Monday, 22 December 2014
Angler EK on 18.104.22.168
The infection chain that I have seen is as follows (don't click those links, obviously):
The last step is where the badness happens, hosted on 22.214.171.124 (Mir Telematiki Ltd, Russia), which is also being used to host the following malicious domains:
A quick look at the contents of 126.96.36.199/23 shows some other questionable sites. Most of the sites hosted in this /23 appear to be selling counterfeit goods, so blocking the entire /23 will probably be no great loss.
Recommended minimum blocklist: