Fake MP3 download sites pushing Zlob malware

This time Zlob gang is using the "free MP3 downloads" gimmick as a means to infect PCs. A simple Google search yields a lot of junk sites offering "free" MP3 downloads. Here are the screenshots of fake MP3 sites as they appear in Google search results:


All these sites look same. Here's a screenshot of one of the site:

And, to download MP3s from these sites you need to install a plugin. And, this plugin is nothing but a variant of Zlob malware. Here's a screenshot of one of the fake site asking user to download a plugin in order to prevent leeching:

The plugin, fast-ticket2006.exe, is a Zlob/DNSChanger variant and is hosted at www.fast-ticket.net. However, this installer is a fairly old variant of Zlob and most of the AVs detect it. It installs a rootkit which hooks APIs in Ntdll.dll. Here's a screenshot of rooted file and some of the APIs hooked by the rootkit:


This malware redirects browsers to rogue sites, and generates popups that urge users to install rogue security applications like ContraVirus, AdvancedCleaner etc.

Most of these sites resolve to IP addresses 70.85.246.49 and 70.85.246.49 . Here's a Whois lookup, from SamSpade, for some of the sites:

1freemp3s.cn = [ 70.85.246.48 ]
(Asked whois.cnnic.net.cn:43 about 1freemp3s.cn)
Domain Name: 1freemp3s.cn
ROID: 20070720s10001s27391265-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 20: 21
Expiration Date: 2008-07-20 20: 21

mp3mania.cn = [ 70.85.246.49 ]
(Asked whois.cnnic.net.cn:43 about mp3mania.cn)
Domain Name: mp3mania.cn
ROID: 20070720s10001s27538514-cn
Domain Status: ok
Registrant Organization: SAVIHA SHENYI
Registrant Name: Hotis Navashit
Administrative Email: sto@gartwa.ch
Sponsoring Registrar:
Name Server: ns1.pro-mp3.cn
Name Server: ns2.pro-mp3.cn
Registration Date: 2007-07-20 23: 47
Expiration Date: 2008-07-20 23: 47

Finally, here's a list of these fake sites. But there could be more than the ones covered below! (Do NOT visit links given below):

mp3record.cn
hardmp3.cn
music4me.cn
supermp3s.cn
mp3stars.cn
mp3djs.cn
livemp3s.cn
freedlmusic.cn
freshmp3s.cn
listmp3.cn
musicforfun.cn
take4freemp3.cn
load4freemp3.cn
musicdreams.cn
mp3sfan.cn
soundwishes.cn
mp3library.cn
nocreditmp3.cn
zoneofmp3.cn
mp3for3.cn
mp3client.cn
musicstream.cn
musicstream.cn
freedlmusic.cn
mp3daily.cn
total-music.cn
filesmp3.cn
1freemp3s.cn
homemp3s.cn
mp3portal.cn
sound-online.cn
freesoundclub.cn
music-center.cn
freemp3lib.cn
muchmp3.cn
livemp3s.cn
directmp3.cn
mp3complete.cn
mp3mania.cn
allmp3s.cn
hotmp3ology.cn
mp3-downloads.cn
mp3area.cn
bestmp3s.cn
for3mp3.cn
soundwishes.cn
mp3archiv.cn
freshmp3.cn
mp3gifts.cn
mp3spider.cn
pro-mp3.cn