Web Server Software Breakdown: Malware Distribution

A great write-up on the Google Online Security Blog about the percentage of each web server platform that is distributing malware or hosting browser exploits that lead to drive-by-downloads.

We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads. The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators.

Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server. Amongst Microsoft IIS servers, the share of IIS 6.0 and IIS 5.0 remained the same at 80% and 20% respectively. Source: Web Server Software and Malware

Now, I can already hear the Linux and Mac crowd going "of course they are number one, their security sucks", etc. What is interesting about this post is the breakdown by country of origin.

Figures (from the source post): Web server distribution by country; Malicious web server distribution by country.

See that? Almost all of the IIS web servers in China and about 75% of them in South Korea are distributing malware or hosting browser exploits. The article attributes that to software piracy, mostly because you can’t update it if it is pirated, of course, but I am sure part of it is that it makes it easier to host the browser exploits and malware, etc. In Germany, though, Apache is the most likely web server to get you infected, in contrast to most other areas. Always try to keep your web server software as patched as you can, and only host with companies that are proactive about doing such things, if there are any out there.

There are several tools out there that can help you check your website to see if it is distributing malware. One such tool is SpyBye, and on their site they list a couple of others.

During HotBots last month, I presented a paper on a systematic approach for detecting malware on the web called “The Ghost In The Browser”. The paper enumerates all the different ways in which a web page can become malicious and contains some measurements on the prevalence of drive-by-downloads; an in-depth analysis of 4.5 million URLs detected 450,000 that were surreptitiously installing malware. All the more reason for tools such as SpyBye. Fortunately, I am not the only one working on such tools. Christian Seifert from the New Zealand Honeypot Alliance recently announced a web interface to their Capture honey client, which runs a browser against URLs specified by you. In a similar vein, Shelia is a tool that scans your mail folder and follows URLs contained in it for malware and exploits. Source: SpyBye: Finding Malware

I believe the author was one of the writers of the Ghost in the Browser paper, which I first mentioned here.