Fireball malware’s flames infect a quarter of a BILLION computers

David Bisson

Fireball malware's flames touch a quarter of a BILLION computers

Fireball malware's flames touch a quarter of a BILLION computers

A new family of malware called Fireball has infected more than a quarter of a billion computers worldwide thanks to some crafty monetizing.

The malware has already claimed approximately one out of every five corporate networks, according to researchers at Check Point.

The greatest share of individual Fireball infections have thus far occurred in India (25.3 million – 10.1%), Brazil (24.1 million – 9.6%), Mexico (16.1 million – 6.4%), and Indonesia (13.1 million – 5.2%). As of this writing, the United States accounts for just 2.2% of Fireball infections at 5.5 million malware instances.

Map1
Map of Fireball infections. (Source: Check Point)

Needless to say, it takes a lot of resources to generate such a high volume of infections. It therefore comes as no surprise that Rafotech, a digital marketing company based in China, is behind it. (After all, we’ve seen companies take the lead on other malware campaigns just recently.)

So what does a standard Fireball infection look like?

Well, it all starts when Rafotech installs Fireball on an unsuspecting user’s computer. The company uses a shady form of monetizing known as “bundling” where it pairs the malware with some of its other products or other freeware distributors. To create a sense of legitimacy, Fireball even comes with digital certificates, files which no doubt smaller issuers with flexible ethics are responsible for having doled out.

Upon successful installation, the Beijing-based marketing firm leverages the malware to its advantage. As Check Point’s threat researchers explain:

“Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information.”

From there, Fireball installs plugins to boost the advertisements for Rafotech’s fake search engines and generate ad revenue.

Doesn’t sound too bad, does it?

Well, there’s the potential for MUCH greater harm. Fireball possesses the ability to run any code on an infected machine. As such, Rafotech could easily abuse it to harvest sensitive information from infected machines, drop additional malware, and execute code on the networks of some of the world’s largest enterprises.

Figure 1
Fireball infection flow. (Source: Check Point)

Given the threat of widespread harm, it’s important that users think twice before downloading freeware. Check Point’s researchers echo this sentiment:

“As with everything in the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.”

That’s not to say all freeware comes bundled with some dangerous program like Fireball. But that’s not saying a freely available program couldn’t come with a hidden threat.

To see if they’ve suffered a Fireball infection, users should carefully review their browsers’ home pages, default search engines, and extensions. If anything looks unfamiliar, they should try to reverse the changes. If they can’t, they should restore their web browsers to their default settings.

More details of Fireball, and how to clean-up infected systems, can be found on the Check Point blog.

David Bisson David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

14 Replies to “Fireball malware’s flames infect a quarter of a BILLION computers”

      1. Na. It's only when she is vomiting our more fake news propaganda from the failing Trump 'Administration' or the garbage lies from FauxSpews.

        1. In reply to, Likes To Get Off giving Trumps Head, or something like that.
          Socialist democratic losers Like you, remind me of Baghdad Bob, bombs falling everywhere but we're winning. The socialist Democrats like you have lost everything you have one leader, you have no conscience, your entire life is hate and fear, fear that you will never win again and that is a very valid fear. You have lost, give it up, cry on the shoulder of your one leader, Maxine Waters.

        2. It's all Trump's fault. I mean there were no computer virus under Obama?

          God you people are obsessed, not everything is about politics. Get over it.

  1. Now I know why Yahoo.com was acting weird today. When I used EDGE to check my yahoo mail the first page was a list down the left side with no graphics.

  2. How does freeware 'unchecky' (unchecky.com) fair here — it's sole mission is to untick check boxes of all that bundled software..
    I like to think it helps very many users, myself included, to avoid unwelcome/unwanted/potentially malicious bundled software by unticking or warning of bundled software .. It auto-updates and the maintainer/creator does a good job of responding to new software to add to it's detection/unticking behaviour.

        1. Maybe.. But what about a weary end user, one that is still logged in with admin privileges, where auto-updates are probably the best way to minimise exploitable software vulnerabilities, OR, when advising by email or telephone to update right now.. Unchecky will still be the most successful (statistically, compared to trying to educate the user for this infrequent software update event) mitigation against the end user installing unwelcome potentially malicious bundled software.

  3. "Flexible ethics" sounds like Louis Armstrong singing to Billie Holiday about his running around, "I don't lie. I'm just flexible with the truth."

  4. Hard to believe there is a threat and informed users have to eyeball their PCs to find the infection? What kind of security is that?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.