Thursday, 11 August 2011
Something evil on 126.96.36.199: reddingtaxcm.com and inferno.name
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
Although the IP 188.8.131.52 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 184.108.40.206. 220.127.116.11/4 seems to be full of (possibly fake) pharma sites.
A lot of other IP addresses associated with this company are implicated with forum spamming.
Just in case you want to block traffic to/from inferno.name (although there may well be legitimate sites and servers in these ranges) then I have identified the following IP ranges, although there may well be more:
As for 18.104.22.168, watch for traffic going to subdomains of reddingtaxcm.com, for example: