Researchers: Maybe IIS issues not Microsoft's fault

Google found IIS servers more likely to spew malware than those running Apache

Independent security researchers agreed that Google was on the right track Tuesday when it claimed sites running Microsoft's Web server are twice as likely to host hacker code as sites that rely on servers operating open-source software.

But they caution against jumping to conclusions.

"The vulnerability of the Web server [software] isn't the whole picture," said Zulfikar Ramzan, a senior principal researcher in Symantec's security response group. "The administrator might not have configured it properly, or a third-party package on the server could have been compromised."

According to Google's survey of 70,000 domains actively distributing malware or hosting browser exploits aimed at drive-by attacks, servers using Microsoft's Internet Information Services (IIS) 5.0 or IIS 6.0 software were more than twice as likely to spew malicious code as servers running open-source Apache. Within the IIS results, 80 percent of the malware-hosting servers were running the most current version of the software, IIS 6.0.

But because IIS 6.0's security reputation is actually very good -- Danish bug tracker Secunia ApS lists just three vulnerabilities since the software's 2003 release, all of which have been patched -- researchers have reached for causes to explain Google's data.

"There are all kinds of different things that could skew the results toward IIS," said Ramzan, who then ticked off everything from administrator error and administrator maliciousness to geographic location and the operating system atop which the software runs. Ramzan also mentioned, as did Google researcher Nagendra Modadugu, that IIS looked to be the server software of choice for attackers based in Asia, especially China. "One speculation is that some of these [IIS] licenses are not legitimate, and so the server's unpatched."

Microsoft blocks pirated copies of Windows Server 2003 -- atop which IIS runs -- from receiving some security updates and patches, which could leave them vulnerable to attack.

Even more likely, Ramzan said, servers are being compromised through other applications, including apps from vendors other than Microsoft, and malicious code is then added to the system and the Web sites it operates. "I don't think it's due to the specific vulnerabilities in IIS."

Another researcher offered different answers for IIS' malicious code problem. "It may simply be that the overall platform exploitability on Windows is still higher than platforms that are typically being used to run Apache," said Minoo Hamilton, senior security researcher with nCircle Network Security. Most servers running the Apache HTTP Server rely on Unix as their operating system. "If you can get a remote exploit in some other service on the Web server platform, you can install or host your malware," Hamilton said.

Another possibility, he added, is that there may be some correlation between the natively-supported server-side technologies and the distribution of related browser exploit code. "The frequency of Active Server Page- or ActiveX-related vulnerabilities could affect the distribution of related malware from IIS," Hamilton said. Active Server Page is Microsoft's server-side script engine for cranking out dynamically-generated Web pages.

No matter what's behind the dominance of IIS among servers hosting sites distributing attack code, Google's first foray into this kind of data mining can't be expected to answer every question. "This gives us an indication of what [weakness] we should look for in the future," said Ramzan. "Now we can dig into servers further."

Microsoft officials did not reply to an offer to discuss their take on Google's data.


Gregg Keizer

Computerworld