About the IP classification method via Virus Tracker.
These are interesting observations about an RBN group 16 or 17 IP address to be blocked.
See: https://www.google.nl/#q=urlquery+RBN+group+16
This example has many groups using that specific url: https://urlquery.net/report.php?id=8785322
It is classified by the Virus Tracker as ufosaretrue.blogspot.no,Ghosted,
a nefarious DNS exploitation technique those cybercriminals use; read:
http://resources.infosecinstitute.com/ghost-domain-names/
polonus
Another Ghosted one: htxp://sport-rf.forum2x2.ru/ IP 174.36.29.21 Host Name: f24.dnspro dot org eToxic
https://www.virustotal.com/nl/url/b5850b26b8d905a2949b9f60391f55912b39e5719d32082af931a0b2413ad4bf/analysis/1390151563/
See: http://urlquery.net/report.php?id=8881247 - http://sameid.net/ip/174.36.29.22/
Botbuilder can be found online, but it is not cool at all according to Dimitrij Tarakanov, see his article here:
http://www.securelist.com/en/blog/563/Ice_IX_not_cool_at_all
Also this one on same IP: http://urlquery.net/report.php?id=8816003
Common denominator = forum2x2.ru/ & fullforums → htxp://truyen.fullforums.net/ = truyen.fullforums dot net,Ghosted,
according to the given Virus Tracker classification. Internal IP IDS alert for ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24.
Reported about such an IDS alert here earlier: http://forum.avast.com/index.php?topic=127447.0
We would normally see traffic from "infected" machines heading for such a block.
Snort should have a capture of what domain name we got a Sinkhole for, as it
looks for the Sinkholed IP in the DNS reply. Ideally you would want to look
at what IP got replied and search through your webproxy \ Firewall logs,
hopefully to see which client established a connection with that destination IP.
Quote credits go to ListArc's Russell
pol
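The correlation step Russell describes above, as an added example that is not part of the original post: it picks out DNS replies whose answer falls in the 199.2.137.0/24 sinkhole range named in the ET alert, then searches firewall/proxy log lines for the client that went on to connect to that IP. The log formats, `.invalid` hostnames and client addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Sinkhole range named in the ET TROJAN "DNS Reply Sinkhole - Microsoft" alert.
SINKHOLE_NET = ipaddress.ip_network("199.2.137.0/24")

# Constructed DNS-reply log lines (timestamp, client, queried name, answer); not real traffic.
DNS_LOG = """\
2014-01-19T17:12:01 10.0.0.15 query=ghosted-a.invalid answer=199.2.137.10
2014-01-19T17:12:03 10.0.0.15 query=benign.invalid answer=203.0.113.7
2014-01-19T17:12:09 10.0.0.22 query=ghosted-b.invalid answer=199.2.137.10
2014-01-19T17:13:40 10.0.0.31 query=ghosted-c.invalid answer=199.2.137.55
"""

# Constructed firewall/proxy log lines (timestamp, action, client -> destination:port).
FW_LOG = """\
2014-01-19T17:12:02 ALLOW 10.0.0.15 -> 199.2.137.10:80
2014-01-19T17:12:04 ALLOW 10.0.0.15 -> 203.0.113.7:443
2014-01-19T17:12:10 ALLOW 10.0.0.22 -> 199.2.137.10:443
2014-01-19T17:13:41 DENY  10.0.0.31 -> 199.2.137.55:80
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query=(\S+) answer=(\S+)$")
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY)\s+(\S+) -> (\S+):(\d+)$")


def sinkholed_replies(dns_log):
    """(client, domain, answer_ip) for each reply whose answer falls in the sinkhole range."""
    hits = []
    for m in filter(None, map(DNS_RE.match, dns_log.splitlines())):
        _ts, client, domain, answer = m.groups()
        if ipaddress.ip_address(answer) in SINKHOLE_NET:
            hits.append((client, domain, answer))
    return hits


def correlate(dns_log, fw_log):
    """Clients that actually connected to a sinkholed IP, with the domain that resolved there."""
    domains_for = defaultdict(set)         # (client, sinkholed IP) -> {queried domains}
    for client, domain, answer in sinkholed_replies(dns_log):
        domains_for[(client, answer)].add(domain)
    findings = defaultdict(set)            # client -> {(domain, dst_ip, fw_action)}
    for m in filter(None, map(FW_RE.match, fw_log.splitlines())):
        _ts, action, client, dst, _port = m.groups()
        for domain in domains_for.get((client, dst), ()):
            findings[client].add((domain, dst, action))
    return {client: sorted(hits) for client, hits in findings.items()}
```

Keying on (client, answer) rather than on the sinkholed IP alone keeps one client's lookup from being attributed to another client that resolved a different name to the same sinkhole address.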