I uploaded some private files in a directory on our web server yesterday (no password protection, but an obscure path), and I discovered in our IIS logs that somebody was downloading them from our server a few minutes later. The directory does not have browsing enabled in IIS7, and the filenames were too long for somebody to have just stumbled upon them. Furthermore, the "GET" command issued on the file was the only connection from the mystery IP address (18.104.22.168) recorded in the logs. No prior connections had been made from that IP to our server. So whoever it was knew the exact URL before they downloaded the file.
After some investigation, I determined that this only happens after I download the file from our web server using IE (not Firefox), and the Microsoft SmartScreen filter connects to a SmartScreen server (22.214.171.124) to look up the URL I am downloading from. If I disable SmartScreen before I download my file, the mystery download never happens.
So clearly this "mystery" server at 126.96.36.199 is learning of the URL from SmartScreen. What I'm not sure of is whether this is normal behavior for Microsoft's SmartScreen servers (it seems a bit invasive to me!), or whether this is some hijack going on that I can't find.
I have some machines that don't seem to trigger this mystery download even though they have SmartScreen enabled. But I have two machines (Windows 7 with IE8 and Windows Server 2003 with IE8) that do it pretty consistently. The two machines that do it are completely unrelated machines on different networks at different companies, so I have no reason to suspect a common infection.
My PC scans clean with Spybot, AVG, Avast, and Malwarebytes.
I found some references to 188.8.131.52 on the Internet. One forum thread talks about it being a Microsoft SmartScreen (Phishing) filter server address. A Microsoft document about Trojan:Win32/Vundo.BH and another website about the W32.Vundo/MS Juan Trojan virus name it as a rogue server that is used to distribute ads or commands to this trojan! How odd that Microsoft would name one of their own IP addresses as a server that serves up ads to malware!
The mystery connection usually comes from an IP in 208.50.101.x (Global Crossing), but sometimes comes from 64.124.203.x (AboveNet).
Is anyone familiar with this behavior of SmartScreen? Does this sound like my PC is infected, or Microsoft is just being a little aggressive in checking up on my browsing?
Some additional notes:
I found a discussion between a few other people seeing the same behavior at athena.outer-reaches.com (I removed the full URL for the thread to avoid spammers getting a hold of it, but you can search for "scraped" on that website to find the discussion).
The mystery connection always converts the URL to all-lowercase. Our web server is IIS, so this doesn't prevent them from downloading the file.
A packet sniffer on the web server shows that the mystery connection is downloading the whole file, not just checking to see if the GET command succeeds.
They only download each file once, even if I download it again later. But if I rename the file and download it again with the new name, they connect a few minutes later and download the new file.
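The pattern described in this post (a trusted client fetches an unlisted path, then an unrelated IP fetches the same path, lowercased, a few minutes later) is easy to pick out of IIS W3C logs automatically. The following script is an added example, not code from the original post or from Microsoft; the log lines in it are constructed, the field order is an assumed `#Fields:` header, and the trusted-IP set and 15-minute window are hypothetical parameters you would set for your own server.

```python
"""Flag follow-up downloads of a just-fetched URL from an untrusted client IP.

Added example for IIS W3C extended logs.  SAMPLE_LOG below is constructed,
not a real server log; the #Fields header is an assumption about field order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: my own download from 10.0.0.5, then a second GET of the
# same path (lowercased) from an unrelated address a few minutes later, then
# a later re-download by me that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2011-03-01 14:02:10 10.0.0.5 GET /Private/Q1-Report-Draft-Final.xlsx 200 48211
2011-03-01 14:05:44 203.0.113.77 GET /private/q1-report-draft-final.xlsx 200 48211
2011-03-01 14:06:02 10.0.0.5 GET /index.html 200 1100
2011-03-01 15:10:00 10.0.0.5 GET /Private/Q1-Report-Draft-Final.xlsx 200 48211
"""


def parse_iis_log(text):
    """Yield one dict per data line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than crash mid-log
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def find_shadow_downloads(text, trusted_ips, window=timedelta(minutes=15)):
    """Return one dict per GET of a path from an untrusted IP that occurs within
    `window` after a trusted client fetched the same path.  Paths are compared
    case-insensitively because the follow-up client lowercases the URL, and
    sc-bytes is compared to show whether the whole file was served again."""
    recent = defaultdict(list)  # lowercased path -> [(ts, sc-bytes)] of trusted fetches
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-method"] != "GET":
            continue
        key = rec["cs-uri-stem"].lower()
        if rec["c-ip"] in trusted_ips:
            recent[key].append((rec["ts"], rec["sc-bytes"]))
            continue
        for trusted_ts, trusted_bytes in recent[key]:
            delta = rec["ts"] - trusted_ts
            if timedelta(0) <= delta <= window:
                hits.append({
                    "trusted_ts": trusted_ts,
                    "other_ip": rec["c-ip"],
                    "other_ts": rec["ts"],
                    "uri": rec["cs-uri-stem"],
                    "delay_seconds": int(delta.total_seconds()),
                    "same_size": rec["sc-bytes"] == trusted_bytes,
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_shadow_downloads(SAMPLE_LOG, {"10.0.0.5"}):
        print(hit)
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and `{"10.0.0.5"}` with the addresses you download from; a `same_size` of `True` is the log-only equivalent of the packet-sniffer observation that the full file, not just the headers, was retrieved.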