Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges (2021 edition)

It's been about a zillion years (well, OK it was 2017) when I last published a list of IPs belonging to 3NT Solutions LLP that you probably want to block. Their name came up yet again in something I was looking at, and I was slightly surprised to see that the old list was still somewhat valid. However a bit of research found some new ranges and some that have been potentially cleaned up.

Current

5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
91.193.180.0/22
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
130.0.232.0/21
185.4.64.0/22
188.116.27.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

Potentially clean

95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
184.154.38.40/29

"Best porno ever" Necurs spam

This spam (apparently from the Necurs botnet) promises much, but seems not to deliver.

From:    Susanne@victimdomain.tld [Susanne@victimdomain.tld]
Date:    4 May 2018, 10:22
Subject:    Best porno ever

Hi [redacted],

Best gay,teen,animal porno ever
Please click the following link to activate your account.

hxxp:||46.161.40.145:3314

Regards,
Susanne

The sender's name varies, but is always in the same domain as the victim.

I only saw four different links in the body text:
Warning live links - do not click
http://46.161.40.145:3314/
http://37.1.211.221:1699/
http://31.207.47.125/3FgtbvCf
http://77.72.84.115/

None of these sites were working when I tested them. Hosting IPs are:

46.161.40.145 (Ankas Ltd, Moldova)
37.1.211.221 (3NT Solutions, UK)
31.207.47.125 (Hostkey, Netherlands)
77.72.84.115 (Netup, UK)

3NT Solutions are a well-known purveyor of badness and I recommend blocking everthing, What the payload is here is unclear, but you can guarantee that's it's nothing good. And probably not smut either.

Updated 3NT Solutions LLP / inferno.name / V3Servers.net IP ranges

 

[For the February 2021 version of this list, click here]

When I was investigating IOCs for the recent outbreak of BadRabbit ransomware I discovered that it downloaded from a domain 1dnscontrol.com hosted on 5.61.37.209. This IP belongs to a company called 3NT Solutions LLP that I have blogged about before.

It had been three-and-a-half years since I looked at their IP address ranges so I thought I would give them a refresh. My personal recommendation is that you block all of these, I have never seen anything of worth on any 3NT range. Note that inferno.name and V3Servers.net are the same outfit and I have included those too. If you know of any other ranges, please consider leaving a comment.

5.45.64.0/19
5.61.32.0/19
37.1.192.0/19
37.252.0.0/20
46.22.211.0/25
46.22.211.128/26
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
130.0.232.0/21
184.154.38.40/29
185.4.64.0/22
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

Malware spam: "New Fax Message" / administrator@local-fax.com leads to TrickBot

This fake fax leads to TrickBot which appears to be similar to the Dyre banking trojan that we saw a lot of last year..

From:    Administrator [administrator@local-fax.com]
To:    annie@[redacted]
Date:    1 November 2016 at 13:28
Subject:    New Fax Message
Signed by:    local-fax.com

Confidential Fax
Date: 01/11/2016
Recipient: annie@[redacted]
From: +443021881211
Attn:
Important document: For internal use only
The documents are ready. Check attached file for more information.

[THIS IS AN AUTOMATED MESSAGE - PLEASE DO NOT REPLY DIRECTLY TO THIS EMAIL]

Confidentiality Notice: The information contained in this message may be confidential and legally privileged. It is intended only for use of the individual named. If you are not the intended recipient, you are hereby notified that the disclosure, copying, distribution, or taking of any action in regards to the contents of this fax - except its direct delivery to the intended recipient - is strictly prohibited. If you have received this fax in error, please notify the sender immediately and destroy this cover sheet along with its contents, and delete from your system, if applicable.

Attached is a Word document (in this case Internal_Fax.doc) which has a pretty low detection rate at VirusTotal of 5/54. Both the Malwr report and Hybrid Analysis give some clues as to what is going on, but in fact the Malwr report comes out with a binary download location of:

www.tessaban.com/img/safafaasfasdddd.exe

This is a hacked legitimate website. Downloading that file manually and resubmitting it gives two rather more interesting Malwr and Hybrid Analysis reports give the following suspect traffic:

91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
37.1.209.51 (3NT Solutions LLP, UK)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
23.23.107.79 (Amazon EC2, US)

I can match all those IPs except the last to this ThreatGeek report, those IPs are a mix of what looks like dynamic IPs for hacked home users and static ones (highlighted):

5.12.28.0 (RCS & RDS Residential, Romania)
27.208.131.97 (China Unicom, China)
36.37.176.6 (VietTel, Cambodia)
37.1.209.51 (3NT Solutions LLP, UK)
37.109.52.75 (Cyfrowy Polsat, Poland)
46.22.211.34 (Inferno Solutions aka 3NT Solutions LLP, UK)
68.179.234.69 (ECTISP, US)
91.219.28.77 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
91.219.28.103 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)
104.250.138.194 (Sean Sweeney, US / Gorillaservers, US)
138.201.44.28 (Philip Diver, Australia / Hetzner, Germany)
188.116.23.98 (NEPHAX, Poland)
188.138.1.53 (PlusServer, Germany)
193.9.28.24 (FLP Kochenov Aleksej Vladislavovich aka uadomen.com, Ukraine)

3NT Solutions (aka Inferno Solutions / inferno.name) are very, very bad news and I would recommend blocking any IPs you can find for this outfit. FLP Kochenov Aleksej Vladislavovich aka uadomen.com has appeared here so many times [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] that really I have to categorise that as an Evil Network too.

If we excise the domestic IPs and blackhole the 3NT / Inferno / uadomen.com ranges we get a recommended blocklist of:

37.1.208.0/21
46.22.211.0/24
91.219.28.0/22
104.250.138.192/27
138.201.44.28
188.116.23.98
188.138.1.53
193.9.28.0/24

However, there's more to this too. The original email message is actually signed by local-fax.com and it turns out that this domain was created just today with anonymous registration details. The sending IP was 104.130.246.8 (Rackspace, US) and it also turns out that this is widely blacklisted and is probably worth blocking.

All the samples I have seen show a consistent MD5 of e6d2863e97523d2f0e398545989666e4 for the attachment, and all the recipients I have seen begin with the letter "a" curiously enough..

Malware spam: "Ieuan James" / "invoice EME018.docx"

So far this morning I've seen a handful of these malformed malware spams, claiming to be from a Ieuan James and with a subject of invoice EME018.docx. The body text contains some Base64 encoded data which presumably is meant to be an attachment.

For example..

From:    Ieuan James
Date:    8 January 2015 at 07:25
Subject:    invoice EME018.docx

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: text/plain;
        charset=us-ascii
Content-Transfer-Encoding: 7bit

--Apple-Mail-2E10F14F-2909-483A-9642-7C58A403A905
Content-Type: application/msword;
        name="invoice EME018.doc";
        x-apple-part-url=D103C3C9-1CC9-4BE2-89E7-EB608B41F92A
Content-Disposition: attachment;
        filename="invoice EME018.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAACAAAAIgAAAAAA
AAAAEAAAJAAAAAEAAAD+////AAAAACEAAAB/AAAA////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////
///////////////////////////////////spcEAKWAZBAAA8BK/AAAAAAAAEAAAAAAABgAA
AQgAAA4AYmpiaptVm1UAAAAAAAAAAAAAAAAAAAAAAAAZBBYALhAAAPk/AQD5PwEAAQAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A
AAAAAAAAAAAAAAAAAAAAAKQAAAAAALADAAAAAAAAsAMAALADAAAAAAAAsAMAAAAAAACwAwAA
[snipped for clarity]

Some assembly is required with this malware, but if you decode the Base64 area you get one of two different Word documents with VirusTotal detection rates of just 1/56 [1] [2]. These malicious documents contain one of two macros [1] [2] [pastebin] that download an additional component from one of the following locations:

http://ecovoyage.hi2.ro/js/bin.exe
http://mateusz321.cba.pl/js/bin.exe

This binary is saved as %TEMP%\oHIGUIgifdg.exe and has a VirusTotal detection rate of 10/55. The Malwr report for this shows that it connects to:

http://74.208.11.204/
http://129.215.249.52/qZXI6nYL8NLtqX6%3DZ/@mF6s4lFjMN4JSfB%2CVPutSGtX/6Ww_r5R%3FlP_ce2A
http://78.140.164.160/LL7yk@O6E/Qyiy/6yz%3Dzs18r/s4$rV

It also queries some other hosts, meaning that it looks like it attempts to connect home to:

59.148.196.153 (HKBN, Hong Kong)
74.208.11.204 (1&1, US)
129.215.249.52 (Edinburgh University, UK)
78.140.164.160 (Webazilla, US)
37.1.208.21 (3NT Solutions LLP aka inferno.name, UK)
86.156.238.178 (BT, UK)

In addition, the Malwr report says that a malicious DLL is dropped with a detection rate of 2/56.

Recommended minimum blocklist:
59.148.196.153
74.208.11.204
129.215.249.52
78.140.164.160
37.1.208.21
86.156.238.178

In addition I suggest blocking 3NT Solutions LLP / inferno.name IP ranges on sight. I would very strongly recommend blocking the entire 37.1.208.0/21 range.

For researchers, a copy of all the files is available here, password is infected.

On the trail of 3NT Solutions LLP

NOTE: An updated list of IPs can be found here (October 2017)

Yesterday I blogged about a company called 3NT Solutions LLP apparently based in the UK and expressed my reservations about them as a business. They operate quite a large range of IP addresses, but a quick Google search shows pitifully little about this company.

Let's start our investigation by looking them up at Companies House. That gives some basic details:

3NT SOLUTIONS LLP
SUITE 4084
10 GREAT RUSSELL STREET
LONDON
ENGLAND
WC1B 3BQ
Company No. OC363382

LLPs are a relatively new type of company in the UK which allows a firm to be registered with the minimum of details, but there are reports that LLP structures are being widely abused. We'll have a look at the ownership in a moment, but first let's check out this grand-sounding office in Central London..

View Larger Map

It is, in fact, the Bloomsbury branch of Mail Boxes Etc and "suite" is simply a euphemism for "mail box".. in other words, this is a mail drop address that most likely forwards any mail to another address, a trick that conceals the full owners of the company.

OK, so that address is a bust. But the WHOIS records for their IP blocks, and their previous address registered at Companies House is something different:

DALTON HOUSE
60 WINDSOR AVENUE
LONDON
SW19 2RR

We can trundle over to that on Google StreetView too..

View Larger Map

Dalton House is basically the same thing as the MBE address, it offers a brass plaque somewhere and a mail forwarding service. So no real clues as to ownership here either.

A trip back to Companies House to find their Company Register information [rtf] reveals very little, except two related companies in Belize.

LLP DESIGNATED MEMBER:	DARL IMPEX LTD
Appointed:	01/04/2011
Nationality:	NATIONALITY UNKNOWN
No. of Appointments:	1
Address:	35 NEW ROAD
	BELIZE
	BELIZE
	NA

LLP DESIGNATED MEMBER:	LEGRANT TRADING LTD.
Appointed:	19/03/2013
Nationality:	NATIONALITY UNKNOWN
No. of Appointments:	1
Address:	BLAKE BUILDING SUITE 102, GROUND FLOOR, BLAKE BUIL
	CORNER EYRE&HUTSON STREETS
	BELIZE CITY
	BELIZE
	NA

Belize is a pretty much a haven for offshore companies, so it is quite likely that these two Belize companies are owned by someone in a different country again.

The domain registration for 3nt.com doesn't really give any more information, and oddly enough their website is down (so how do they expect to attract business?). But if we do a WHOIS lookup on one of their IP ranges then it becomes much more clear.

inetnum:        5.61.32.0 - 5.61.47.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        DE
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     LEASEWEB-MNT
source:         RIPE # Filtered

person:         Neil Young
address:        3NT SOLUTIONS LLP
address:        DALTON HOUSE 60, WINDSOR AVENUE
address:        LONDON, UK
phone:          +442081333030
abuse-mailbox:  abuse@3nt.com
nic-hdl:        TNTS-RIPE
mnt-by:         MNT-3NT
source:         RIPE # Filtered

route:          5.61.32.0/20
descr:          Routed via LEASEWEB
origin:         AS16265
mnt-by:         OCOM-MNT
source:         RIPE # Filtered

Alright, let's cut a long story short because we know who this is.. it's Serbian web host inferno.name who have featured on this blog several times before all the way back to 2011. Similar records exist on all of 3NT's ranges, linking them firmly with inferno.name.

Not it's not a particular surprise to see that inferno.name is trading under a different name, as the scummy sites they host pretty much ruined their reputation. And yeah, this blog helped with that.

I had a look into some of 3NT's IP ranges and you can tell instantly from these samples [csv] that they are pretty low-grade spammy sites. What you can't tell from that list are the command and control servers that they run, and of course they also host malware.

The following IP range are allocated to 3NT Solutions LLP. I recommend that you block them.
5.45.64.0/21
5.45.72.0/22
5.45.76.0/22
5.61.32.0/20
37.1.192.0/21
37.1.200.0/21
37.1.208.0/21
37.1.216.0/21
37.252.2.0/24
37.252.12.0/24
130.0.232.0/21

In addition, these other (smaller) ranges are allocated to inferno.name and v3servers.net who are the same outfit. I also recommend that you block these:
 46.21.147.128/25
46.21.148.128/25
46.22.211.0/25
80.79.124.128/26
92.48.122.0/28
92.48.122.16/28
92.48.122.32/28
92.48.122.48/28
94.100.17.128/26
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

Something evil on 74.50.122.8, 5.61.36.231 and 94.185.85.131

Thanks to @Techhelplistcom for the heads up on this little mystery..

It all starts with a spam evil (described here)..

The link goes to a URLquery report that seems pretty inconclusive,  mentioning a URL of [donotclick]overcomingthefearofbeingfabulous.com/xjvnsqk/fbktojkxbxp.php [an apparently poorly secured server at 74.50.122.8, Total Internet Solutions Pvt. Ltd in India] that just does a redirect to a spammy diet pill site at thefxs.com [94.177.128.10, Linkzone Media Romania] if you have a Windows User Agent set.

As Techhelplist says, set the UA to an Android one and you get a very different result. In this case you get bounced to a site hosted on 5.61.36.231 (3NT Solutions / Inferno.name)
[donotclick]mobile.downloadadobecentral.ru/FLVupdate.php  then to
[donotclick]mobile.downloadadobecentral.ru/FLVupdate2.php from where it attempts to download a file FlashUpdate.apk

3NT Solutions / inferno.name is a known bad actor and you should block all their IPs on sight, in this case they have a netblock 5.61.32.0/20 which I strongly recommend that you route to the bitbucket.

FlashUpdate.apk has a VirusTotal detection rate of 22/47, but most Android users are probably not running anti-virus software. The Andrubis analysis of that .apk shows a network connection to 94.185.85.131 (Netrouting Telecom, Sweden) plus (oddly) some pages loaded from ticketmaster.com.

It just goes to show that what you think might be harmless spam can actually be something very, very different if you access it on a mobile device.

Recommended blocklist:
5.61.32.0/20
94.177.128.10
74.50.122.8
94.185.85.131
downloadadobecentral.ru
jariaku.ru
350600700200.ru
overcomingthefearofbeingfabulous.com

UPDATE 2014-05-25: Note that overcomingthefearofbeingfabulous.com has been cleaned up and appears to be no longer compromised.

Something evil on 85.17.222.80, lpicture.info and ghjvodka.info

Some sites appear to have been hit by a sophisticated multi-part injection attack that triggers only once per IP (so difficult to track down).

There are two injected elements, one is a .in site hosted on 85.17.222.80 [Leaseweb, Netherlands] which could be one of the following:

sds.vaselisa.in
dds.kiriloid.in
drf.yerevano.in
sddr.margarit.in
cd.fancyclu.in

There's a pretty inconclusive Wepawet report here but be assured that these domains have a malicious payload.

The second injection is a reference to lpicture.info which is hosted on 95.168.173.151, this is a Leasweb Germany IP address suballocated to inferno.name who appear to be a Serbian firm fronted in the UK. I strongly recommend blocking all their IP ranges (listed here) if you can. lpicture.info merely forwards to a malicious payload on ghjvodka.info (report here) and that in turn is listed on 37.59.198.55 (OVH, France) along with some other suspect looking sites that lead be to conclude that this IP address is worth blocking too:

ns2.deftheory.org
abcvodka.info
defvodka.info
ghjvodka.info
abcfree.info
ns1.abcfree.info
deffree.info
ghjfree.info
ns1.ghjfree.info
klmfree.info
opqfree.info
ns1.opqfree.info
rstfree.info
uvwfree.info
ns1.uvwfree.info
xyzfree.info
ns1.xyzfree.info
deflocal.info
ns1.deflocal.info
ghjlocal.info
klmlocal.info
noplocal.info
ghjseat.info
klmseat.info
ns1.klmseat.info

This malware seems to be quite good at avoid analysis. But if you can block these IPs then I strongly recommend that you block them.

Something evil on 212.95.54.22 (inferno.name)

Something evil is lurking on 212.95.54.22, a server belonging to black hat host inferno.name (mentioned here before).

I've never seen a legitimate site hosted by inferno.name, and I recommend that you block their IP ranges.. I ideidentified the following list last August, I haven't had the change to go back and check it again.

46.22.211.0/25
80.79.124.128/26
92.48.122.32/28
95.168.165.0/24
95.168.173.0/24
95.168.177.0/24
95.168.178.0/24
95.168.191.0/24
188.72.204.0/24
188.72.213.0/24
188.143.232.0/23
212.95.54.0/24
212.95.58.0/24
212.95.63.0/24

These are the some of malicious sites hosted on that server, it appears to be some sort of injection attack although it is still being analysed.

*.1905188000.1959caddylimousine.com
*.1959caddylimousine.com
*.2358552833.59caddylimousine.com
*.2851874892.elegantdesign-dfw.org
*.3278164984.elegantdesign-dfw.info
*.59caddylimousine.com
*.alvolo.co.uk.process.1905188000.1959caddylimousine.com
*.ca.redirect.3278164984.elegantdesign-dfw.info
*.co.uk.process.1905188000.1959caddylimousine.com
*.com.process.2851874892.elegantdesign-dfw.org
*.elegantdesign-dfw.info
*.elegantdesign-dfw.org
*.google.ca.redirect.3278164984.elegantdesign-dfw.info
*.google.com.process.2851874892.elegantdesign-dfw.org
*.google.it.process.2358552833.59caddylimousine.com
*.it.process.2358552833.59caddylimousine.com
*.process.1905188000.1959caddylimousine.com
*.process.2358552833.59caddylimousine.com
*.process.2851874892.elegantdesign-dfw.org
*.redirect.3278164984.elegantdesign-dfw.info
*.uk.process.1905188000.1959caddylimousine.com
1905188000.1959caddylimousine.com
212-95-54-22.local
2358552833.59caddylimousine.com
2851874892.elegantdesign-dfw.org
3278164984.elegantdesign-dfw.info
alvolo.co.uk.process.1905188000.1959caddylimousine.com
ca.redirect.3278164984.elegantdesign-dfw.info
co.uk.process.1905188000.1959caddylimousine.com
com.process.2851874892.elegantdesign-dfw.org
europschool.net.url.2523133614.elegantdesign-dfw.net
flyksa.com.redirect.465141941.59caddylimo.com
google.ca.redirect.3278164984.elegantdesign-dfw.info
google.com.process.2851874892.elegantdesign-dfw.org
google.it.process.2358552833.59caddylimousine.com
it.process.2358552833.59caddylimousine.com
oekb36.at.process.340120129.1959caddylimo.com
oekb36.at.redirect.411115172.59cadillaclimousine.com
process.1905188000.1959caddylimousine.com
process.2358552833.59caddylimousine.com
process.2851874892.elegantdesign-dfw.org
redirect.3278164984.elegantdesign-dfw.info
suche.aol.de.search.410468745.elegantdesign-dfw.org
uk.process.1905188000.1959caddylimousine.com
www.alvolo.co.uk.process.1905188000.1959caddylimousine.com
www.berrywestra.nl.search.43565349.1959caddylimousine.com
www.dianaamft.de.search.413644068.59caddylimo.com
www.feuerwehr-schweiz.ch.redirect.461037769.1959caddylimousine.com
www.frnd.de.query.333082952.1959caddylimo.com
www.frnd.de.url.318686353.elegantdesign-dfw.org
www.gaestehaus-schuett-niendorf.de.redirect.411264880.jennyspecialoffer.info
www.google.at.url.4079944488.59caddylimousine.com
www.google.ca.redirect.3278164984.elegantdesign-dfw.info
www.google.com.process.2851874892.elegantdesign-dfw.org
www.google.com.query.3384746824.elegantdesign-dfw.info
www.google.de.process.314184094.1959cadillaclimo.com
www.google.de.process.3384063282.59caddylimo.com
www.google.de.process.3464400104.elegantdesign-dfw.org
www.google.de.process.36453841.59cadillaclimo.com
www.google.de.process.412658054.59cadillaclimousine.com
www.google.de.query.15292270.elegantdesign-dfw.net
www.google.de.query.332541317.59cadillaclimousine.com
www.google.de.query.335211808.elegantdesign-dfw.org
www.google.de.query.3384406282.jennyspecialoffer.info
www.google.de.query.3464386393.59caddylimousine.com
www.google.de.query.464367892.1959caddylimo.com
www.google.de.redirect.3384265678.elegantdesign-dfw.info
www.google.de.redirect.3384350356.1959cadillaclimousine.com
www.google.de.redirect.3464464836.1959cadillaclimo.com
www.google.de.redirect.464534470.1959cadillaclimo.com
www.google.de.search.3384394923.1959cadillaclimo.com
www.google.de.search.3384492708.elegantdesign-dfw.com
www.google.de.search.382410083.1959cadillaclimousine.com
www.google.de.search.393679898.59caddylimousine.com
www.google.de.search.4082654881.1959caddylimousine.com
www.google.de.search.412756816.59caddylimousine.com
www.google.de.search.462774118.elegantdesign-dfw.info
www.google.de.search.463016893.59cadillaclimousine.com
www.google.de.url.15149077.59caddylimo.com
www.google.de.url.2523853156.elegantdesign-dfw.net
www.google.de.url.2531191013.1959cadillaclimousine.com
www.google.de.url.314298327.1959cadillaclimo.com
www.google.de.url.337083412.1959cadillaclimousine.com
www.google.de.url.3375711067.elegantdesign-dfw.net
www.google.es.process.3254798273.1959cadillaclimo.com
www.google.gr.process.11965077.1959cadillaclimousine.com
www.google.it.process.2358552833.59caddylimousine.com
www.google.nl.redirect.455319947.59caddylimo.com
www.google.nl.search.4251017144.1959cadillaclimousine.com
www.kefalonia-animal-trust.de.url.397020850.59cadillaclimousine.com
www.kgse.de.process.465129127.elegantdesign-dfw.info
www.klassik-in-berlin.de.search.464418679.59cadillaclimo.com
www.landwarenshop.de.search.463324361.59cadillaclimo.com
www.losan.de.redirect.318546405.1959cadillaclimousine.com
www.mein-unterrichtsmaterial.de.query.3254956884.1959cadillaclimousine.com
www.rafoeg.de.process.463558035.59caddylimo.com
www.sportfoto-vogler.de.process.337602454.elegantdesign-dfw.com
www.sportfoto-vogler.de.url.337492263.jennyspecialoffer.info
www.torleute.de.redirect.341391517.59caddylimo.com
www.welte.de.search.397762316.1959cadillaclimo.com

Update 15/11/12:
94.100.17.128/26 (94.100.17.128 - 94.100.17.191) is another inferno.name range that you should probably block.