Microsoft SmartScreen filter triggers mysterious downloading of private files from web server

I uploaded some private files in a directory on our web server yesterday (no password protection, but an obscure path), and I discovered in our IIS logs that somebody was downloading them from our server a few minutes later.  The directory does not have browsing enabled in IIS7, and the filenames were too long for somebody to have just stumbled upon them.  Furthermore, the "GET" command issued on the file was the only connection from the mystery IP address (208.50.101.152) recorded in the logs.  No prior connections had been made from that IP to our server.  So whoever it was knew the exact URL before they downloaded the file.

After some investigation, I determined that this only happens after I download the file from our web server using IE (not Firefox), and Microsoft SmartScreen filter connects to a SmartScreen server (65.54.225.100) to look up the URL I am downloading from.  If I disable SmartScreen before I download my file, the mystery download never happens.

So clearly this "mystery" server at 208.50.101.152 is learning of the URL from SmartScreen.  What I'm not sure of is whether this is normal behavior for Microsoft's SmartScreen servers (it seems a bit invasive to me!), or whether this is some hijack going on that I can't find.

I have some machines that don't seem to trigger this mystery download even though they have SmartScreen enabled.  But I have two machines (Windows 7 with IE8 and Windows Server 2003 with IE8) that do it pretty consistently.  The two machines that do it are completely unrelated machines on different networks at different companies, so I have no reason to suspect a common infection.

My PC scans clean with Spybot, AVG, Avast, and Malwarebytes.

I found some references to 65.54.225.100 on the Internet.  One forum thread talks about it being a Microsoft SmartScreen (Phishing) filter server address.  A Microsoft document about Trojan:Win32/Vundo.BH and another website about W32.Vundo/MS Juan Trojan Virus name it as a rogue server that is used to distribute ads or commands to this trojan!  How odd that Microsoft would name one of their own IP addresses as a server that serves up ads to malware!

The mystery connection usually comes from an IP in 208.50.101.x (Global Crossing), but sometimes comes from 64.124.203.x (AboveNet).  

Is anyone familiar with this behavior of SmartScreen?  Does this sound like my PC is infected, or Microsoft is just being a little aggressive in checking up on my browsing?  

Some additional notes:

I found a discussion between a few other people seeing the same behavior at athena.outer-reaches.com (I removed the full URL for the thread to avoid spammers getting a hold of it, but you can search for "scraped" on that website to find the discussion).

The mystery connection always converts the URL to all-lowercase.  Our web server is IIS, so this doesn't prevent them from downloading the file.

A packet sniffer on the web server shows that the mystery connection is downloading the whole file, not just checking to see if the GET command succeeds.

They only download each file once, even if I download it again later.  But if I rename the file and download it again with the new name, they connect a few minutes later and download the new file.

Any suggestions?
trusnock Asked:
trusnock Author Commented:
I contacted Microsoft's Policy and Risk Manager for Windows Live Safety Platform, and he acknowledged that these "mystery" IPs are part of the Microsoft SmartScreen Filter system.  The SmartScreen feature in IE sends the URL to Microsoft, and Microsoft's servers queue the URL for evaluation.  This often involves their servers accessing the URL and downloading the file, then scanning it for dangerous content.

It's a little unsettling, and some people might have a problem with it, but it makes sense that their servers would need to learn about the URL and sample it to determine if it should be filtered for future visitors.
stokerbritt Commented:
It would be nice to see the logs you are referring to.  Are you sure it isn't the web server moving the files to the appropriate directory?

Check out this whois entry for your mystery IP and see if anything there helps you out:
http://whois.domaintools.com/208.50.101.152
trusnock Author Commented:
Here is a sample from the logs.  I downloaded the files "Tom12.zip", "Tom13.zip", and "Tom14.zip" from the web server to my PC.  A few minutes later, these Global Crossing IP addresses (208.50.101.155, 208.50.101.154) downloaded two of the three files that I had downloaded previously.

I've masked my web server and office IP addresses in these logs, but I left the mystery IPs intact...

2010-04-10 02:24:29 {WEB_SERVER_IP} GET /logs/Tom12.zip - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 6364
2010-04-10 02:26:51 {WEB_SERVER_IP} GET /logs/Tom13.zip - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 6708
2010-04-10 02:27:03 {WEB_SERVER_IP} GET /logs/Tom14.zip - 80 - {MY_OFFICE_IP} Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.2;+.NET+CLR+1.1.4322) 200 0 0 5725
2010-04-10 02:30:11 {WEB_SERVER_IP} GET /logs/tom12.zip - 80 - 208.50.101.155 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 8751
2010-04-10 02:32:25 {WEB_SERVER_IP} GET /logs/tom13.zip - 80 - 208.50.101.154 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 4539

I'm not sure what I said that led you to believe this might be the server moving files around.  As I mentioned above, I used a packet sniffer on our web server and saw the Global Crossing IP address connecting to the server and downloading the file.

Thanks for your help and input,
-Tom R.
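A small log check for the pattern Tom shows above (an added example, not code from the thread): it pairs each download by a trusted client IP with a later GET of the same path, compared case-insensitively, from any other IP within a few minutes. The W3C field order, the 10-minute window and the sample IPs are assumptions.

```python
"""Flag follow-up fetches like the thread describes: a trusted client downloads
/logs/Tom12.zip and minutes later an unrelated IP re-fetches it lower-cased.
Added example, not code from the thread; field order and IPs are assumed."""
from datetime import datetime, timedelta

# W3C extended fields assumed to match the thread's excerpt:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
FIELDS = ["date", "time", "s_ip", "method", "uri", "query", "port", "user",
          "c_ip", "ua", "status", "substatus", "win32", "time_taken"]

def parse_line(line):
    """Parse one W3C log line into a dict; None for blank/comment/odd lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec

def find_followup_fetches(lines, trusted_ips, window=timedelta(minutes=10)):
    """Return (trusted_request, followup_request) pairs: a GET of the same path
    (compared case-insensitively) from an IP outside trusted_ips within
    `window` after the trusted request."""
    recent = {}   # lower-cased path -> most recent trusted request
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] != "GET":
            continue
        key = rec["uri"].lower()
        if rec["c_ip"] in trusted_ips:
            recent[key] = rec
        elif key in recent and timedelta(0) <= rec["ts"] - recent[key]["ts"] <= window:
            hits.append((recent[key], rec))
    return hits

# Constructed sample modeled on the thread's excerpt; IPs are documentation ranges.
SAMPLE_LOG = """\
2010-04-10 02:24:29 10.0.0.5 GET /logs/Tom12.zip - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 6364
2010-04-10 02:27:03 10.0.0.5 GET /logs/Tom14.zip - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 5725
2010-04-10 02:30:11 10.0.0.5 GET /logs/tom12.zip - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 8751
2010-04-10 02:45:00 10.0.0.5 GET /logs/tom14.zip - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0 4539
""".splitlines()

if __name__ == "__main__":
    for orig, follow in find_followup_fetches(SAMPLE_LOG, {"192.0.2.10"}):
        mins = (follow["ts"] - orig["ts"]).seconds // 60
        print(f"{follow['c_ip']} re-fetched {orig['uri']} as {follow['uri']} {mins} min later")
```

The second re-fetch in the sample falls outside the 10-minute window and is deliberately not reported, so tune the window to what your own logs show.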
stokerbritt Commented:
Please look through this information about that IP address.  Does that address look familiar to you?  That is the IP address info for the IP that is downloading files from you.  Are you certain about your web server?  Not sure if it is in-house; it sounds like it is somewhere else.  Are you certain they don't back up everything for you?

IP Information for 208.50.101.152

IP Location:       United States       Global Crossing
IP Address:       208.50.101.152               
OrgName:    Global Crossing
OrgID:      GBLX
Address:    14605 South 50th Street
City:       Phoenix
StateProv:  AZ
PostalCode: 85044-6471
Country:    US

ReferralServer: rwhois://rwhois.gblx.net:4321

NetRange:   208.48.224.0 - 208.50.127.255
CIDR:       208.48.224.0/19, 208.49.0.0/16, 208.50.0.0/17
NetName:    GBLX-6C
NetHandle:  NET-208-48-224-0-1
Parent:     NET-208-0-0-0-0
NetType:    Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment:    THESE ADDRESSES ARE NON-PORTABLE
RegDate:    1999-07-29
Updated:    2009-06-25

RTechHandle: IA12-ORG-ARIN
RTechName:   GBLX-IPADMIN
RTechPhone:  +1-800-404-7714
RTechEmail:  

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName:   GBLX-Abuse
OrgAbusePhone:  +1-800-404-7714
OrgAbuseEmail:  

OrgNOCHandle: GBLXN-ARIN
OrgNOCName:   GBLX-NOC
OrgNOCPhone:  +1-800-404-7714
OrgNOCEmail:  

OrgTechHandle: IA12-ORG-ARIN
OrgTechName:   GBLX-IPADMIN
OrgTechPhone:  +1-800-404-7714
OrgTechEmail:  

== Additional Information From rwhois://rwhois.gblx.net:4321 ==

network:Class-Name:network
network:ID:16373.208.50.101.144/28
network:Auth-Area:net.208.50.0.0-17
network:Network-Name:5526.5526.MSNHO
network:IP-Network:208.50.101.144/28
network:Organization;I:5526.MSNHO
network:Tech-Contact;I:.5526.MSNHO
network:Admin-Contact;I:.5526.MSNHO
network:Created:20080123
network:Updated:20090911
network:Updated-By:
trusnock Author Commented:
I'm positive.  I'm intimately familiar with our server.  I've already looked at the whois for all of the IP addresses in question, and there is no reason they should be downloading unpublished files from our server.  I've already established that this does not happen when I disable Microsoft SmartScreen or when I use a non-IE browser, so I am quite certain this has something to do with SmartScreen, and not some backup service that I'm not aware of.
-Tom
trusnock Author Commented:
I have now posted the solution, which I found myself.  I think this question would be helpful to others in the future, so I don't think it should be deleted.