.

IIS vs. Apache: Re-Examining the Stats

<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Jul 06, 2007 3:44 pm

IIS vs. Apache: Re-Examining the Stats

If I haven't mentioned it before (and I'm sure I have), I'm a big fan of Roger Grimes. Maybe I should try to get him for ChicagoCon 2008?

Can IP addresses ever be used for accurate statistical analysis of malicious Web sites?

As a Microsoft employee, I try to avoid writing on areas that blatantly promote Microsoft. However, I think this question is generic enough to involve Microsoft in the discussion: Can IP addresses ever be used for statistical analysis of malicious Web sites?

I’ve been a malware fighter for more than 20 years. I consider myself fairly up-to-date on the subject of malicious mobile code, malware, hackers, and exploitation vectors in general.

So it was with surprise then that I read another of Google’s recent studies purporting that IIS Web servers were twice as likely to contain malware as Apache Web servers (although Apache and IIS Web servers contained malicious Web sites in equal numbers).

This astounded me for several reasons. First, my personal experience tells me it isn’t so. I run multiple IIS and Apache Web servers on my honeynet, and my Apache Web servers get 89 percent more hacking traffic than my IIS servers.  Most of the traffic is PHP/CGI/MySQL based. This is not unexpected, as the Internet contains at least twice as many Apache Web servers, and popularity draws malicious hacking.

Second, in general and contrary to traditional wisdom, the average Apache Web administrator has less security knowledge than the average IIS administrator. I find Apache Web administrators much more likely to download and use dubious code from the Internet (which a previous Google study revealed often contained malware).

While both types of Web administrators, in general, really don’t care about security, IIS is helped by the fact that it has had only three published vulnerabilities over the last four years, as compared to Apache’s 33.

Even if we include application coding errors, ASP and ASP.Net compare favorably against PHP and CGI. PHP proponents are desperately trying to put more security into PHP, but there's a ton of insecure PHP applications out there — just read one of the many vulnerability lists.

Maybe hackers are breaking in using SQL injection or back-end database vulnerabilities? MS-SQL hasn’t had a severe vulnerability since 2003, while Oracle, MySQL, and other databases have had dozens to more than 100.

IIS 6 comes secure by default. Unless the administrator goes out of their way to make it vulnerable or unless the application adds a vulnerability, it’s very secure. When Apache is installed, its defaults are more permissive and less secure.

But the mental kicker for me is my knowledge of Web site infectors. Most Web sites are not maliciously modified by individual hackers. Like client-side attacks, most Web site infections are automated. The most popular Web site attack tool, Web Attacker Toolkit, is responsible for 30 to 80 percent of all infected Web sites, depending on whose statistics you believe. It is a PHP/CGI infector. The MPack Web site infection tool, which is in the press these days for its large-scale infections, again, infects PHP-based Web sites. I’ve yet to come across a Web site attacking tool on the same scale for IIS.

I like Google and the many fine folks who work there. I’ve written positively about their related research recently. But aside from my own personal experiences and knowledge, another recent post from the Washington Post's security blog made me question Google’s summary conclusions.


For complete story:
http://www.infoworld.com/article/07/06/ ... ise_1.html

Don
CISSP, MCSE, CSTA, Security+ SME
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Sun Jul 08, 2007 12:15 am

Re: IIS vs. Apache: Re-Examining the Stats

I found the story fasinating and had a good chuckle at the flame war that kicked off about a couple of comments.

I sure Roger would make a great and entertaining speaker do you think you could con him in to doing an couple of pieces on some of the bad habits or mistakes he's found during his time pen testing?

It would make great reading for either side of the fence on what should be avoid or looked for :-)
<<

jimbob

Post Tue Jul 10, 2007 3:38 am

Re: IIS vs. Apache: Re-Examining the Stats

"It doesn't matter why they're dressed as a tiger, have they got my leg?"

Web servers are just the delivery vehicle for exploits, it hardly seems important what flavour it is. The guys at Google must have a lot of spare time on their hands, perhaps they want to catalog every Internet statistic ever?

Commenting that Apache is only popular because it's free would almost make you think that Roger is on the verge of comprehending the whole point of the free software movement  ;)

Jim
<<

psychorugger

Newbie
Newbie

Posts: 12

Joined: Tue Dec 05, 2006 10:57 am

Location: DC, Maryland

Post Tue Oct 02, 2007 12:44 pm

Re: IIS vs. Apache: Re-Examining the Stats

True or not... that's why there's such a high demand for security professionals. 

Plus apache is free, and I love me some apache, but then I'm a big supporter of open source.  And now that includes OpenSolaris.  Woohoo!

I agree that Microsoft does many things well, but it's just so expensive.
Last edited by psychorugger on Tue Oct 02, 2007 12:50 pm, edited 1 time in total.
IAM, IEM, RWSP, CPTS
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Oct 09, 2007 11:40 pm

Re: IIS vs. Apache: Re-Examining the Stats

Hmm, well I guess its a sad truth that anyone that is from Microsoft makes one a little skeptical, but I have to admit I am.  I have found it is really is up to the Admin and have found Apache as secure if updated and applied correctly.  I do understand how someone can react that is very close to something like IIS and even  more so if they are involved in writing the code. Its your baby and you will defend it to the death, but is that really objective?  It would be interesting to have someone involved with writing Apache to do a counter to this. 

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software