IIS versus Apache: Re-examining the statistics

But the mental kicker for me is my knowledge of Web site infectors. Most Web sites are not maliciously modified by individual hackers. Like client-side attacks, most Web site infections are automated. The most popular Web site attack tool, Web Attacker Toolkit, is responsible for 30 to 80 percent of all infected Web sites, depending on whose statistics you believe. It is a PHP/CGI infector. The MPack Web site infection tool, which is in the press these days for its large-scale infections, again, infects PHP-based Web sites. I've yet to come across a Web site attacking tool on the same scale for IIS.

I like Google and the many fine folks who work there. I've written positively about their related research recently. But aside from my own personal experiences and knowledge, another recent post from the Washington Post's security blog made me question Google's summary conclusions.

The article discusses how one Web hosting company, IPOWER, is potentially responsible for more than 250,000 malicious Web sites. I doubt the figure is anywhere accurate, but it's based on the fact that nine of IPOWER's Web servers contained 2,650 malicious Web sites (33 percent of the 8,192 virtual Web servers).

What are those servers running? No surprise: Apache and PHP.

Whether or not you believe the larger number or just the 33 percent figure, it reveals that IPOWER appears to average about 910 virtual Web sites per server.

The study in which Google purports that IIS is twice as likely to contain malware includes the following disclaimer: "Note that these figures may have some margin of error as it is not unusual to find hundreds of domains served by a single IP address." Essentially, any Web server containing multiple virtual Web sites will cause the Google study to have sampling error.

In the IPOWER case alone, the sampling error appears to be 30,000 percent (9 servers serving up 2,650 malicious Web servers). I think any reader would generally agree that Apache Internet Web servers are significantly more likely to host multiple Internet Web sites on a single server than IIS.

How many Web servers used in the Google study contained multiple malicious Web sites? According to my research, it is not an insignificant amount. And when I find them, the servers often contain dozens to hundreds, if not thousands, of malicious Web sites. This is because the Web hosting firm has not patched the Apache software or uses a management add-on that's long known to be vulnerable. One compromise leads to hundreds.

If this is the case, is it ever possible to accurately relay IIS vs. Apache malicious statistics based upon IP addresses alone? I contend that the potential sampling error is just too large for this to be successful. How large is it? I contacted Google and members of the research team directly to ask for more clarification on their findings. I was just pointed back to the same published report. I then told them that if I could have the IP addresses used in the study, I would do my own analysis, even if it required a nondisclosure agreement. I want to find the truth, because the truth is important than whether the outcome supports IIS or Apache.

So far, they've not responded to my requests for the data.