Fireball is a nasty piece of malware that could be affecting 250 million computers worldwide. Security firm Check Point has uncovered Fireball as well as the company that has implemented it. Rafotech is a Beijing-based advertising and marketing firm and the goal of Fireball is to generate ad revenue and clicks. Check Point says that at least 20% of corporate computers could be affected by this new malware with the major outbreaks being in Brazil, Mexico and India.
Once Fireball is on your system, it redirects the browser to alternate websites that look like search engines. From those pages, the malware generates ad clicks as well as collects private data from the target computer. The malware goes even further with the ability to send commands remotely as well as download and install other malware instances. The malware seems pretty nasty and complex and could be used in a variety of ways against a target or targets. Here are Check Point’s key findings on this new threat.
- Check Point analysts uncovered a high volume Chinese threat operation which has infected over 250 million computers worldwide, and 20% of corporate networks.
- The malware, called Fireball, acts as a browser-hijacker but and can be turned into a full-functioning malware downloader. Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
- Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.
- The operation is run by Chinese digital marketing agency.
- Top infected countries are India (10.1%) and Brazil (9.6%)
The scope of the malware distribution is alarming. According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%).
Based on Check Point’s global sensors, 20% of all corporate networks are affected . Hit rates in the US (10.7%) and China (4.7%) are alarming;but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates.
Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.
To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?
If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.
Check Point has a comprehensive write-up on their site at the link below, be sure to read that for the entire scope of the situation.