Fake Twitter website steals user accounts

We received a notification of a phishing site used to steal the usernames and passwords of Twitter users. The fake website showed the old Twitter interface, used about a year ago.


Malware for Brazil hosted in Mexico

A few days ago, a link that was possibly distributing malware was reported to UNAM-CERT. The site was hosted in Mexico.

At first sight, the name of the file gives away some information about the type of the attack:



Kuluoz: a trojan that spreads through email


UNAM-CERT received a report about a possible malicious file. Even though the icon of the file seemed to belong to a Word document, it was an executable. Malware writers use this trick to deceive users into executing the malware without noticing. An example of the icon is shown in the image below:


Virus blocks antivirus websites

In recent days, a malicious file was captured and identified as a variant of the "Sality" virus, which began to spread in early 2003 and continues to infect a large number of computers because its authors have improved their antivirus evasion methods.


The captured file was downloaded with the name “inf.exe”. Its MD5 hash is shown below.



VBScript obfuscated malicious code


One of our previous posts on this blog analyzed a malicious sample that spread through USB devices. This time, the UNAM-CERT malware analysis team shows a method for reversing this obfuscation process on VBScript code corresponding to a variant of the "Servieca.vbs" malware.




Dorkbot variant downloads malware through an IRC C&C channel


A previous post on this blog analyzed a malware sample that spread over Skype; that sample was a Dorkbot variant. In recent days, several infections caused by a computer worm were reported, so the malware analysis team inspected the sample.




Email leads to Trojan download

Recently, UNAM-CERT received a notification about an email informing the user that he/she has recently been sued. Two PDF files are attached to the email, supposedly explaining the reasons for the lawsuit. Below is the email body:




Clicking the file links redirected to two different sites hosted on different servers, both of which led to the download of the same file in ZIP format.



Phishing targeting Apple users

In recent days, an email that supposedly came from the U.S. company Apple Inc. was spread. The email was addressed to the company's customers with the subject "Please confirm your information". Below is the message:




Fake email spoofs SAT in order to distribute malware



UNAM-CERT received a report of an email impersonating the Mexican Tax Administration Service (SAT, Sistema de Administración Tributaria) that alleges incidents related to statements; to review them, users had to consult a document included in the email. The message is shown in the image below:




Trojan pretends to be H magazine photos


The UNAM-CERT Computer Emergency Response Team received an email containing a download link to potential malware. Below is the email message, which refers to fake pictures from H magazine: