Google Says Microsoft Web Servers are Used to Distribute Malware


Paul Thurrott

June 6, 2007


Microsoft's Internet Information Services (IIS) Web servers are more than twice as likely as the open source Apache Web server to deliver malware to unsuspecting users, according to a recent security survey performed by Internet search giant Google. That's quite an allegation, coming as it does from one of Microsoft's chief competitors.

Google made the revelation from its Online Security Blog. "We investigate[d] the distribution of Web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads," wrote Nagendra Modadugu, a member of Google's anti-malware team. "We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads."

According to the survey, Microsoft IIS shows up as a malware-distributing server twice as often as Apache--49 percent vs. 23 percent. This comes despite the fact that Apache appears to be in use on far more servers worldwide than IIS. The majority of that malware appears to originate from China and South Korea, according to Google. (Curiously, most malware coming out of Germany is actually sent via Apache, not IIS.)

Google reports that IIS is likely used to distribute malware more often than Apache because many IIS installs are on pirated Windows versions that aren't configured to automatically download patches. (Even pirated Windows versions can automatically receive security fixes, however.) "Our analysis demonstrates how important it is to keep web servers patched to the latest patch level," Google notes.

While I can't quibble with the data per se, I find it interesting that Google used this survey to promote Apache over an Internet product made by its chief competitor. Google notes that, in its research, there was "a slightly larger fraction of Apache servers compared to the Netcraft web server survey," suggesting that Apache actually has higher market share than reported. Coincidentally, perhaps, Netcraft recently reported a drop in Apache market share, due largely to Google's Web servers being removed from under the Apache banner.

Microsoft, incidentally, says that the Google survey doesn't provide enough data to draw any conclusions. "It is difficult to draw any viable conclusions about the security of the Web servers mentioned or what the intended use of a given Web server was in this particular investigation," a Microsoft spokesperson said. "As the blog points out, the administrator's intended use could be to intentionally distribute malware."


About the Author

Paul Thurrott

Paul Thurrott is senior technical analyst for Windows IT Pro. He writes the SuperSite for Windows, a weekly editorial for Windows IT Pro UPDATE, and a daily Windows news and information newsletter called WinInfo Daily UPDATE.
