Fireball malware’s flames infect a quarter of a BILLION computers

Mainly generates ad-revenue. But that could easily change...


A new family of malware called Fireball has infected more than a quarter of a billion computers worldwide thanks to some crafty monetizing.

The malware has already claimed approximately one out of every five corporate networks, according to researchers at Check Point.

The greatest share of individual Fireball infections has thus far occurred in India (25.3 million - 10.1%), Brazil (24.1 million - 9.6%), Mexico (16.1 million - 6.4%), and Indonesia (13.1 million - 5.2%). As of this writing, the United States accounts for just 2.2% of Fireball infections at 5.5 million malware instances.


Map of Fireball infections. (Source: Check Point)

Needless to say, it takes a lot of resources to generate such a high volume of infections. It therefore comes as no surprise that Rafotech, a digital marketing company based in China, is behind it. (After all, we’ve seen companies take the lead on other malware campaigns just recently.)

So what does a standard Fireball infection look like?

Well, it all starts when Rafotech installs Fireball on an unsuspecting user’s computer. The company uses a shady form of monetizing known as “bundling”, where it pairs the malware with some of its other products or with those of other freeware distributors. To create a sense of legitimacy, Fireball even comes with digital certificates, no doubt doled out by smaller issuers with flexible ethics.

Upon successful installation, the Beijing-based marketing firm leverages the malware to its advantage. As Check Point’s threat researchers explain:

“Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either or The fake search engines include tracking pixels used to collect the users’ private information.”

From there, Fireball installs plugins to boost the advertisements for Rafotech’s fake search engines and generate ad revenue.

Doesn’t sound too bad, does it?

Well, there’s the potential for MUCH greater harm. Fireball possesses the ability to run any code on an infected machine. As such, Rafotech could easily abuse it to harvest sensitive information from infected machines, drop additional malware, and execute code on the networks of some of the world’s largest enterprises.

Figure 1: Fireball infection flow. (Source: Check Point)

Given the threat of widespread harm, it’s important that users think twice before downloading freeware. Check Point’s researchers echo this sentiment:

“As with everything in the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.”

That’s not to say all freeware comes bundled with some dangerous program like Fireball. But it doesn’t mean a freely available program couldn’t come with a hidden threat, either.

To see if they’ve suffered a Fireball infection, users should carefully review their browsers’ home pages, default search engines, and extensions. If anything looks unfamiliar, they should try to reverse the changes. If they can’t, they should restore their web browsers to their default settings.
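The review described above can be scripted. The Python below is an added example, not code from this article or from Check Point: it checks the home page, startup URLs, default search provider and extensions in a Chromium-style profile against an allowlist. The JSON key names, both allowlists and the sample profile are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: hosts accepted as home page or search provider.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Assumption: IDs of extensions the user knowingly installed (constructed).
ALLOWED_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

def host_of(url):
    """Lower-cased host of a URL, or "" when it has none (e.g. empty string)."""
    return (urlsplit(url).hostname or "").lower()

def audit_profile(prefs):
    """Return (setting, value) pairs that fall outside the allowlists."""
    findings = []
    candidates = [("homepage", prefs.get("homepage", ""))]
    for url in prefs.get("session", {}).get("startup_urls", []):
        candidates.append(("startup_url", url))
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    candidates.append(("default_search", search.get("url", "")))
    for setting, url in candidates:
        host = host_of(url)
        if host and host not in ALLOWED_HOSTS:
            findings.append((setting, host))
    # Any extension the user does not recognise is listed for manual review.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id not in ALLOWED_EXTENSIONS:
            name = ext.get("manifest", {}).get("name", "<unnamed>")
            findings.append(("extension", f"{ext_id} ({name})"))
    return findings

# Constructed sample profile; the hijacker host uses the reserved .example TLD.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.hijacker.example/?src=hp",
  "session": {"startup_urls": ["http://search.hijacker.example/",
                               "https://www.google.com/"]},
  "default_search_provider_data": {"template_url_data":
      {"url": "http://search.hijacker.example/q={searchTerms}"}},
  "extensions": {"settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Password manager"}},
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Search helper"}}}}
}
""")

if __name__ == "__main__":
    for setting, value in audit_profile(SAMPLE_PREFS):
        print(f"REVIEW {setting}: {value}")
```

Each finding is a prompt for the manual review the article recommends, not proof of infection; an empty result only means the settings match the allowlist.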

More details of Fireball, and how to clean up infected systems, can be found on the Check Point blog.



14 Responses

  1. RDaleBarrow

    June 2, 2017 at 9:24 pm #

    “Flexible ethics”: sounds like a Kellyanne Conwayism to me! ;-)

    • Etaoin Shrdlu in reply to RDaleBarrow.

      June 2, 2017 at 11:32 pm #

      When she is talking about the democrats or media.

      • Off With Trumps Head in reply to Etaoin Shrdlu.

        June 3, 2017 at 12:13 am #

        Na. It’s only when she is vomiting out more fake news propaganda from the failing Trump ‘Administration’ or the garbage lies from FauxSpews.

        • MRBIGER in reply to Off With Trumps Head.

          June 3, 2017 at 4:00 am #

          In reply to, Likes To Get Off giving Trumps Head, or something like that.
          Socialist democratic losers Like you, remind me of Baghdad Bob, bombs falling everywhere but we’re winning. The socialist Democrats like you have lost everything you have one leader, you have no conscience, your entire life is hate and fear, fear that you will never win again and that is a very valid fear. You have lost, give it up, cry on the shoulder of your one leader, Maxine Waters.

        • Not Insane in reply to Off With Trumps Head.

          June 3, 2017 at 11:57 am #

          It’s all Trump’s fault. I mean there were no computer virus under Obama?

          God you people are obsessed, not everything is about politics. Get over it.

    • cyberhackster in reply to RDaleBarrow.

      June 3, 2017 at 2:46 pm #

      I bet she is flexible…

  2. AL

    June 3, 2017 at 1:33 am #

    Now I know why was acting weird today. When I used EDGE to check my yahoo mail the first page was a list down the left side with no graphics.

  3. Alistair

    June 5, 2017 at 9:18 am #

    How does freeware ‘unchecky’ ( fair here -- its sole mission is to untick check boxes of all that bundled software..
    I like to think it helps very many users, myself included, to avoid unwelcome/unwanted/potentially malicious bundled software by unticking or warning of bundled software .. It auto-updates and the maintainer/creator does a good job of responding to new software to add to its detection/unticking behaviour.

    • Mark Jacobs in reply to Alistair.

      June 5, 2017 at 12:44 pm #

      You shouldn’t be installing software often enough, that you’d need unchecky!

      • Mark Jacobs in reply to Mark Jacobs.

        June 5, 2017 at 12:44 pm #

        Software installation should be a big event, with lots of bells and whistles.

        • Alistair in reply to Mark Jacobs.

          June 5, 2017 at 3:05 pm #

          Maybe.. But what about a weary end user, one that is still logged in with admin privileges, where auto-updates are probably the best way to minimise exploitable software vulnerabilities, OR, when advising by email or telephone to update right now.. Unchecky will still be the most successful (statistically, compared to trying to educate the user for this infrequent software update event) mitigation against the end user installing unwelcome potentially malicious bundled software.

  4. Michael Ponzani

    June 5, 2017 at 4:37 pm #

    “Flexible ethics” sounds like Louis Armstrong singing to Billie Holiday about his running around, “I don’t lie. I’m just flexible with the truth.”

  5. Michael Ponzani

    June 5, 2017 at 4:38 pm #

    OOOPS I meant to say Careless with the truth.

  6. DoktorThomas™

    June 8, 2017 at 2:21 pm #

    Hard to believe there is a threat and informed users have to eyeball their PCs to find the infection? What kind of security is that?
