Capture Generators listed in Spamhaus CBL

puravida

We have recently learned that the capture generators have been listed in the CBL (composite blocking list) that Spamhaus uses to block spammers and botnets. The message is as follows:

----------
It was last detected at 2014-11-30 05:00 GMT (+/- 30 minutes), approximately 3 days, 12 hours, 30 minutes ago.

This IP address is infected with, or is NATting for a machine infected with "Gameover Zeus" or "GOZ" - previously it has been referred to as "ZeusV3" or "p2pzeus". GOZ is a version of the ZeuS malware that uses peer-to-peer (P2P) command and control mechanisms.

----------

The reason this is important in our case is that some websites block sites listed with Spamhaus. In those cases, we cannot capture the actual site web page. Instead, we capture an access-denied message. It is also important to prevent these types of malware from spreading or communicating in any way.

The capture servers themselves are not infected, because "Gameover Zeus" only targets Windows-based machines and we use Linux for our capture generators. However, the capture generators had NAT enabled for testing purposes and must have somehow been compromised to send the occasional "lighthouse" signature of "Gameover Zeus". As a result, we have disabled NAT on the machines and requested delisting from the CBL. That delisting should be handled quickly, but if the machines are somehow compromised again, they will be re-listed. We will need to monitor the situation.
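The "monitor the situation" part of the post above is something a small script can do. The example below is added here and is not code from the thread or from ShrinkTheWeb: it builds the reversed-octet DNSBL query name for an IP, looks it up in Spamhaus ZEN (the CBL's own zone at the time was cbl.abuseat.org; its data is now served as part of Spamhaus XBL, which ZEN includes), and decodes the 127.0.0.x answer so that an XBL/CBL hit is distinguished from an SBL or PBL listing and from Spamhaus's 127.255.255.x "query refused" codes, which are returned when the lookup goes through a public resolver and are not listings. The resolver is injectable so the logic can be exercised offline; the 192.0.2.x addresses are constructed TEST-NET samples.

```python
"""Check whether a public IP is listed in Spamhaus ZEN and decode the answer.
Added example; not part of the original thread. Sample IPs are TEST-NET."""
import ipaddress
import socket

ZEN_ZONE = "zen.spamhaus.org"

# A-record answers from zen.spamhaus.org and what they mean.
# 127.0.0.4-7 is the XBL range, where CBL detections (such as the GOZ
# beacon described in the post) are surfaced.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (CBL)",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
# 127.255.255.x answers are error codes, not listings: for example the query
# was sent through a public/open resolver, which Spamhaus refuses to answer.
ERROR_PREFIX = "127.255.255."


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_all(name):
    """Return every A record for name; raises socket.gaierror on NXDOMAIN (not listed)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def check_listing(ip, zone=ZEN_ZONE, resolve=resolve_all):
    """Query the DNSBL and decode the result. `resolve` is injectable for offline tests."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        answers = []  # NXDOMAIN: the IP is not listed
    listings = sorted(ZEN_CODES.get(a, "unknown code " + a)
                      for a in answers if not a.startswith(ERROR_PREFIX))
    errors = sorted(a for a in answers if a.startswith(ERROR_PREFIX))
    return {"ip": ip, "listed": bool(listings), "listings": listings, "errors": errors}


def listed_hosts(ips, resolve=resolve_all):
    """Monitoring helper: return the subset of ips that currently carry a listing."""
    return [ip for ip in ips if check_listing(ip, resolve=resolve)["listed"]]


if __name__ == "__main__":
    import sys
    # 192.0.2.0/24 is TEST-NET-1; a constructed placeholder, not a real listed host.
    for ip in sys.argv[1:] or ["192.0.2.10"]:
        print(check_listing(ip))
```

Run it from a cron job with the public IPs of the capture generators as arguments and alert on any result whose `listed` is true; if `errors` is non-empty instead, the host is using a public resolver and the check needs to go through the network's own resolver before the result means anything.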

puravida

As it turns out, disabling NAT on the capture generators caused them to go offline. We were forced to re-enable NAT on the machines, which means that "Gameover Zeus" may use them again in the future. It has been 3 days since the last report, but that doesn't mean the problem is over. There must be a compromised Windows-based machine somewhere on the data center networks.

We will alert them to the problem, while we also try to lock down the NAT on our machines.

puravida

We have been asked if there is a "risk" posed to STW users, so I wanted to answer that publicly.

There is no risk to users of ShrinkTheWeb. Our servers are NOT infected. They are simply giving off a signal (sort of a beacon) being forwarded from an infected machine. This is also part of ShrinkTheWeb's back-end process and does not come in contact with end users of the service.

The front-end servers that users come in contact with (for the service and for the website itself) do not NAT and therefore are not listed in the CBL or any other spam/malware tracking database. So those servers are clean in any case. This only affects the back-end capture generators.
