/.sys/ Folders and Malware
Just saw a SANS diary post discussing how drive-by downloads are now being delivered from /.sys/ folders on websites. This is actually a pretty old routine used by Koobface; our blocks on malware served from /.sys/ folders date back over a year, to February 2009. Besides URLs of the form:
/.sys/?action=
other observed URL patterns include:
/.sys/?getexe=
/.sys/path/filename
/.sys/filename
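The four patterns above are easy to turn into a URL check for a proxy log or a URL filter. The code below is an added example, not ScanSafe's blocking logic and not from the SANS diary; the variant labels ("action", "getexe", "nested", "direct", "bare") are my own, and the sample URLs are constructed on example.com. It decodes percent-encoding and ignores case before looking for the ".sys" path segment, so "/%2Esys/" or "/.SYS/" are not missed, and it matches the segment at any depth rather than only at the root.

```python
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse


def classify_sys_url(url: str) -> Optional[str]:
    """Return which /.sys/ variant a URL matches, or None if it has no .sys segment.

    Labels are assumptions made for this example, not terms from the post:
      "action" -> /.sys/?action=...
      "getexe" -> /.sys/?getexe=...
      "nested" -> /.sys/path/filename
      "direct" -> /.sys/filename
      "bare"   -> /.sys/ with neither a file nor a known query key
    """
    parsed = urlparse(url)
    # Decode %2E etc. and split on "/" so a disguised ".sys" segment still matches.
    segments = unquote(parsed.path).split("/")
    try:
        idx = next(i for i, seg in enumerate(segments) if seg.lower() == ".sys")
    except StopIteration:
        return None

    # Non-empty path segments that follow the .sys directory.
    rest = [seg for seg in segments[idx + 1:] if seg]
    if rest:
        return "nested" if len(rest) > 1 else "direct"

    # Nothing after /.sys/: decide by query key. keep_blank_values so that
    # "?action=" with an empty value is still recognised.
    params = parse_qs(parsed.query, keep_blank_values=True)
    if "action" in params:
        return "action"
    if "getexe" in params:
        return "getexe"
    return "bare"


def scan_urls(urls: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (url, variant) for every URL that carries a .sys segment."""
    hits = []
    for url in urls:
        variant = classify_sys_url(url)
        if variant is not None:
            hits.append((url, variant))
    return hits


# Constructed sample URLs for demonstration; none of these are real observations.
SAMPLE_URLS = [
    "http://www.example.com/.sys/?action=ldgen",
    "http://www.example.com/.sys/?getexe=setup.exe",
    "http://www.example.com/.sys/img/setup.exe",
    "http://www.example.com/.sys/setup.exe",
    "http://www.example.com/%2ESYS/setup.exe",
    "http://www.example.com/sys/setup.exe",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for url, variant in scan_urls(SAMPLE_URLS):
        print(f"{variant:7s} {url}")
```

A check like this is only a cheap first-pass indicator: the folder name is trivially changed by the attacker, so it belongs alongside payload inspection rather than in place of it, and a hit should be treated as a reason to look at the download, not as proof on its own.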
Though Koobface maintains a steady presence, in the overall scheme of things it's a pretty small one, representing less than 0.5% of all ScanSafe Web malware blocks in 2009. Optimistically, this indicates that at least among enterprises, users are getting the message that it's not safe to click links received unexpectedly - even from someone they know. Or maybe it's just that the volume of Web threats is so terribly high that Koobface pales in comparison.

Mary Landesman