automatic Update to automatically download patches; they just can't go to the Windows Update/Microsoft Update/Microsoft Download Center site for manual updates. So almost all Windows machines can get all the required security patches.

Second, I don't think that all malicious servers are caused by hacking into an unpatched Windows. Maybe the user accidentally opened an attachment and installed some trojans. So the user's computer became a malicious web server through the hacker's control of the trojan, not through a break-in via an unpatched security hole. So I think some of the IIS rate of China and S. Korea is contributed by the many hackers from those countries, sending trojan mails in their familiar language to their own people. So the count for China and S. Korea just reflects the fact that there are more hackers from these countries than from other countries.

Third, I think that the count is by IP/domain name. I think hackers also host the malicious web servers themselves. They get many IPs and domain names to point to a single web server to avoid detection/blocking. So the count of web servers cannot be seen as that many individual web servers. Maybe the hackers from China and S. Korea/Russia are familiar with IIS/Apache, so they contribute many, many counts from a physically single IIS/Apache.

Last, most people who install Apache do so because they want to run a web site. They should open their site often. If there are any problems they will know at once and try to clear them. But many people who install IIS do so just because Windows installs and enables it by default. (I have forgotten which Windows version does that.) They never open the site on localhost; they don't even know they have a web site on their computer. So they don't know their IIS is being used for distributing malware. The malicious IIS servers live for a long time, so the statistics show that the rate of malicious IIS is higher than the rate of all IIS.
Ermm, I'm kinda new to blogs but anyway, what the heck.. In my own opinion Apache is much safer compared to IIS, and why am I saying so?? Because it's M$'s own fault for causing so. M$ detected in IIS 5.0 a loophole that allows hackers to exploit it, and it provided the technical details for all to view on where and how to actually exploit the loophole (which in my own terms is pretty idiotic). And at the same time no patch or solution was provided (ain't that similar to blowing your own whistle).. And the solution provided is nothing much, just the usual: please upgrade to an updated version of M$ products, IIS 5.0 to IIS 6.0 (hey!! IIS 6.0 wasn't optimized for WinXP/2000 initially, only Win2003 Servers), WinXP to Vista blablabla (why can't I remain with my legacy systems which I'm pretty comfortable with, and where the heck is my patch?? M$, YOU found it, then give me the solutions or workaround to the loophole, not just telling me Yeap!! OUR product is faulty so live with it; which I can't, sorry).. That's why Apache is in a better position: at least if a loophole is detected, though no patch is provided, some tweakers might have some ideas on setting the pace right, unlike M$, huh!! 1 billion dollars on research, what a waste.. I started to doubt the IQs of M$ software engineers.. Sigh, geniuses Yeah MY @SS

I too agree that some of these malware-spreading IIS servers may have been infected via another means (like a trojan) and the malware turned on the IIS service to infect others/do other evils.
It's a lot like spam botnets.
It is worth noting that the reason for the disparity of IIS in South Korea is likely due to the tie-in that S Korea has to Microsoft Operating Systems. More details here:
http://www.kanai.net/weblog/archive/2007/01/26/00h53m55s#003095
Makes interesting reading. Tied into the fact that S Korea has a large propensity for bots, which is not just due to their running MS products but also due to the large amounts of available bandwidth. It would be interesting to know how many of the compromised servers were home-based machines or hosted.
Given the stats in this article, though not a complete survey, the figures certainly hint at the growing concern, i.e. the world wide web is getting contaminated from every part of the world.
I knew that Apache was leading the way in the web server community but I did not realize the extent to which IIS and other windows web servers were trailing the hosting industry.