
Friday 28 March 2014

Something evil on 192.95.44.0/27 (OVH Canada)

192.95.44.0/27 (spotted by Frank Denis) is another evil OVH Canada netblock which I assume belongs to their black hat customer r5x.org / Penziatki although now OVH seem to be masking the customer details.

I can see the following active subdomains within this range, all of which can be assumed to be malicious:


I recommend that you apply the following blocklist:
192.95.44.0/27
accruespecialiste.ru
reachprotectione.ru
reachmape.ru
acquireconnectionse.ru
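As an added illustration (not code from the original post), the following Python script applies the blocklist above to constructed proxy log lines: destination IPs are matched against the CIDR and hostnames against the parent domains by label suffix, so the throwaway subdomains listed above are caught without enumerating them, and a host under a domain that is not on the list is still caught when it resolves into the blocked range. The log format, internal client addresses and resolved IPs are assumptions.

```python
"""Apply a CIDR + parent-domain blocklist to proxy/DNS log lines."""
import ipaddress
import re
from collections import Counter

# Blocklist as published in the post above: one /27 plus four parent domains.
BLOCKED_NETWORKS = [ipaddress.ip_network("192.95.44.0/27")]
BLOCKED_DOMAINS = {
    "accruespecialiste.ru",
    "reachprotectione.ru",
    "reachmape.ru",
    "acquireconnectionse.ru",
}


def ip_blocked(ip_str):
    """True if the address falls inside any blocked CIDR."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # not an IP literal (e.g. '-' in a log line)
    return any(addr in net for net in BLOCKED_NETWORKS)


def domain_blocked(hostname):
    """True if the hostname is a blocked domain or any subdomain of one.

    Matching on label boundaries (not plain substring search) catches
    rotating subdomains such as 1635860128-6.reachmape.ru while not
    flagging unrelated names that merely contain a blocked string.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


# Constructed sample log lines: "timestamp client host dest_ip".
SAMPLE_LOG = """\
2014-03-28T10:01:02Z 10.0.0.5 1635860128-6.reachmape.ru 192.95.44.10
2014-03-28T10:01:05Z 10.0.0.7 www.example.com 93.184.216.34
2014-03-28T10:01:09Z 10.0.0.5 2gj95630ug7y42qc1-3.advanceservere.ru 192.95.44.3
2014-03-28T10:02:11Z 10.0.0.9 reachmape.ru.example.net 198.51.100.20
2014-03-28T10:02:30Z 10.0.0.7 4022800068-3.acquireconnectionse.ru 192.95.45.1
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_log(text):
    """Return [(client, host, dest_ip, reasons)] for lines hitting the blocklist.

    'reasons' records which layer matched ("domain", "cidr" or both), which
    is useful when deciding whether a domain-only hit needs a DNS follow-up.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, host, dest = m.groups()
        reasons = []
        if domain_blocked(host):
            reasons.append("domain")
        if ip_blocked(dest):
            reasons.append("cidr")
        if reasons:
            hits.append((client, host, dest, reasons))
    return hits


def clients_to_investigate(text):
    """Count blocklist hits per internal client for triage ordering."""
    return Counter(client for client, *_ in scan_log(text))


if __name__ == "__main__":
    for client, host, dest, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host} ({dest}) matched: {', '.join(reasons)}")
    print(clients_to_investigate(SAMPLE_LOG))
```

The third sample line (advanceservere.ru) is not on the domain list but still lands in the /27, which is why the IP layer is worth keeping alongside the domain layer.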

Thursday 20 March 2014

Evil network: OVH Canada / r5x.org / Penziatki (updated)

I've covered OVH Canada and their black hat customer r5x.org aka "Penziatki" before. They consistently host exploit kits, and the way that the bad hosts are spread over OVH's network looks like a deliberate attempt at snowshoeing.

The following blocks in the OVH range have hosted malware from this customer. Some of the IPs are identified through my own research, others through OSINT from others, notably Frank Denis, @ReverseChris and .


Given the large number of exploits, you might want to consider a larger pre-emptive block on the OVH Canada ranges if you are in a security-sensitive environment and can live with blocking some of the legitimate sites that OVH also host.

192.95.0.0/16
198.27.0.0/16
198.50.0.0/16


I'll try to keep this blog post updated with more bad OVH Canada ranges as they are brought to my attention. Please consider adding any new information to the Comments if you have some. Thanks!

Wednesday 19 March 2014

More OVH Canada hosted exploit kits

I've been a bit tardy with this look at the new OVH Canada ranges exposed by Frank Denis, so some of these domains may already be dead.

Yesterday Frank identified three new OVH Canada ranges being used to host the Nuclear EK; again the customer is "r5x.org / Penziatki".

198.50.212.116/30
198.50.131.220/30
192.95.40.240/30


Update: also 192.95.51.164/30 according to this Tweet.

A full list of everything I can find is here [pastebin] but the abused domains that I have identified are:



At a minimum I recommend that you block those IP ranges and/or domains.

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Monday 17 March 2014

Something evil on 192.95.6.196/30

Another useful tip by Frank Denis on evil in the OVH Canada IP ranges, suballocated to their black hat customer "r5x.org / Penziatki", this time on 192.95.6.196/30.

The following domains should be considered as dangerous and I would recommend blocking them as soon as possible:
shoalfault.ru
addrela.eu
backinl.org


A full list of the domains I can find in this /30 can be found here [pastebin].

Given the extremely poor reputation of these OVH Canada ranges, I would suggest blocking the following network ranges if you have a security-sensitive environment and are prepared to put up with the collateral damage of blocking some legitimate sites:
198.27.0.0/16
198.50.0.0/16
192.95.0.0/16

Something evil on 198.50.140.64/27

Thanks again to Frank Denis (@jedisct1) for this heads up involving grubby web host OVH Canada and their black hat customer "r5x.org / Penziatki" hosting the Nuclear EK in 198.50.140.64/27.

A full list of all the web sites I can find associated with this range can be found here, but the simplest thing to do is block 198.50.140.64/27 completely (or if you are paranoid about security and don't mind some collateral damage block 198.27.0.0/16 and 198.50.0.0/16).

Domains in use that I can identify are listed below. I recommend you block all of them. Domains listed as malicious by Google are in red, those listed as suspect by SURBL are in italics.

Recommended blocklist:


Thursday 13 March 2014

Evil network: OVH Canada / r5x.org / Penziatki

Note: a more up-to-date list can be found here.

Hat tip to Frank Denis (@jedisct1) for this report on Nuclear EKs hosted by OVH Canada for their infamous "Penziatki" customer, which is linked to black-hat host r5x.org. The following blocks have been identified as belonging to that customer and I would recommend that you block them:

198.27.114.16/30
198.27.114.64/27
198.50.186.232/30
198.50.186.236/30
198.50.186.252/30
198.50.231.204/30


OVH Canada have repeatedly hosted exploit kits for this customer, to the extent that I am suspicious that they have been compromised in some way. The following blocks have been identified as serving up malware in the recent past:


Obviously there is a problem here. If you are in a security-sensitive environment then you might simply want to block traffic to the following ranges:

198.27.0.0/16
198.50.0.0/16

Of course this will block many legitimate sites, but if stopping exploit kits is a priority over some user inconvenience then you may want to consider it. If you want a slightly more nuanced blocklist then these ranges contain the biggest concentration of malware:

198.27.114.0/24
198.50.172.0/24
198.50.186.0/24
198.50.197.0/24
198.50.231.0/24


OVH must be aware of the reputation of their customer. I wonder why they keep tolerating them on their network?



Monday 3 February 2014

Something evil on 192.95.7.224/28

Another OVH Canada range hosting criminal activity: 192.95.7.224/28 is being used for several malicious .pw domains that distribute malware (as used in this attack). The malware domains seem to rotate through subdomains very quickly, possibly in an attempt to block analysis of their payload. This block is carrying out the same malicious activity that I wrote about a few days ago.

OVH have suballocated this IP block to an entity that I believe is connected with black hat host r5x.org.

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859114


These IPs are particularly active:
192.95.7.232
192.95.7.233
192.95.7.234

There is nothing of value in this /28 block and I recommend that you block the entire IP range plus the following domains (which are all already flagged as being malicious by Google)

Recommended blocklist:
192.95.7.224/28



Friday 31 January 2014

Something evil on 192.95.10.208/28

192.95.10.208/28 (OVH, Canada) is being used to deliver exploit kits utilising .pw domains; for an example see this URLquery report. The following domains are being used in these attacks (although there may be more):


The IP forms part of a /28 block belonging to a known bad actor:
NetRange:       192.95.10.208 - 192.95.10.223
CIDR:           192.95.10.208/28
OriginAS:       AS16276
NetName:        OVH-CUST-413973
NetHandle:      NET-192-95-10-208-1
Parent:         NET-192-95-0-0-1
NetType:        Reassigned
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/net/NET-192-95-10-208-1

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:     
PostalCode:     30000
Country:        RU
RegDate:        2014-01-24
Updated:        2014-01-24
Ref:            http://whois.arin.net/rest/customer/C04859113


I believe that these IPs are connected with a black hat host r5x.org and IPs with these WHOIS details are very often used in exploit kit attacks. I would strongly recommend that you block 192.95.10.208/28 in addition to the domains listed above.

Tuesday 10 December 2013

Evil network: R5X.org / OVH

Russian web host R5X.org has featured on this blog a few times before, but I took the opportunity to look at it a little more closely. What I found wasn't nice.

Out of 300 domains that I found hosted now or recently in R5X.org's space (rented from OVH), 177 (59%) are flagged as malicious by Google, and 230 (77%) are flagged as spam or malware by SURBL. MyWOT ratings indicate that there are no legitimate sites in the IP address ranges I checked.

R5X.org doesn't have a network of its own but it rents IPs from OVH. I have identified several small netblocks which I strongly recommend that you block, although there may be others.


According to the WHOIS details, the blocks are suballocated to:

organisation:   ORG-RL152-RIPE
org-name:       R5X.org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@r5x.org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Last year when R5X.org was using Hetzner, there was a name Tomas Gailiavicius associated with R5X although I do not know if that was accurate.

A list of all the domains I can find, with current IP addresses, MyWOT rating, the Google prognosis and SURBL codes, can be found here [csv]; otherwise I recommend using the following blocklist:



Monday 9 December 2013

Malware sites to block 9/12/2013

These malicious sites and IPs are related to this attack (thanks to the folks at ThreatTrack Security for the tip). Although a lot of the sites are not currently resolving, those that are up are hosted on 37.59.254.224 and 37.59.232.208 which are a pair of OVH IPs suballocated to:

organisation:   ORG-RL152-RIPE
org-name:       R5X.org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@r5x.org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


R5X.org IPs have featured a couple of times before here [1] [2] so I would suggest blocking any that you find. I'll do some research on those soon, but in the meantime I would recommend blocking the following IPs and domains. Domains that are already flagged by Google are highlighted.

minidelivery.biz
moreycrm.biz
mrhits.biz
mrhiuts.biz
mrroom.biz
mychurn.biz
myfroth.biz
mypioneer.biz
mypoach.biz
myseparate.biz
neopan.biz
neosource.biz
netveri.biz
nextsolid.biz
nextvoice.biz
notebeat.biz
notebraise.biz
notebread.biz
notebutterfly.biz
notegrease.biz
notequarter.biz
noterender.biz
noteresearch.biz
noticebake.biz
noticefry.biz
observemodern.biz
observemold.biz
okimmo.biz
onsweet.biz
optionpoach.biz
ourbooks.biz
overviewbind.biz
overviewform.biz
overviewoil.biz
oxyhelp.biz
pcincome.biz
petfast.biz
pickheat.biz
pickquarter.biz
picksearch.biz
picksweeten.biz
pickvision.biz
pointsdevelop.biz
pointsgrate.biz
pointsnovel.biz
pointsstyle.biz
pointswarm.biz
powertie.biz
probebrush.biz
probedrain.biz
probemint.biz
probeshred.biz
profilebarbecue.biz
profilefrost.biz
profileprocess.biz
profilesmoke.biz
qualitydough.biz
qualitymeasure.biz
qualityroast.biz
qualityscald.biz
questdebone.biz
questdeglaze.biz
questflavor.biz
questflip.biz
questimprovise.biz
questmodern.biz
questsee.biz
questthin.biz
questtoast.biz
rangebutterfly.biz
rangedice.biz
rangedough.biz
rangeglaze.biz
rangeinnovation.biz
rangemash.biz
rangetopz.biz
rankbeat.biz
rankjulienne.biz
rankshred.biz
rateescallop.biz
rateidea.biz
rateideal.biz
rateschirr.biz
readfrost.biz
readinstitute.biz
readroll.biz
readthicken.biz
recapblacken.biz
recapbread.biz
recapcream.biz
redcoffee.biz
redopginion.biz
redopinion.biz
remarkage.biz
remarkblanche.biz
remarkboil.biz
remarkdip.biz
remarkferment.biz
remarkgenuine.biz
remarkheat.biz
remarkjell.biz
remarkpreserve.biz
remarktruss.biz
retrospectblend.biz
retrospectcreate.biz
retrospectdeglaze.biz
retrospectferment.biz
retrospectfuture.biz
retrospectquarter.biz
retrospectschange.biz
reviewimprovise.biz
reviewsear.biz
reviewunmold.biz
revuecream.biz
revuedevelop.biz
revuegrate.biz
revueimage.biz
revuelayer.biz
revuepuree.biz
rungeek.biz
runpoker.biz
runrank.biz
safeconsult.biz
saverobot.biz
sayfilter.biz
saygarnish.biz
sayglaze.biz
sayheat.biz
scangrease.biz
scanimagination.biz
scannew.biz
scanpress.biz
scansmoke.biz
scoredecorate.biz
scoredescale.biz
scoreferment.biz
scoremacerate.biz
scoresliver.biz
scorevision.biz
scoringbatter.biz
scoringboil.biz
scoringchange.biz
scoringdiscover.biz
scoringleaven.biz
scoringoriginal.biz
scoringsimmer.biz
scoringthin.biz
scoutdescale.biz
scoutnovel.biz
screenchop.biz
screenpreserve.biz
screentemper.biz
searchbe.biz
seepercolate.biz
seepoach.biz
selectdiscover.biz
sentryprepare.biz
sentrysnip.biz
sentrytoss.biz
sentrywedge.biz
shakedownclarify.biz
shakedowncreate.biz
shakedowndry.biz
shakedowngel.biz
shakedowngenuine.biz
shakedownpoach.biz
shakedownpress.biz
shakedownprocess.biz
shakedownzest.biz
sharerebel.biz
sharpmy.biz
silversuccess.biz
silversurvival.biz
simplefreelance.biz
skycredit.biz
skyipad.biz
socialmicro.biz
sosecure.biz
spyjuice.biz
spymac.biz
spyslice.biz
studioroom.biz
studygarnish.biz
summarychar.biz
summarycut.biz
summaryfold.biz
sunmagazine.biz
surveygarnish.biz
surveyinfuse.biz
surveythink.biz
synopsisrender.biz
synopsiswhisk.biz
tallydough.biz
tallydrain.biz
tallyglaze.biz
tallymicrowave.biz
tallyoil.biz
tallysaute.biz
tallystyle.biz
testchop.biz
testdice.biz
testdrizzle.biz
testmelt.biz
testresearch1.biz
testrub.biz
thinkgame.biz
thinksoftware.biz
tickercaramelize.biz
tickerfrost.biz
tickerseason.biz
tierchurn.biz
tierdesign.biz
tierpreserve.biz
timequality.biz
tradeenergy.biz
truehotels.biz
trybeat.biz
tryblacken.biz
trybrown.biz
trybutterfly.biz
ultrafa.biz
usatrack.biz
valuesoak.biz
videocoffee.biz
viewbind.biz
viewbroil.biz
viewform.biz
viewmold.biz
viewresearch.biz
viewseason.biz
vipwish.biz
virtualspark.biz
watchflavor.biz
watchimprovise.biz
watchsteam.biz
worldfish.biz
worldninja.biz
youconsultant.biz
yourcore.biz
yourdeglaze.biz
yourdip.biz
yourflavor.biz
yourflip.biz
yourmint.biz
yourmodern.biz
yoursear.biz
yourtheme.biz
yourthink.biz

Wednesday 25 September 2013

6rf.net and something evil on 198.50.225.121, 85.25.108.10 and 178.33.208.211

Here are a couple of IPs serving exploit kits. The case in question is a legitimate site that loads code from 6rf.net, which in turn loads an exploit kit from [donotclick]yandex.ru.sgtfnregsnet.ru and [donotclick]l451l.witnessvacant.biz.

The .biz domain in this case is hosted on 198.50.225.121 (OVH, Canada) along with subdomains of the following (more here):

witnessvacant.biz
objectiongigs.biz
prosecutorpro.biz

That IP hosts various exploit kits and is suballocated to a Russian customer:

CustName:       Private Customer
Address:        Private Residence
City:           Penziatki
StateProv:    
PostalCode:     430000
Country:        RU
RegDate:        2013-08-12
Updated:        2013-08-12
Ref:            http://whois.arin.net/rest/customer/C04667583


Those domains are also associated with some other OVH IPs of 178.33.208.211 and 46.105.166.99 (OVH, France). In both those cases, the OVH range is delegated to another Russian customer:
organisation:   ORG-RL152-RIPE
org-name:       R5X.org ltd
org-type:       OTHER
address:        Krasnoselskaja 15-219
address:        346579 Moscow
address:        RU
abuse-mailbox:  abuse@r5x.org
mnt-ref:        OVH-MNT
mnt-by:         OVH-MNT
source:         RIPE # Filtered


Domains associated with the OVH France servers (and I would recommend blocking these) are:
caseagency.biz
chqqwyotlook.biz
cqcodoyogold.biz
flogdoyfohoqobl.biz
gyfowkdoylgoqc.biz
hearsayavailable.biz
jailprojects.biz
liablegigs.biz
lqcolqbtthdoydozzl.biz
objectiongigs.biz
objectionjobs.biz
othtdoyttqd.biz
ottptqc.biz
ottylook.biz
prosecutorpro.biz
qdpqdqcdoyplqdd.biz
subpoenaproject.biz
testimonyjobs.biz
thoqkgvqqgchot.biz
tohhohoqohwoy.biz
vqolqtqdoyodl.biz
witnessvacant.biz

But that's not the only infection that 6rf.net is punting, as there is another malicious domain of [donotclick]yandex.ru.sgtfnregsnet.ru in use (report here) hosted on 85.25.108.10 (Intergenia AG, Germany). There appears to be at least one other malicious domain on the same server (googlerobot.ru) which is also serving up an exploit kit [1] [2], and an examination of the rest of the domains on that IP shows nothing at all of value:

yandex.ru.sgtfnregsnet.ru
googlerobot.ru
google.directadvertstat.ru
nationalaustralia.org

It looks like other malware sites have been hosted on that IP in the past, so I would recommend blocking that too, giving this recommended blocklist:
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
6rf.net
caseagency.biz
chqqwyotlook.biz
cqcodoyogold.biz
flogdoyfohoqobl.biz
gyfowkdoylgoqc.biz
hearsayavailable.biz
jailprojects.biz
liablegigs.biz
lqcolqbtthdoydozzl.biz
objectiongigs.biz
objectionjobs.biz
othtdoyttqd.biz
ottptqc.biz
ottylook.biz
prosecutorpro.biz
qdpqdqcdoyplqdd.biz
subpoenaproject.biz
testimonyjobs.biz
thoqkgvqqgchot.biz
tohhohoqohwoy.biz
vqolqtqdoyodl.biz
witnessvacant.biz
yandex.ru.sgtfnregsnet.ru
googlerobot.ru
google.directadvertstat.ru
nationalaustralia.org
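The infection chain above starts with a legitimate page pulling a script from 6rf.net. The following is an added example, not code from the original post: it walks a page's HTML, collects every script, iframe, embed and object load that points at another host, and flags those whose host is on the blocklist or is a subdomain of a listed domain (so l451l.witnessvacant.biz matches witnessvacant.biz). The HTML and the blocklist entries are constructed for the example; the tag names and the subdomain-matching rule are my assumptions about what a practitioner would want to check.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed blocklist for the example: a subset of the domains and IPs the
# post above recommends blocking. Extend with the full list in production.
BLOCKED_DOMAINS = {
    "6rf.net",
    "witnessvacant.biz",
    "yandex.ru.sgtfnregsnet.ru",
    "googlerobot.ru",
}
BLOCKED_IPS = {"198.50.225.121", "85.25.108.10", "178.33.208.211", "46.105.166.99"}

# Constructed page body standing in for a compromised "legitimate" site:
# one same-origin script, one injected loader, one hidden iframe, one benign CDN.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://6rf.net/js/track.js"></script>
<iframe src="http://l451l.witnessvacant.biz/index.php" width="1" height="1"></iframe>
<script src="//cdn.example/lib.js"></script>
</head><body>Hello</body></html>
"""


class ExternalLoadCollector(HTMLParser):
    """Collect the URL attribute of tags that cause the browser to fetch and run content."""

    # tag -> attribute that carries the fetched URL (assumed set of interesting tags)
    WATCHED = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def host_of(url):
    """Hostname for absolute or protocol-relative URLs; None for same-origin paths."""
    if url.startswith("//"):
        url = "http:" + url  # protocol-relative loads follow the page's scheme
    return (urlsplit(url).hostname or "").lower() or None


def is_blocked_host(host):
    """Exact IP match, or the host equals / is a subdomain of a blocked domain."""
    if host in BLOCKED_IPS:
        return True
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def find_blocked_loads(html):
    """Return (host, url) pairs for every third-party load that hits the blocklist."""
    collector = ExternalLoadCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        host = host_of(url)
        if host and is_blocked_host(host):
            hits.append((host, url))
    return hits


if __name__ == "__main__":
    for host, url in find_blocked_loads(SAMPLE_HTML):
        print(f"BLOCKED LOAD  {host:30} {url}")
```

Run it against a saved copy of the suspect page; a hit on a loader such as 6rf.net is the injected first stage, and the iframe or script it pulls in is the exploit-kit landing page.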

Monday 13 August 2012

Something evil on 178.63.195.128/26

The IP address range 178.63.195.128/26 nominally belongs to grey hat host Hetzner in Germany, although it has been reallocated to a registrant in Israel. This block recently came up as the source for a ZeroAccess infection picked up from 178.63.195.170.

A look at the 178.63.195.128/26 range (178.63.195.128 - 178.63.195.191) shows several suspicious websites with domains apparently generated by DoItQuick (more info here). Most of the domains are too new to have any reputation, but given the live malware distribution and the randomly generated names, they are unlikely to be doing anything nice.

Also, I notice that quite a lot of suspect sites have recently been moved from this range to point at 127.0.0.1 instead, a common trick when malicious domains need to be pointed somewhere else quickly.
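Two checks follow from this post and the blocklist in the 6rf.net post above: is a given address inside a range such as 178.63.195.128/26, and does a listed domain still point into a blocked range, has it been parked on 127.0.0.1, or has it moved somewhere new that needs a fresh look. The example below is added here and is not the post's own tooling. It parses a mixed list of IPs, CIDR ranges and domains in the format these posts use, classifies each domain's current A record, and emits iptables DROP rules for the addresses and BIND RPZ records for the names. The blocklist excerpt and the resolution results are constructed so the script runs offline; in use you would replace the resolution dictionary with live lookups.

```python
import ipaddress

# Constructed blocklist in the shape the posts above use: bare IPs, a CIDR
# range and domain names, one per line. An illustrative subset, not the full list.
SAMPLE_BLOCKLIST = """\
# hosts from the 6rf.net post
46.105.166.99
85.25.108.10
178.33.208.211
198.50.225.121
# Hetzner range from this post
178.63.195.128/26
6rf.net
witnessvacant.biz
yandex.ru.sgtfnregsnet.ru
amalgamie.org
"""

# Constructed A-record answers standing in for live DNS lookups
# (swap in socket.gethostbyname or a resolver library to audit for real).
SAMPLE_RESOLUTIONS = {
    "6rf.net": "178.33.208.211",
    "witnessvacant.biz": "198.50.225.121",
    "yandex.ru.sgtfnregsnet.ru": "85.25.108.10",
    "amalgamie.org": "127.0.0.1",
}


def parse_blocklist(text):
    """Split a mixed blocklist into (list of ip_network, list of domains)."""
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # a bare address becomes a /32 network; strict=False tolerates host bits
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower())
    return networks, domains


def ip_is_blocked(ip, networks):
    """True if ip falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_resolution(resolved_ip, networks):
    """Classify where a listed domain currently points.

    'sinkholed'     -> loopback, i.e. the 127.0.0.1 parking trick described above
    'blocked-range' -> inside a listed address or netblock
    'elsewhere'     -> moved to an address not on the list; worth re-checking
    """
    addr = ipaddress.ip_address(resolved_ip)
    if addr.is_loopback:
        return "sinkholed"
    if any(addr in net for net in networks):
        return "blocked-range"
    return "elsewhere"


def audit(blocklist_text, resolutions):
    """Map every listed domain to its classification ('unresolved' if no answer)."""
    networks, domains = parse_blocklist(blocklist_text)
    result = {}
    for domain in domains:
        ip = resolutions.get(domain)
        result[domain] = classify_resolution(ip, networks) if ip else "unresolved"
    return result


def iptables_rules(networks):
    """Outbound DROP rules for the listed addresses and ranges."""
    return [f"iptables -A OUTPUT -d {net.with_prefixlen} -j DROP" for net in networks]


def rpz_records(domains):
    """Response Policy Zone records; 'CNAME .' makes the resolver answer NXDOMAIN."""
    records = []
    for domain in domains:
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")  # cover the throwaway subdomains too
    return records


if __name__ == "__main__":
    nets, doms = parse_blocklist(SAMPLE_BLOCKLIST)
    for domain, verdict in audit(SAMPLE_BLOCKLIST, SAMPLE_RESOLUTIONS).items():
        print(f"{domain:30} {verdict}")
    print("\n".join(iptables_rules(nets)))
    print("\n".join(rpz_records(doms)))
```

The wildcard RPZ record matters for this actor: the hostnames in these posts are random subdomains under a smaller set of registered domains, so blocking the registered domain and everything beneath it covers names you have not seen yet. A domain that audits as "elsewhere" has moved off the listed infrastructure and should be re-examined rather than silently dropped from the list.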

The registrant for this block is:
inetnum:         178.63.195.128 - 178.63.195.191
netname:         R5X
descr:           r5x
country:         DE
admin-c:         TG3863-RIPE
tech-c:          TG3863-RIPE
status:          ASSIGNED PA
mnt-by:          HOS-GUN
source:          RIPE # Filtered

person:          Tomas Gailiavicius
address:         r5x
address:         Kalinina 47-71
address:         188760 Priozersk
address:         RUSSIAN FEDERATION
phone:           +79876960550
nic-hdl:         TG3863-RIPE
mnt-by:          HOS-GUN
source:          RIPE # Filtered

178.63.195.163
altspanning.org
atherosplaylists.org
betasreceivable.org
bringsgrade.org
contenderfilesplitting.org
csidisengage.org
designercomcast.org
encouragesprosuite.org
excellentinvolving.org
firefoxorbitz.org
harvardhqv.org
journalcleanup.org
musicmakingranging.org
ndascontinuum.org
netbiosmediocre.org
originatingcomplicated.org
outlinedpart.org
pantspool.org
preciselycolormatching.org
rantcloned.org
sciencehearted.org
splitnearparent.org
threeparagraphrequirements.org
undeniableblues.org
upscalingfinalproduction.org
vhsintellectual.org
violationsmazes.org
weekendshadows.org
wellthoughtoutestablish.org
workforcefortunately.org

178.63.195.167
builtvaults.org
crystaljacket.org
photomanagementheadhunternet.org
spywareonlyadept.org
starshapedoutstanding.org
static-globe.info

178.63.195.168
bentowe.org
catchespayoff.org
connect4free.in
dvstitems.com
eeechock.org
flyeralone.info
flyersregard.com
free2connect.org
free4connect.org
hatssystem.org
internalpackaged.info
interviewsyamaha.org
operateriot.org
packageswml.info
playerhill.info
successfulmpfs.org
tetrisbroaden.com
zippedjump.com

178.63.195.170
abroad.name
cloud18.name
crimson25.name
dr4ms.name
du5t.name
fakejoke.name
fastservice.name
hlops.name
r0cket.name
ramaro.name
sameday.name
strongalc.name

178.63.195.171
bedtimeblues.org
book-placed.info
bookpart.info
bookpedias.info
bookposters.info
bookposts.info
builderviral.org
jeat-services.info
jeatservices.info
jeatstore.info
jetpremiums.info
jetsbookings.info
krym-house.info
krym-invest.info
krym4x4.info
krymvip-avto.info
krymzakupka.info
netledgerstumblrs.org
teatr-benefis.info
teatrbilet.info
teatrflowers.info
teatrglas.info
teatrgroup.info
trust-spb.info
truthbearers.info
trutrance.info
trworkshop.info
tryfxdata.info

Also these domains appear to be deactivated by pointing them to 127.0.0.1, but you might want to block them just in case:
addonsthoughultrasharp.info
adjustmentsmarginal.info
affectingmacrobiotics.org
alternatelylaughs.info
amalgamie.org
androidstwothirds.info
appleawardwinningstarshaped.info
attractionintrusive.org
aufdeal.info
blurbswatermarks.org
boltsmaking.info
caligarisflipboard.org
circlekidlandias.org
citegologo.org
cleanerspreview.info
collagesenjoyed.info
compensateversamail.info
computercontrolledtelsurf.info
conducivesnag.org
createasimfreemium.info
criesvendor.info
csspoets.info
curiousrebuilding.info
deletingpricelinecom.org
dependentssecond.org
desksorganize.org
didcontinuous.org
discoveredshuts.info
discussioncommentingmonths.info
disqushomepremier.info
embracedpreset.info
endurancescream.info
enforcesfinetune.org
epublishingtodays.info
exploredestabilized.info
extendscrosscountry.org
feedsproxystyle.org
filesyncingenigmatic.org
founderslogin.info
friendshipinterrupt.org
grandmasterpre.org
gunsgml.info
heftyends.info
idlpatterns.org
inboxtie.org
inputsecho.info
invoicedimplementations.info
javacentricunencumbered.org
kevinverizon.info
legalzoomspeak.org
licensedcrispest.org
likingmodule.info
lingeriegiftgiving.org
lodebombermonster.org
machinesruns.info
merchandiseorderingcommerce.org
mixedprone.info
mobileslockeddown.org
mouthmindmanager.org
mydocumentsredirected.info
myspaceatsale.org
namepasswordcobble.info
nanimatedpaperclip.info
notificationloose.org
obihaiwebfriendly.org
omissioncurve.info
onboardstougher.info
onchipimpressively.info
oneoffsynched.info
outshineresearcher.info
ownorcleared.info
pairautoupdate.info
permittighter.org
pimsluernarrating.info
programundo.org
realarcadeextranet.org
reallifeinformation.org
referjustifies.org
relinquishfloated.org
removersitevalidation.info
resettingeyeopening.info
ripoffsfliers.info
roadtripearlier.info
rocfloating.org
sanknowledge.info
selfemployedspeed.info
sierrastorms.org
silenceshalls.info
softpedalswav.info
solitaryorions.org
southmouse.org
specimenfortunate.info
spellingsurfinshield.info
sportsbare.info
stateforbid.org
staticmarkets.org
steveapprovals.org
stumbledunrooted.info
stylizeawarded.info
submenusonlineoriented.info
supplantbriefly.org
suspendersnine.org
textuallythrifty.org
tiabberation.info
touchtypinglower.org
treasuregiftgiving.org
turningcustomized.info
underlinedavira.org
uniquenesstrademarks.info
visibilityprerecorded.info
wavernewlyminted.org
wellasideallotted.org