It's probably watching for connections to files listed in robots.txt that should not be crawled, etc. Once a client tries to do that thing (which it was told not to do), then it gets tagged malicious and fed the zip file.

Long story short, I use memcached to track ips, user agent, and the use of POST method. The requests per minute, request payload, and past behavior will make isMalicious() return true.

I know ive been on THAT list before. Heaven forbid i dont have chrome or keep it up to date, shame on me!