Robert Hensing's Blog

Software Security . . . and stuff.

Whoa - Google Online Security team releases pwn3d server stats!


Wonder if they read my blog on the topic?

http://googleonlinesecurity.blogspot.com/2007/06/web-server-software-and-malware.html

Well the bad news (for me) is that it definitely looks like I was wrong in my theory that Apache / IIS would have a 75/25 break-out in terms of pwnage.
But at least I now have the data to know that I'm wrong so I'm still happy at the end of the day because now people can *tell* me I was wrong (with authority).

It looks like, from this report, that Google is saying the distribution of malware servers running IIS vs. Apache is dead even at 49%/49% which makes things slightly worse for IIS when you consider that it only has 23% of the overall web server market (according to GOOG) vs. Apache's 66%.  Gulp.

I was scratching my head trying to figure out what's up with that and then I got to the bottom of the report where it shows the web server software usage by country where it appears that every IIS server in China and S. Korea is pwned. :) 

I find the break-out of server software by country and pwn3d server software by country very interesting indeed . . . Kudos to the Google folks for being less evil and publishing these stats!!!

EDIT:  I caught some flack from some skeptical folks who see this as more evidence of Google being evil and trying to make us look bad. 
It's one of those strange "damned if you do damned if you don't" situations for Google (and I can certainly sympathize with that) I suppose . . . if they DON'T release the data - then I accuse them of trying to cover up for Apache / Linux - if they DO release the data and it paints us bad - we accuse them of trying to make US look bad.  If they release the data and it paints Apache / PHP badly - they get flack from one of their core, most passionate communities - the OSS crowd and the Penguinistas.

It's a no win for Google it would seem . . . been there - done that. :)

So then there are articles like this: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9023859 that try to defend us when I don't really think it's needed or necessary.

Trying to explain how or why the IIS numbers look the way they do - at the end of the day - doesn't change the fact that IIS is more likely to be hosting an Internet Explorer drive-by - and THAT is the information I care about . . .
I know that IIS6 is the most secure web server you can run based on vuln count alone . . . but if it's still the most popular web server amongst Internet drive-by wielding miscreants then we need to figure out what's going on and why and not waste mental energy trying to rationalize and spin things away . . .

This is not a hard mental exercise - there are really only two possible explanations for the statistics in a couple of regions of the world (cough China cough):

  1. Legitimate businesses are having their IIS5 / IIS6 servers owned in order to distribute malware in greater numbers than the rest of the world.
    1. This is unlikely to be happening via actual IIS exploits (more likely SQL injection attacks, or OS level vulns or good old fashioned weak passwords and password guessing).
  2. Internet drive-by crews are registering domain names in China / S. Korea (and other places) and pointing them either at IIS based hosting providers or they are using their own IIS based servers to distribute the drive-bys.
    1. Maybe drive-by crews prefer coding in ASP / ASPX  / .NET vs. PHP / Perl. :)

If it's 1. - that's bad for us as it means we still have a way to go in terms of server security for the 'average' Windows admin. 
If it's 2 above - well there's not much we can do about that - if you're popular, you're popular. :) 

I personally believe a fair amount of both are happening and while it is interesting to ponder the why - it should not detract from the value of the underlying raw statistics which I will presume are valid and not made up.

Comments
  • Thanks for posting this.  I, and others, respect you for that.  Many people with a blog would hedge when faced with contradicting information.

  • Thanks chudler - I just updated this blog with some additional information and thoughts on the topic.
