Monday, 10 October 2011
Some TDL/TDSS rootkit sites to block
18.104.22.168/24 is a Romanian host called Eurolan Solutions SRL; I've had this blocked for months with no ill-effects. 22.214.171.124/16 is Petersburg Internet Network Ltd in Russia; the whole /16 is sparsely populated, and blocking it would probably do no harm. 126.96.36.199/22 is a Latvian host, RN Data SIA; given that Latvian hosts are such a sewer, blocking the /22 is probably also a good idea.
As for 188.8.131.52 (OTEL, Bulgaria), there appear to be a few malware servers in 184.108.40.206/23 mixed with several legitimate sites. 220.127.116.11, 18.104.22.168 and 22.214.171.124 also appear to be malicious. Blocking 126.96.36.199/28 should filter out the bad sites without blocking good ones.
The following domains are associated with these IPs; if you can't block by IP, blocking these might be a good idea: