I found these domains and IPs today while investigating a machine apparently infected with Vawtrak (aka Tepfer); most of them seem to be active:
http://80.243.184.239/posting.php
http://80.243.184.239/viewforum.php
http://146.185.233.97/posting.php
http://146.185.233.97/viewforum.php
http://ipubling.com/posting.php
http://ipubling.com/viewforum.php
http://magroxis.com/posting.php
http://magroxis.com/viewforum.php
http://maxigolon.com/viewforum.php
http://terekilpane.com/viewforum.php
Some of these domains are associated with the email address ctouma2@gmail.com. 
You could block the sites individually, but because the sites are not isolated, I would personally recommend using the following blocklist:
146.185.233.0/24
80.243.184.224/27
The 146.185.233.0/24 range is allocated to "Cherepanova" in Russia. 80.243.184.224/27 is Redstation in the UK.
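As an added example (not part of the original post), the script below takes the indicators listed above, splits them into IP-hosted and domain-hosted C2 URLs, verifies that every IP indicator actually falls inside one of the two recommended CIDR blocks, and emits firewall and hosts-file entries for them. The iptables chain name, the hosts-file sinkhole approach and the `is_blocked` lookup helper are my own assumptions about how a responder would deploy the blocklist, not something the post prescribes.

```python
import ipaddress
from urllib.parse import urlsplit

# C2 URLs as listed in the post.
IOC_URLS = [
    "http://80.243.184.239/posting.php",
    "http://80.243.184.239/viewforum.php",
    "http://146.185.233.97/posting.php",
    "http://146.185.233.97/viewforum.php",
    "http://ipubling.com/posting.php",
    "http://ipubling.com/viewforum.php",
    "http://magroxis.com/posting.php",
    "http://magroxis.com/viewforum.php",
    "http://maxigolon.com/viewforum.php",
    "http://terekilpane.com/viewforum.php",
]

# Ranges the post recommends blocking instead of individual hosts.
BLOCK_RANGES = ["146.185.233.0/24", "80.243.184.224/27"]


def split_indicators(urls):
    """Return (ip_hosts, domain_hosts) extracted from the IOC URLs."""
    ips, domains = set(), set()
    for url in urls:
        host = urlsplit(url).hostname
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            domains.add(host)
    # Sort IPs numerically (ipaddress objects compare by value), then stringify.
    return [str(ip) for ip in sorted(ips)], sorted(domains)


def covered_by(ip, ranges):
    """Return the first CIDR in `ranges` containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in ranges:
        if addr in ipaddress.ip_network(cidr, strict=True):
            return cidr
    return None


def check_coverage(urls, ranges):
    """Map each IP indicator to the CIDR that covers it (None = gap)."""
    ips, _ = split_indicators(urls)
    return {ip: covered_by(ip, ranges) for ip in ips}


def iptables_rules(ranges, chain="OUTPUT"):
    """Egress DROP rules for the CIDR blocklist (chain name is an assumption)."""
    return [f"iptables -A {chain} -d {cidr} -j DROP" for cidr in ranges]


def hosts_file_lines(domains):
    """Sinkhole the domain indicators locally (assumed deployment choice)."""
    return [f"0.0.0.0 {domain}" for domain in domains]


def is_blocked(host, urls=IOC_URLS, ranges=BLOCK_RANGES):
    """Reason a destination host would be blocked, or None if it is clean."""
    _, domains = split_indicators(urls)
    if host in domains:
        return f"domain indicator {host}"
    try:
        cidr = covered_by(host, ranges)
    except ValueError:  # not an IP literal and not a listed domain
        return None
    return f"range {cidr}" if cidr else None


if __name__ == "__main__":
    coverage = check_coverage(IOC_URLS, BLOCK_RANGES)
    for ip, cidr in coverage.items():
        print(f"{ip:16} -> {cidr or 'NOT COVERED'}")
    _, domain_hosts = split_indicators(IOC_URLS)
    print("\n".join(iptables_rules(BLOCK_RANGES)))
    print("\n".join(hosts_file_lines(domain_hosts)))
```

Run it before deploying the ranges: if `check_coverage` ever reports `NOT COVERED` for an IP indicator, the CIDR list has drifted from the URL list and should be revisited. The hosts-file sinkhole only covers the four named domains; the IP ranges are what actually stop the forum-style `posting.php`/`viewforum.php` callbacks to the bare IPs.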
