A new study by Google's Anti-Malware Team seems to confirm what many people have believed for years: Web sites running Microsoft's IIS are twice as likely to host malware as those running Apache.

Last month, Google studied about 70,000 malware-distributing domains. IIS servers accounted for 49 percent of the malware market—the same percentage as Apache. ("Other" servers accounted for the remaining 2 percent.) But Google's survey of 80 million domain names found that IIS runs on 23 percent of web sites compared to 66 percent for Apache. "Compared to our sample of servers across the Internet, Microsoft IIS features twice as often (49 percent vs. 23 percent) as a malware distributing server," writes Nagendra Modadugu of the Google Anti-Malware team.

A much smaller market share and a similar number of exploits mean IIS has some explaining to do, and Google offered some. Modadugu notes that in countries where software piracy is rampant—think China and other Asian countries—automatic updates may not be enabled, and patches may not be available, making those servers easier to compromise. Of course, Modadugu also says that "while many servers serve malware as a result of a server compromise... some servers are configured to serve up exploits by their administrators." Do bad guys prefer GUIs?

You have to go to a previous Google study (PDF) to find what may be the single biggest reason for the discrepancy. In "The Ghost In The Browser: Analysis of Web-Based Malware," Google noted that "web-based malware infection has been enabled to a large degree by the fact that it has become easier to setup and deploy Web sites." Anyone can do it! And when one of your main selling points is ease of use, we should not be surprised if the less security-conscious among us gravitate toward IIS.