Deluge of Browser Security Issues Drives Mass Migration
Netcraft has observed a surge in popularity of the Lynx browser, particularly since the recent Pwn2Own competition, which was held at the CanSecWest conference in Vancouver last month. During the course of the competition, security researchers once again exposed fresh vulnerabilities in Internet Explorer, Firefox and Safari.
Financial institutions have noted that the Lynx browser is particularly suitable for online banking, as it supports the latest cryptographic ciphers used in ecommerce, and is immune to attacks via JavaScript, Flash and other multimedia content. Lynx's algorithms for dealing with such threats are so comprehensive, it is just as safe as if the multimedia content was not there.
User Agent share at FNB Oki Koki
April Erste, Public Relations Manager at the First National Bank of Oki Koki, told Netcraft that users are migrating to Lynx because of its speed and advanced security features. She added: "Lynx has not once suffered a buffer overflow in its image processing, and indeed has suffered no security vulnerabilities at all in the last 2 years." By comparison, the most recent Firefox security update was only 4 days ago.
The bank also notes that Telnet remains popular with a small group of its customers. Although it lacks the sophisticated user interface of Lynx, many security experts argue that Telnet is significantly more secure and has the largest installed base of any browser.
Erste said that while the bank is dedicated to providing an accessible online banking experience, some customers still report difficulties when trying to make HTTPS requests through Telnet without the aid of an extended keyboard layout.
A customer navigates the bank's online portal using Telnet
One factor that has held back wider adoption of Lynx is its lack of protection against phishing. As with other web browsers, it can be difficult to tell a genuine bank website from a well-constructed lookalike. To bolster Lynx's growing footprint in the browser market, Netcraft has released the Netcraft Toolbar for Lynx. This free add-on blends in at the top of every web page, and not only protects Lynx users against phishing attacks, but the beautiful text-based rendition of the Netcraft logo is sure to brighten anyone's day.
-
March 2009 Web Server Survey
In the March 2009 survey, we received responses from 224,749,695 sites. This has brought the total up by more than 9 million sites, with QQ and Microsoft making the most significant contributions. Apache remains in the lead with a total of 104 million sites, while Microsoft-IIS's gain of 3.3 million sites (mostly consisting of new Windows Live blogs) brings its total up to 66 million.
After storming into the survey last month, this month sees QQ gain a further 8.9 million sites. QQ now hosts nearly 29 million Qzone sites under the qzone.qq.com domain, all of which are served by its own QZHTTP server. Little is known about this server, although people have noticed a similarity that suggests QZHTTP may be a customised version of thttpd.
Although it is generally uncommon for websites to use fake Server headers, there are some cases that stand out more than others. One relatively prevalent example is ZX_Spectrum/1997 (Sinclair_BASIC), which is used by a Russian company to serve 0.02% of the world's websites. The ZX Spectrum was an 8-bit personal home computer released in 1982, but it was discontinued two years before the World Wide Web even existed.
Which servers do the busiest sites use?
With almost a quarter of a billion websites found by this month's survey, it is timely to show which web servers run the busiest sites on the web.
Using traffic data compiled by aggregating visits from the Netcraft Toolbar community, we have determined the web servers used by the million busiest websites on the Internet. Examining a fixed number of high traffic sites produces a less volatile view which is uninfluenced by parked domains or the majority of personal sites, shared hosting accounts and blogs.
The clear leader amongst web servers used by the million busiest websites is Apache with a 66% share. It has a 47% lead over its closest competitor, Microsoft-IIS, much greater than on the web as a whole.
Server Share amongst the Million Busiest Sites, March 2009
Total Sites Across All Domains August 1995 - March 2009
Top Developers
Developer    February 2009    Percent    March 2009     Percent    Change (percentage points)
Apache         104,796,820     48.59%    104,178,852     46.35%    -2.24
Microsoft       62,935,449     29.18%     66,229,250     29.47%     0.29
qq.com          20,021,763      9.28%     28,905,129     12.86%     3.58
Google           8,157,546      3.78%      5,403,930      2.40%    -1.38
nginx            3,447,596      1.60%      3,838,784      1.71%     0.11
-
New York Internet was the Most Reliable Hosting Company Site in February 2009
Rank  Company site                OS                    Outage     Failed   DNS (s)  Connect (s)  First byte (s)  Total (s)
                                                        hh:mm:ss   Req%
   1  New York Internet           FreeBSD               0:00:00    0.005    0.011    0.057        0.117           0.255
   2  www.uk2.net                 Linux                 0:00:00    0.011    0.054    0.037        0.080           0.157
   3  Server Intellect            Windows Server 2003   0:00:00    0.011    0.008    0.068        0.140           0.396
   4  WebFusion                   Linux                 0:00:00    0.011    0.005    0.071        0.153           0.373
   5  Pair Networks               FreeBSD               0:00:00    0.011    0.009    0.074        0.151           0.373
   6  Swishmail                   FreeBSD               0:00:00    0.016    0.010    0.050        0.102           0.220
   7  ReliableServers.com         unknown               0:00:00    0.016    0.009    0.060        0.120           0.172
   8  INetU                       unknown               0:00:00    0.016    0.010    0.074        0.157           0.295
   9  Softlayer Technologies Inc  unknown               0:00:00    0.016    0.023    0.079        0.162           0.492
  10  www.dinahosting.com         Linux                 0:00:00    0.016    0.081    0.082        0.287           0.591
New York Internet was the most reliable hosting company site during February 2009, failing to respond to only one of the requests made by Netcraft's performance collectors throughout the month.
New York Internet was closely followed by UK2, Server Intellect, WebFusion and Pair Networks; each of which failed to respond to two requests in February.
This month's victory marks a hat trick for New York Internet, which also came joint first in the previous two months: January and December.
Established in 1996, New York Internet is located in the heart of the Wall Street area and owns and maintains its own data centers. The company's core services include dedicated servers, colocation and virtual web hosting. The company's main website is served by Apache running on FreeBSD.
FreeBSD is used by three of February's most reliable hosting company sites, with another three using Linux and one using Windows Server 2003.
-
Extended Validation SSL Certificates 2 Years Old
Two years after their first appearance in the Netcraft SSL Survey, there are now more than 11 thousand Extended Validation (EV) SSL certificates in use on the Web. Despite enjoying two years of continued growth, EV SSL certificates still only make up around 1% of all SSL certificates in use on the Internet.

Nearly all modern browsers now support EV SSL certificates by colouring all or part of the address bar in green.
The proportion of EV SSL certificates rises considerably amongst the world's busiest websites, as shown by Netcraft's top 1 million sites dataset. In general, it seems, the more traffic an SSL site has, the more likely it is to use an EV certificate, and in particular, more than a quarter of the SSL certificates within the top 1,000 sites have extended validation.
Population       SSL Certificates    EV SSL Certificates    EV SSL Share
All Sites               1,028,868                 11,300            1.1%
Top 1,000,000              45,851                  2,662            5.8%
Top 100,000                 7,012                    710           10.1%
Top 10,000                    712                    115           16.2%
Top 1,000                      60                     17           28.3%
-
February 2009 Web Server Survey
In the February 2009 survey we received responses from 215,675,903 sites. This reflects a phenomenal monthly gain of more than 30 million sites, bringing the total up by more than 16%.
The majority of this month's growth is down to the appearance of 20 million Chinese sites served by QZHTTP. This web server is used by QQ to serve millions of Qzone sites beneath the qq.com domain.
QQ is already well known for providing the most widely used instant messenger client in China, but this month's inclusion of the Qzone blogging service instantly makes the company the largest blog site provider in the survey, surpassing the likes of Windows Live Spaces, Blogger and MySpace.
QQ's growth should not overshadow this month's other significant event: Apache has gained 7.8 million sites, making it the first vendor to be used by more than 100 million websites.
Microsoft-IIS gained 1.9 million sites, much of which came from Microsoft's own Windows Live Spaces service.
Total Sites Across All Domains August 1995 - February 2009
Top Developers
Developer    January 2009    Percent    February 2009    Percent    Change (percentage points)
Apache         96,947,298     52.26%      104,796,820     48.59%    -3.67
Microsoft      61,038,371     32.91%       62,935,449     29.18%    -3.72
qq.com                  3      0.00%       20,021,763      9.28%     9.28
Google          9,868,819      5.32%        8,157,546      3.78%    -1.54
nginx           3,462,551      1.87%        3,447,596      1.60%    -0.27
-
New Phishing Attacks Combine Wildcard DNS and XSS
A new wave of phishing attacks against eBay is exploiting a clever combination of wildcard DNS records and cross-site scripting (XSS) vulnerabilities to use other people's websites to help steal credentials from victims.
The first attacks using this combined method of wildcard DNS records and XSS were detected by Netcraft on February 10th, although the source code behind the attacks suggests that the planning had begun a day earlier. The attacks have continued to the present day, and the fraudulent eBay login form remains accessible through the wildcard domains.
Fraudsters launched the attack using a number of sites that host vulnerable versions of iRedirector Subdomain Edition. This PHP and MySQL based system allows website owners to use wildcard DNS records on their domains to forward subdomains like http://user.example.com to URLs like http://www.example.com/members/~username.
A cross-site scripting vulnerability on the affected iRedirector sites allows the fraudsters to inject framesets into specific pages. These framesets load content from one of the fraudsters' websites hosted in France at http://df0x.54.pl, which in turn loads an iframe located at http://0xdc4bdd88:88/ws/eBayISAPI.dll/. This injected iframe presents a fraudulent eBay login page, which prompts the victim to submit their eBay User ID and Password to a site hosted by Sudokwonkangnambonbujang in South Korea.
Because the vulnerable sites can be accessed via wildcard DNS records, the fraudsters have made the attacks look all the more convincing by making the hostnames look similar to those used by the genuine eBay login page. For example, the attack has used many hostnames that are similar to this:
The hostnames used in these attacks also contain a seemingly random string of hexadecimal digits. These are simply MD5 hashes of small integers. It is likely that this semi-random measure is being used to try and bypass simplistic firewalls or email filters, which may not recognise fraudulent URLs if part of the hostname changes.
The unobtrusive methods used in the current wave of attacks have obvious appeal to fraudsters — the wildcard DNS records mean that it's easy to use arbitrary hostnames for each attack, allowing each vulnerable site to be convincingly used for many different targets. Furthermore, there is no need for the fraudsters to fully compromise a website, as the cross-site scripting vulnerability allows the fraudulent content to be placed on the sites without gaining internal access to the server. Finally, all it takes is a simple Google search to find additional sites with the same vulnerabilities. The combination of these factors makes it entirely feasible to automate the whole process.
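As an added illustration of the hostname tricks described in this report (example code written for this page, not Netcraft's detection logic and nothing taken from the phishing kit itself), the following Python script applies three checks to a URL: it decodes an obfuscated numeric host such as the 0xdc4bdd88 iframe address into dotted-quad form, it recognises 32-digit hexadecimal labels that are MD5 digests of small integers, and it flags a brand name that appears as a subdomain label of an unrelated registrable domain. The first two checks follow directly from the report; the brand watch-list (only eBay), the 100,000 search bound for the MD5 preimages and the "last two labels" approximation of the registrable domain are assumptions made here, and the sample URLs are constructed.

```python
"""Hostname and URL checks for the wildcard-DNS + XSS phishing pattern above.

Added example; this is not Netcraft's code and not the fraudsters' kit. It
implements two observations taken directly from the report: hex labels in the
phishing hostnames are MD5 digests of small integers, and the iframe is served
from a hex-encoded IPv4 host (http://0xdc4bdd88:88/...). The brand check, the
search bound and the registrable-domain approximation are assumptions.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

HEX32 = re.compile(r"^[0-9a-f]{32}$")
NUMERIC_HOST = re.compile(r"^[0-9a-fx.]+$")

# Assumption: "small integer" means 0 <= i < LIMIT. md5(str(i)) is precomputed
# once so that checking each label is a dictionary lookup.
LIMIT = 100_000
_MD5_TABLE = {hashlib.md5(str(i).encode()).hexdigest(): i for i in range(LIMIT)}

# Constructed watch-list of brand labels; the report only names eBay.
BRANDS = {"ebay"}


def md5_small_int_preimage(label):
    """Return i if label == md5(str(i)) for some 0 <= i < LIMIT, else None."""
    label = label.lower()
    if not HEX32.match(label):
        return None
    return _MD5_TABLE.get(label)


def _inet_aton_part(part):
    """Parse one address component the way inet_aton() does:
    0x.. is hex, a leading zero means octal, anything else is decimal."""
    part = part.lower()
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def decode_numeric_host(host):
    """Rewrite an obfuscated numeric host (0xdc4bdd88, 3695959432,
    0334.75.0xdd.136) as a dotted quad; return None for ordinary hostnames."""
    host = host.lower()
    if not NUMERIC_HOST.match(host):
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_inet_aton_part(p) for p in parts]
    except ValueError:
        return None
    head, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in head):
        return None
    width = 4 - len(head)  # inet_aton: the last component fills the remaining bytes
    if not 0 <= last < 256 ** width:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * width)) | last
    return str(ipaddress.IPv4Address(value))


def analyse_url(url):
    """Apply all three checks to one URL and return the findings as a dict."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # Assumption: no public-suffix list here, so the registrable domain is
    # approximated by the last two labels (wrong for e.g. .co.uk).
    registrable = ".".join(labels[-2:])
    md5_labels = [(lab, md5_small_int_preimage(lab)) for lab in labels
                  if md5_small_int_preimage(lab) is not None]
    brand_in_subdomain = sorted(b for b in BRANDS
                                if b in labels[:-2] and b not in registrable)
    findings = {
        "host": host,
        "numeric_host": decode_numeric_host(host),
        "md5_labels": md5_labels,
        "brand_in_subdomain": brand_in_subdomain,
    }
    findings["suspicious"] = bool(findings["numeric_host"] or md5_labels
                                  or brand_in_subdomain)
    return findings


if __name__ == "__main__":
    # Constructed samples: the iframe URL quoted in the report, a lookalike
    # hostname built from md5("1"), and the genuine login host for contrast.
    samples = [
        "http://0xdc4bdd88:88/ws/eBayISAPI.dll/",
        "http://signin.ebay.com.c4ca4238a0b923820dcc509a6f75849b.example.net/",
        "https://signin.ebay.com/",
    ]
    for url in samples:
        f = analyse_url(url)
        print(f"{'SUSPICIOUS' if f['suspicious'] else 'ok        '} {url}")
        for key in ("numeric_host", "md5_labels", "brand_in_subdomain"):
            if f[key]:
                print(f"    {key}: {f[key]}")
```

Run as a script it prints the findings for the three constructed URLs. The numeric-host decoder deliberately mirrors inet_aton() rather than a strict dotted-quad parser, because browsers accept the same hex, octal and dotless forms that the phishing iframe relies on; a filter that only recognises "220.75.221.136" would pass 0xdc4bdd88 untouched. Swap in a public-suffix list before using the brand check on real traffic.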