Fake email used to propagate malicious software

In recent days, several users reported to UNAM’s Computer Emergency Response Team an email that included a link to download an alleged tax receipt in PDF format that came from a company. However, clicking the link started the download of a compressed file with the extension “.rar”. A screenshot of the received email is shown in the image below; the download link for the file can be seen at the bottom of the image.


Websites compromised due to injection of JavaScript code

In recent days, a system administrator reported to us that his website had been blocked and that his browser flagged the site as malicious despite it being legitimate. For this reason, UNAM’s Computer Emergency Response Team proceeded to analyze it.

Many antivirus engines identified that the website hosted an unwanted program that could be a virus.


Bot hosted on Hotfile's server


UNAM’s Computer Emergency Response Team received a report about an allegedly malicious file hosted on the well-known file hosting website “hotfile.com” under the name “filrulais.exe”. For this reason, we proceeded to analyze the sample.




Phishing website of the gusanito.com portal

A user notified UNAM-CERT about an email that contained an allegedly malicious attachment and, in the body of the message, an IP address that redirected to a malicious portal pretending to be the popular e-card website gusanito.com. This kind of site is known as a phishing site, and its purpose is to take advantage of users by making them believe that they are browsing a legitimate website.



Virus that infects executable files through an alleged update of the Adobe Flash plugin

Recently, UNAM-CERT received a report about a malicious file that was propagating through the network and that pretended to be an update of the Adobe Flash Player plugin.

Once the website was accessed, it displayed a window to accept the download of the file.

After the download, the file was saved with the name dia11_puxa_cliente2.exe and the following page was displayed, which pretended to be a legitimate Adobe Flash website.


Malware used to generate electronic money – Bitcoins

The use of malicious software for bitcoin mining has been increasing. There are reports of cases where the software propagates itself through the Skype service; however, it is not limited to this service: computers can get infected through different media, such as websites or infected USB devices.


Email that redirects to a phishing site of the Afirme Bank

SSI/UNAM-CERT received a report about a website that attempted to impersonate the portal of the Afirme financial group.

In the body of the email there was a link to the alleged website, as shown below:

After the link is clicked, the user is redirected to the fake site of the bank. As can be observed, the URL contains the word “afirme” to avoid suspicion and make the user think that the site is legitimate.


Linux machines infected by bots

UNAM-CERT received a report about an allegedly malicious file for Linux operating systems. According to the complainant, the system showed poor performance and strange behavior, so we proceeded to analyze the sample.







Active botnets update their software


On April 4th we reported on a malicious email that was used to propagate malware through applets. The report can be read here. This week we kept receiving emails, except that on this occasion they were from the “Gusanito” e-cards.



Likejacking: Kidnapping of "Like", a new propagation method on Facebook

On April 12th, the security company Sophos published on its blog a report about a new scam campaign (fraud) that has been propagating through Facebook with the message:

“Dad walks in on daughter... EMBARRASING!!!”