reddingtaxcm.com is a legitimate domain that is registered at GoDaddy and has been hijacked to serve up malware, hosted on 95.168.177.144 (NetDirekt, Germany but more below..).
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.
The malware appears to be a variant of Vundo / Virtumundo, the infection mechanism looks to be some sort of injection attack on third party sites.
Although the IP 95.168.177.144 is allocated to NetDirekt (now Leaseweb Germany), it belongs to part of a range suballocated to inferno.name of Serbia (apparently also known as v3Servers.net). Inferno featured recently in this blog with another similar malware attack, that time on 95.168.178.206. 95.168.177.0/4 seems to be full of (possibly fake) pharma sites.
Read more:
http://blog.dynamoo.com/2011/08/something-evil-on-95168177144.html
The sooner Leaseweb/NetDirekt boot Inferno, the better (they're well known for their involvement with criminals, so quite why it's not been done yet is beyond me).
3 comments:
i concur with this recent malware attack on a customer of mine originating from 184.154.201.18 which is a block of singlehop ip's in the US. Sent mail to their abuse department. we will see how it goes.
I got an 'attack' from 184.154.201.18. Mcfee blocked it apparently. My computer had a meltdown yesterday.
I had an 'attack' from 184.154.201.18 yesterday. My computer has had a meltdown aswell. Did a 24 hour restore on it and its back to normal after the antivirus download.
Post a Comment