Wednesday, 25 April 2012
Something evil on 22.214.171.124, lpicture.info and ghjvodka.info
There are two injected elements, one is a .in site hosted on 126.96.36.199 [Leaseweb, Netherlands] which could be one of the following:
There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.
The second injection is a reference to lpicture.info, which is hosted on 188.8.131.52, a Leaseweb Germany IP address suballocated to inferno.name, who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here), which in turn is listed on 184.108.40.206 (OVH, France) along with some other suspect-looking sites that lead me to conclude that this IP address is worth blocking too:
This malware seems to be quite good at avoiding analysis. But if you can block these IPs, then I strongly recommend that you do so.
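Blocking at the firewall is one option; the other is to look back through proxy logs for clients that already reached these hosts. The following is an added example, not part of the original post: a small Python matcher that takes the hostnames and IP addresses named above as indicators (BLOCKED_NETS accepts CIDR ranges too, so the inferno.name ranges can be dropped in once you have them) and scans some constructed proxy log lines in common log format, flagging any client that requested a listed host, one of its subdomains, or a listed IP directly.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as named in the post above. Subdomains of the hostnames
# are matched as well, since redirectors often sit on a subdomain.
BLOCKED_HOSTS = {"lpicture.info", "ghjvodka.info"}
BLOCKED_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "22.214.171.124/32",
        "126.96.36.199/32",
        "188.8.131.52/32",
        "184.108.40.206/32",
        # add the inferno.name CIDR ranges from the post's link here
    )
]

# Common log format with an absolute URL (or host:port for CONNECT) as the
# request target, which is how most forward proxies record requests.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|CONNECT) (\S+) HTTP/[\d.]+" \d+ \d+'
)

# Constructed sample log lines (not real traffic) used for the demonstration.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Apr/2012:10:01:02 +0100] "GET http://lpicture.info/ HTTP/1.1" 302 0',
    '10.0.0.5 - - [25/Apr/2012:10:01:03 +0100] "CONNECT ghjvodka.info:443 HTTP/1.1" 200 0',
    '10.0.0.7 - - [25/Apr/2012:10:02:10 +0100] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Apr/2012:10:03:44 +0100] "GET http://184.108.40.206/x.php HTTP/1.1" 200 912',
    "this line is not in common log format and is skipped",
]


def host_is_blocked(host):
    """True if host is a listed hostname (or a subdomain of one) or a listed IP."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare as a DNS name, exact or subdomain match only
        return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)
    return any(ip in net for net in BLOCKED_NETS)


def extract_host(request_target):
    """Pull the destination host out of an absolute URL or a CONNECT host:port."""
    if "://" in request_target:
        return urlsplit(request_target).hostname or ""
    # CONNECT target is host:port; IPv6 literals in brackets are not handled here
    return request_target.split(":")[0]


def scan_log(lines):
    """Return (client, host) pairs for every request that hit an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        host = extract_host(target)
        if host and host_is_blocked(host):
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```

The subdomain test deliberately requires a dot boundary, so a lookalike such as notlpicture.info is not flagged; any client that does appear in the output reached the redirector or the payload host and is worth a closer look.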