Monday, 10 October 2011
Some TDL/TDSS rootkit sites to block
220.127.116.11/24 is a Romanian host called Eurolan Solutions SRL; I've had this blocked for months with no ill effects. 18.104.22.168/16 is Petersburg Internet Network Ltd in Russia; the whole /16 is sparsely populated and blocking it would probably do no harm. 22.214.171.124/22 is the Latvian host RN Data SIA, and given that Latvian hosts are such a sewer, blocking the /22 is probably also a good idea.
As for 126.96.36.199 (OTEL, Bulgaria), there appear to be a few malware servers in 188.8.131.52/23 mixed with several legitimate sites. 184.108.40.206, 220.127.116.11 and 18.104.22.168 also appear to be malicious. Blocking 22.214.171.124/28 should filter out the bad sites without blocking good ones.
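The post makes two kinds of decision: block some ranges wholesale (the /24, /16 and /22) and, for the Bulgarian range where bad and good sites share a /23, block only the /28 that holds the bad ones. The following is an added example, not code from the original post, that encodes those decisions as a small CIDR ruleset and runs it over a few constructed firewall log lines to see which outbound connections it would have caught. The CIDRs are taken from the post as written; the log lines, the `review` action for the mixed /23, and the field names `src=`/`dst=` are constructed for the example.

```python
"""Match destination IPs from firewall log lines against the post's CIDR ruleset.

Added example: the ranges come from the post; the log format and the
"review" action for the mixed /23 are assumptions made for illustration.
"""
import ipaddress
import re

# (cidr as written in the post, action). ip_network(..., strict=False) zeroes the
# host bits, so "220.127.116.11/24" becomes 220.127.116.0/24 and
# "22.214.171.124/22" becomes 22.214.168.0/22.
RULES = [
    (ipaddress.ip_network(cidr, strict=False), action)
    for cidr, action in [
        ("220.127.116.11/24", "block"),   # Eurolan Solutions SRL, RO
        ("18.104.22.168/16", "block"),    # Petersburg Internet Network Ltd, RU
        ("22.214.171.124/22", "block"),   # RN Data SIA, LV
        ("188.8.131.52/23", "review"),    # OTEL, BG: malware mixed with legitimate sites
        ("22.214.171.124/28", "block"),   # the /28 inside that mess that actually needs blocking
    ]
]


def classify(ip_str):
    """Return the action for an IP: the most specific (longest-prefix) matching
    rule wins, so a /28 'block' overrides a surrounding /23 'review'.
    Returns 'allow' when no rule matches."""
    ip = ipaddress.ip_address(ip_str)
    hits = [(net, action) for net, action in RULES if ip in net]
    if not hits:
        return "allow"
    _, action = max(hits, key=lambda h: h[0].prefixlen)
    return action


# Constructed log lines (not real traffic); 198.51.100.7 is from TEST-NET-2.
SAMPLE_LOG = """\
2011-10-10 09:12:01 src=192.168.1.20 dst=220.127.116.45 dport=80 action=allow
2011-10-10 09:12:07 src=192.168.1.21 dst=18.104.250.3 dport=443 action=allow
2011-10-10 09:13:12 src=192.168.1.22 dst=188.8.130.9 dport=80 action=allow
2011-10-10 09:14:30 src=192.168.1.23 dst=22.214.171.120 dport=80 action=allow
2011-10-10 09:15:00 src=192.168.1.24 dst=198.51.100.7 dport=80 action=allow
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan(log_text):
    """Return [(dst_ip, action)] for every line whose destination is not 'allow'."""
    findings = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if not m:
            continue
        action = classify(m.group(1))
        if action != "allow":
            findings.append((m.group(1), action))
    return findings


if __name__ == "__main__":
    for ip, action in scan(SAMPLE_LOG):
        print(f"{action:7s} {ip}")
```

Longest-prefix matching is what lets the broad "review" rule and the narrow "block" rule coexist; if the ruleset were fed to a firewall that applies first-match semantics instead, the /28 entry would have to be listed before the /23.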
The following domains are associated with these IPs; if you can't block by IP, blocking these might be a good idea: