Fireball malware’s flames infect a quarter of a BILLION computers

Published on: June 03rd, 2017

Mainly generates ad-revenue. But that could easily change…

David Bisson | June 2, 2017 7:13 pm | Filed under: macOS, Malware, Windows 3

Fireball malware’s flames touch a quarter of a BILLION computers

A new family of malware called Fireball has infected more than a quarter of a billion computers worldwide thanks to some crafty monetizing.

The malware has already claimed approximately one out of every five corporate networks, according to researchers at Check Point.

The greatest share of individual Fireball infections have thus far occurred in India (25.3 million – 10.1%), Brazil (24.1 million – 9.6%), Mexico (16.1 million – 6.4%), and Indonesia (13.1 million – 5.2%). As of this writing, the United States accounts for just 2.2% of Fireball infections at 5.5 million malware instances.

Map of Fireball infections. (Source: Check Point)
Needless to say, it takes a lot of resources to generate such a high volume of infections. It therefore comes as no surprise that Rafotech, a digital marketing company based in China, is behind it. (After all, we’ve seen companies take the lead on other malware campaigns just recently.)

So what does a standard Fireball infection look like?

Well, it all starts when Rafotech installs Fireball on an unsuspecting user’s computer. The company uses a shady form of monetizing known as “bundling” where it pairs the malware with some of its other products or other freeware distributors. To create a sense of legitimacy, Fireball even comes with digital certificates, files which no doubt smaller issuers with flexible ethics are responsible for having doled out.

Upon successful installation, the Beijing-based marketing firm leverages the malware to its advantage. As Check Point’s threat researchers explain:

“Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information.”

From there, Fireball installs plugins to boost the advertisements for Rafotech’s fake search engines and generate ad revenue.

Doesn’t sound too bad, does it?

Well, there’s the potential for MUCH greater harm. Fireball possesses the ability to run any code on an infected machine. As such, Rafotech could easily abuse it to harvest sensitive information from infected machines, drop additional malware, and execute code on the networks of some of the world’s largest enterprises.

Fireball infection flow. (Source: Check Point)
Given the threat of widespread harm, it’s important that users think twice before downloading freeware. Check Point’s researchers echo this sentiment:

“As with everything in the internet, remember that there are no free lunches. When you download freeware, or use cost-free services (streaming and downloads, for example), the service provider is making profit somehow. If it’s not from you or from advertisements, it will come from somewhere else.”

That’s not to say all freeware comes bundled with some dangerous program like Fireball. But that’s not saying a freely available program couldn’t come with a hidden threat.

To see if they’ve suffered a Fireball infection, users should carefully review their browsers’ home pages, default search engines, and extensions. If anything looks unfamiliar, they should try to reverse the changes. If they can’t, they should restore their web browsers to their default settings.