Fake MP3 download sites pushing Zlob malware
This time the Zlob gang is using the "free MP3 downloads" gimmick as a means to infect PCs. A simple Google search yields a lot of junk sites offering "free" MP3 downloads. Here are screenshots of the fake MP3 sites as they appear in Google search results:


All these sites look the same. Here's a screenshot of one of the sites:

To download MP3s from these sites you need to install a plugin, and this plugin is nothing but a variant of Zlob malware. Here's a screenshot of one of the fake sites asking the user to download a plugin, supposedly to prevent leeching:

The plugin, fast-ticket2006.exe, is a Zlob/DNSChanger variant and is hosted at www.fast-ticket.net. However, this installer is a fairly old variant of Zlob and most AVs detect it. It installs a rootkit which hooks APIs in Ntdll.dll. Here's a screenshot of the rootkit file and some of the APIs hooked by the rootkit:
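The usual user-mode check an anti-rootkit tool performs for hooks like the ones above is to compare the first bytes of each ntdll.dll export in the on-disk image with the bytes in the live process and decode any jump it finds there. The Python below is an added illustration of that comparison, not code from this post or from the author's tool; the ntdll load address, export RVAs, prologue bytes and the rootkit module address 0x10001000 are constructed, hypothetical values.

```python
import struct

# Assumed (hypothetical) load address and size of ntdll.dll in the inspected
# process; real values come from the process's module list.
NTDLL_BASE = 0x7C900000
NTDLL_SIZE = 0x000B0000


def rel_jmp(src_va: int, dst_va: int) -> bytes:
    """Encode a 5-byte x86 'jmp rel32' written at src_va that lands on dst_va."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5))


# Constructed sample: first 8 bytes of three exports as read from the on-disk
# image (name -> (export RVA, bytes)).  RVAs and prologues are illustrative.
DISK = {
    "NtQueryDirectoryFile": (0x0000E07C, bytes.fromhex("B891000000BA0003")),
    "NtEnumerateValueKey": (0x0000E2A4, bytes.fromhex("B849000000BA0003")),
    "NtCreateFile": (0x0000D6A0, bytes.fromhex("B825000000BA0003")),
}

# The same 8 bytes as read from the live process.  Two exports have had their
# prologue overwritten with a jmp: one into a foreign module at 0x10001000
# (hypothetical rootkit DLL), one to a location inside ntdll itself.
MEMORY = {
    "NtQueryDirectoryFile": rel_jmp(NTDLL_BASE + 0x0000E07C, 0x10001000) + bytes.fromhex("BA0003"),
    "NtEnumerateValueKey": DISK["NtEnumerateValueKey"][1],
    "NtCreateFile": rel_jmp(NTDLL_BASE + 0x0000D6A0, NTDLL_BASE + 0x0007A000) + bytes.fromhex("BA0003"),
}


def check_export(name: str, rva: int, disk_bytes: bytes, mem_bytes: bytes) -> dict:
    """Compare one export's prologue on disk vs in memory and decode a jmp hook."""
    va = NTDLL_BASE + rva
    if disk_bytes == mem_bytes:
        return {"export": name, "status": "clean", "target": None, "target_in_ntdll": None}
    if mem_bytes[0] == 0xE9:  # jmp rel32: target = next instruction + displacement
        rel = struct.unpack("<i", mem_bytes[1:5])[0]
        target = (va + 5 + rel) & 0xFFFFFFFF
        inside = NTDLL_BASE <= target < NTDLL_BASE + NTDLL_SIZE
        return {"export": name, "status": "hooked", "target": target, "target_in_ntdll": inside}
    # Bytes differ but the first instruction is not a relative jmp (e.g. a
    # push/ret pair or an absolute jmp); report it for manual review.
    return {"export": name, "status": "patched", "target": None, "target_in_ntdll": None}


def scan(disk: dict, memory: dict) -> list:
    """Run the comparison over every export and return one finding per export."""
    return [check_export(n, rva, d, memory[n]) for n, (rva, d) in disk.items()]


if __name__ == "__main__":
    for f in scan(DISK, MEMORY):
        tgt = f"-> {f['target']:#010x}" if f["target"] is not None else ""
        note = "" if f["target_in_ntdll"] is None else (" (inside ntdll)" if f["target_in_ntdll"] else " (OUTSIDE ntdll: suspect)")
        print(f"{f['export']:24s} {f['status']:8s} {tgt}{note}")
```

A jump that leaves the ntdll image is the strong signal; a jump that stays inside it still deserves a look but can also be a legitimate patch.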

This malware redirects browsers to rogue sites and generates popups that urge users to install rogue security applications such as ContraVirus and AdvancedCleaner.
Most of these sites resolve to the IP addresses 70.85.246.49 and 70.85.246.49. Here's a Whois lookup, from SamSpade, for some of the sites:
1freemp3s.cn = [ 70.85.246.48 ]
(Asked whois.cnnic.net.cn:43 about 1freemp3s.cn)
Domain Name: 1freemp3s.cn
ROID: 20070720s10001s27391265-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 20: 21
Expiration Date: 2008-07-20 20: 21
mp3mania.cn = [ 70.85.246.49 ]
(Asked whois.cnnic.net.cn:43 about mp3mania.cn)
Domain Name: mp3mania.cn
ROID: 20070720s10001s27538514-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 23: 47
Expiration Date: 2008-07-20 23: 47
Finally, here's a list of these fake sites, though there could well be more than the ones covered here. (Do NOT visit these sites.)
Labels: fake mp3 downloads, rootkit, Zlob

5 Comments:
Swatkat, I have some problem. I need your help about "windows could not start because file is missing". I chose the second method because the first method did not work; then I had some problem with the driver installation. It has the error message "The RPC server is unavailable". Please help me and send your explanation to waew_getreal@yahoo.com
The latest version of your antirootkit is detected by Clam Antivirus as a potentially unwanted application. Clam's PUA signatures look for hacker tools, malware packers, and attempts to obfuscate in files/applications. A couple of other small antiviruses also give a similar warning, but my NOD32 gives it a clean bill of health.
Regards,
Anon...
Hey, just thought I'd mention it, but whoever it is that is trying to get people to download "advancecleaner" is also using websites for free chord charts now, not just MP3s.
I prefer to download mp3 legally and cheap.
Find my music reviews at stereoballs.blogspot.com
I recently came upon your website and I must say that you have done a great job, and I noticed we have similar topics like Free Mp3 Download and Video Download.
I'd like to know if I can add a link to your website on the resource page of my website, mp3suck.com. I am sure that my visitors might get something out of your work.
Please let me know if this is OK. Then send me the title and URL you want me to use for your link.
And also, do you think my website is worthy to be listed on yours?
Just in case you'd like to include my link on your site, just link it to http://www.mp3suck.com with the title "Free Mp3 Download". Take care.
Thanks,
Ian
Email: pop(at)mp3suck.com
Website: http://www.mp3suck.com