This Google report aims to shed light on the relationship between web server software and malicious websites. The survey analyzed roughly 80 million domains by sending requests to them and examining the 'Server:' HTTP header in the responses.


Possibly to avoid being fingerprinted and attacked, about 35% of the sampled Apache servers provided no version information; the three most common reported versions were 1.3.37 (15%), 1.3.33 (7.91%) and 2.0.54 (6.25%).

Among the IIS servers, version 6.0 dominated at roughly 80%, followed by IIS 5.0.

Because the samples were gathered by a crawler automatically fetching each site's root URL, sites whose front page could not be retrieved were not included; this may be why the results differ from Netcraft's latest survey.



Compared with the overall web server share reported above, Microsoft IIS appears twice as often among servers hosting malware (49% vs. 23%), while its version split is about the same, with IIS 6.0 to IIS 5.0 at roughly 8:2.

The version distribution of malware-hosting Apache sites is different: 1.3.37 (50%), 1.3.34 (12%) and 1.3.33 (5%), with 21% reporting no version at all. Incidentally, 1.3.37 is the latest release in the Apache 1.3 series, so its high share here is somewhat surprising.


The chart on the left shows the share of Apache, IIS and nginx web servers by country; although individual countries differ, Apache holds the majority overall. The chart on the right shows, by country, the platform distribution of sites distributing malware or containing malicious links.

Interestingly, although China and South Korea both have large numbers of Apache sites, their malicious sites are clearly dominated by IIS. We suspect this may be because software piracy rates are higher in these two countries (see the statistics from NationMaster and the BSA), so some hosts cannot obtain Microsoft's security updates (because of WGA and similar checks).

Overall we see several different situations: in Germany, malicious sites are more often on Apache than on IIS, while in Asia the reverse holds (which is what pushes IIS's share of malicious servers up to 49%). In summary, the analysis shows how important it is to keep web server software up to date.



Web Server Software and Malware

Tuesday, June 5, 2007 9:30 AM

Posted by Nagendra Modadugu, Anti-Malware Team

In this post, we investigate the distribution of web server software to provide insight into how server software is correlated to servers hosting malware binaries or engaging in drive-by-downloads.

We determine the web server software, and its version where it is reported, by examining the 'Server:' HTTP header that most web servers send. A survey of servers running roughly 80 million domain names reveals the web server software distribution shown below. Note that these figures may have some margin of error: it is not unusual to find hundreds of domains served by a single IP address, and the header is self-reported, so it reflects whatever the server (or a proxy in front of it) chooses to announce.

Web server software across the Internet.

Web server software distribution across the Internet.

Our numbers report a slightly larger fraction of Apache servers compared to the Netcraft web server survey. Our analysis is based on crawl information and only root URLs were examined, therefore hosts that did not present a root URL (e.g. /index.htm) were not included in the statistics. This may have contributed to the disparity with the Netcraft numbers.

Amongst Apache servers, about 35% did not report any version information. Presumably the lack of version information is considered to be a defense against version-specific attacks and worms (Apache's ServerTokens directive lets an administrator reduce the header to a bare "Apache"). We observed a long tail of Apache server versions; the top three detected were 1.3.37 (15%), 1.3.33 (7.91%), and 2.0.54 (6.25%).

Amongst Microsoft servers, IIS 6.0 is by far the most popular version, making up about 80% of all IIS servers. IIS 5.0 made up most of the remainder.
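The 'Server:' header survey described above, reduced to code as an added example (this is not code from the post or from Google's crawler): a small parser that maps a raw header value to a product and optional version, plus a tally that reproduces the two breakdowns the post uses, the product share across hosts and, within each product, a version split with a "no version" bucket for servers that withhold it. The sample header values are constructed for illustration, and the product map, the fetch helper and all function names are assumptions of this example.

```python
import collections
import http.client
import re
import urllib.parse

# Map the leading product token of a Server header onto the buckets the post
# uses. Anything else (lighttpd, Zeus, ...) is counted as "other"; a missing
# header is counted as "none". This mapping is an assumption of the example.
_PRODUCTS = {
    "apache": "Apache",
    "microsoft-iis": "IIS",
    "nginx": "nginx",
}

# "Apache/1.3.37 (Unix) mod_ssl/2.8.28" -> product "Apache", version "1.3.37".
# The version is optional: a bare "Apache" (ServerTokens Prod) and "Apache/2"
# (ServerTokens Major) both parse, the latter keeping the truncated version.
_TOKEN = re.compile(r"^\s*([A-Za-z][\w.-]*)(?:/(\S+))?")


def parse_server_header(value):
    """Return (product, version) for a raw Server header value.

    product is "Apache", "IIS", "nginx", "other", or "none" when the header is
    absent; version is None whenever the server does not disclose one.
    """
    if value is None or not value.strip():
        return ("none", None)
    m = _TOKEN.match(value)
    if not m:
        return ("other", None)
    name, version = m.group(1), m.group(2)
    product = _PRODUCTS.get(name.lower(), "other")
    if version is not None and not re.match(r"^\d", version):
        version = None  # e.g. "Apache/Foo": not a version number
    return (product, version)


def tally(headers):
    """Product share in percent, and per-product version counts.

    Mirrors the post's breakdown: an overall product split plus, within each
    product, a version split with a "no version" bucket for hidden versions.
    """
    products = collections.Counter()
    versions = collections.defaultdict(collections.Counter)
    for h in headers:
        product, version = parse_server_header(h)
        products[product] += 1
        versions[product][version or "no version"] += 1
    total = sum(products.values())
    shares = {p: round(100.0 * n / total, 2) for p, n in products.items()}
    return shares, {p: dict(c) for p, c in versions.items()}


def fetch_server_header(url, timeout=5):
    """GET the root URL, as the crawl did, and return the raw Server header.

    Not exercised by the offline sample below; it is here so the parser can be
    pointed at live hosts. A reverse proxy or CDN in front of the origin answers
    with its own Server value, so the result describes the edge, not the origin.
    """
    u = urllib.parse.urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": u.netloc,
                                          "User-Agent": "server-survey/0.1"})
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample (not data from the post), shaped to hit every branch:
# hidden version, major-only version, unmapped product, missing header.
SAMPLE_HEADERS = [
    "Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7a",
    "Apache/1.3.37 (Unix) PHP/4.4.7",
    "Apache/1.3.33 (Debian GNU/Linux)",
    "Apache/2.0.54 (Fedora)",
    "Apache",             # ServerTokens Prod
    "Apache/2",           # ServerTokens Major
    "Microsoft-IIS/6.0",
    "Microsoft-IIS/6.0",
    "Microsoft-IIS/5.0",
    "nginx/0.5.26",
    "lighttpd/1.4.13",
    None,                 # no Server header at all
]

if __name__ == "__main__":
    shares, versions = tally(SAMPLE_HEADERS)
    for product, pct in sorted(shares.items(), key=lambda kv: -kv[1]):
        print(f"{product:8s} {pct:6.2f}%  {versions[product]}")
```

Running the sample puts Apache at 50% of the constructed hosts with one of six hiding its version, which is the same shape as the post's 35% bucket. Because the header is self-reported and trivially rewritten (ServerTokens, a filtering module, or a proxy in front of the origin), figures derived this way are a lower bound on a product's real share and say nothing about whether the reported version is actually the patched build running.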

Web server software across servers distributing malware.

We examined about 70,000 domains that over the past month have been either distributing malware or have been responsible for hosting browser exploits leading to drive-by-downloads. The breakdown by server software is depicted below. It is important to note that while many servers serve malware as a result of a server compromise (by remote exploits, password theft via keyloggers, etc.), some servers are configured to serve up exploits by their administrators.

Web server software distribution across malicious servers.

Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49% vs. 23%) as a malware distributing server. Amongst Microsoft IIS servers, the share of IIS 6.0 and IIS 5.0 remained the same at 80% and 20% respectively.

The distribution of top featured Apache server versions was different this time: 1.3.37 (50%), 1.3.34 (12%) and 1.3.33 (5%). 21% of the Apache servers did not report any version information. Incidentally, version 1.3.37 is the latest Apache server release in the 1.3 series, and it is hence somewhat of a surprise that this version features so prominently. One other factor we observe is a vast collection of Apache modules in use.

Distribution of web server software by country.



The figure on the left shows the distribution of all Apache, IIS, and nginx web servers by country. Apache has the largest share, even though there is noticeable variation between countries. The figure on the right shows the distribution, by country, of web server software on servers either distributing malware or hosting browser exploits. It is very interesting to see that in China and South Korea, a malicious server is much more likely to be running IIS than Apache.

We suspect that IIS features more prominently in these countries because of a combination of factors: first, automatic updates have not been enabled because of software piracy (piracy statistics from NationMaster and the BSA), and second, some security patches are not available for pirated copies of Microsoft operating systems. For instance, the patch for a commonly seen ADODB.Stream exploit is not available to pirated copies of Windows.

Overall, we see a mix of results. In Germany, for instance, Apache is more likely to be serving malware than Microsoft IIS, relative to the overall distribution of these servers. In Asia, we see the reverse, which is part of the reason Microsoft IIS has a disproportionately high representation, at 49%, among malware servers. In summary, our analysis demonstrates how important it is to keep web servers at the latest patch level.

