Websites running Microsoft’s web server software are twice as likely to be hosting malicious code as other sites, Google has claimed in new research.
Last month, Google looked at 70,000 domains that were either distributing malware or hosting attack code. Nagendra Modadugu, at the company’s anti malware group, wrote in a blog: “Compared to our sample of servers across the internet, Microsoft IIS features twice as often as a malware distributing server.”
Together, IIS (Internet Information Services) and Apache servers host about 89% of all websites, but collectively they are responsible for 98% of all web-based malware.
Google found an equal number of Apache and IIS web sites hosted malicious software, but malicious sites make up a much larger percentage of all IIS servers because 66% of sites are hosted by Apache servers as opposed to 23% by Microsoft.
Modadugu did not draw any conclusions about whether this means that Microsoft servers are more likely to be hacked, writing only: "It is important to note that while many servers serve malware as a result of a server compromise ... some servers are configured to serve up exploits by their administrators."
The malware server of choice varied from region to region. In China and South Korea, the majority of malicious websites are running IIS. In the US, Russia and Germany, Apache is the predominant malware server.
Modadugu speculated that the servers in China and South Korea may be running pirated software and unable to receive Microsoft's latest security updates.
The fact that IIS is so easy to use may account for the problem. Cesar Cerrudo, chief executive at security research firm Argeniss, claims it is easier to operate an IIS web server than an Apache web server: "People who are not too skilled will install Windows and set up a web server with weak configuration."
But Cerrudo was not convinced that solid conclusions could be drawn: "The report says that 70,000 domains were examined but what about if 5,000 domains are in the same web server in China? It's pretty easy playing with numbers and concluding. A lot more data is needed."
Microsoft and Apache did not immediately respond to messages seeking comment.