We have recently learned that the capture generators have been listed in the CBL (composite blocking list) that Spamhaus uses to block spammers and botnets. The message is as follows:
----------
It was last detected at 2014-11-30 05:00 GMT (+/- 30 minutes), approximately 3 days, 12 hours, 30 minutes ago.
This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.
----------
The reason this matters in our case is that some websites block visitors coming from addresses listed with Spamhaus. In those cases, we cannot capture the actual site web page; instead, we capture an access denied message. It is also important to prevent this type of malware from spreading or communicating in any way.
The capture servers themselves are not infected, because "Gameover Zeus" only targets Windows-based machines and we use Linux for our capture generators. However, the capture generators had NAT enabled for testing purposes and must have somehow been compromised to send the occasional "lighthouse" signature of "Gameover Zeus". As a result, we have disabled NAT on the machines and requested delisting from the CBL. That delisting should be handled quickly, but if the machines are somehow compromised again, they will be re-listed. We will need to monitor the situation.
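For the monitoring step, a small check that builds the reverse-octet DNSBL query and decodes the Spamhaus ZEN answer codes (CBL listings surface through the XBL component) can be run periodically against the capture generators' public addresses. This is an added example, not part of the original note or of Spamhaus's tooling; the address 203.0.113.5 and the canned answers are constructed so it runs offline, and the resolver is injectable so a real run can use `socket.gethostbyname`.

```python
import socket
from ipaddress import IPv4Address

# Spamhaus ZEN answer ranges, per Spamhaus documentation. A CBL listing like
# the one above is reported through the XBL component (127.0.0.4-7).
ZEN_RANGES = [
    (2, 3, "SBL (spam sources)"),
    (4, 7, "XBL/CBL (exploited host, e.g. botnet traffic such as GOZ)"),
    (9, 9, "SBL DROP"),
    (10, 11, "PBL (policy: dynamic/end-user address space)"),
]
# Out-of-band answers: the query itself was rejected, not a listing.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL query name",
    "127.255.255.254": "query sent through a public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}

def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the IPv4 octets and append the DNSBL zone (IPv4 only)."""
    octets = str(IPv4Address(ip)).split(".")   # also validates the address
    return ".".join(reversed(octets)) + "." + zone

def classify(answer: str) -> str:
    """Translate a DNSBL A-record answer into a human-readable reason."""
    if answer in ZEN_ERRORS:
        return "ERROR: " + ZEN_ERRORS[answer]
    addr = IPv4Address(answer)
    if str(addr).startswith("127.0.0."):
        last = int(addr) & 0xFF
        for lo, hi, label in ZEN_RANGES:
            if lo <= last <= hi:
                return label
    return "unknown answer " + answer

def check_listing(ip, resolve=socket.gethostbyname, zone="zen.spamhaus.org"):
    """Return (listed, reason). NXDOMAIN means the address is not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False, None
    reason = classify(answer)
    if reason.startswith("ERROR"):
        raise RuntimeError(reason)   # never report a rejected query as "clean"
    return True, reason

# Constructed sample answers so the script runs offline (not real listing data).
SAMPLE_ANSWERS = {"5.113.0.203.zen.spamhaus.org": "127.0.0.4"}

def sample_resolver(name):
    if name in SAMPLE_ANSWERS:
        return SAMPLE_ANSWERS[name]
    raise socket.gaierror("NXDOMAIN")

if __name__ == "__main__":
    for host in ("203.0.113.5", "203.0.113.6"):
        print(host, check_listing(host, resolve=sample_resolver))
```

A real deployment should query from the organisation's own resolver (a public resolver returns the 127.255.255.254 error) and alert on any transition from unlisted to listed, since that is the re-listing signal the note says we need to watch for.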