Fireball malware infected 250 million computers worldwide

+ Watch the recorded webinar: Inside a Docker Cryptojacking Exploit

Check Point researchers discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, named Fireball, takes over target web browsers, turning them into zombies.

Fireball malware

Fireball has two main functionalities: one is the ability to run any code on victims’ computers and downloading any file or malware; the other is hijacking and manipulating infected users’ web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

Who is behind this operation?

According to Check Point, this operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines which simply redirect the queries to either yahoo.com or Google.com.

The fake search engines include tracking pixels used to collect the users’ private information. Fireball can also spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, thus creating a massive security flaw in targeted machines and networks.

250 million infections worldwide

The scope of the malware distribution is quite alarming. Over 250 million computers worldwide are infected: specifically, there are 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). In the U.S. there are 5.5 million infections (2.2%).

Based on Check Point’s global sensors, the percentages of affected corporate networks are even higher: 20% of all corporate networks. Hit rates in the US (10.7%) and China (4.7%) are alarming, and even more so in Indonesia (60%), India (43%) and Brazil (38%).

Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Walking along the edge of legitimacy

Fireball and similar browser-hijackers are hybrid creatures, half seemingly legitimate software. Although Rafotech seemingly uses Fireball only for advertising and initiating traffic to its fake search engines, it actually can perform any action on the victims’ machines, which can have serious consequences.

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.

This gray zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.

It can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or the using Mac Finder function in the Applications folder on Macs. Users should also removing malicious Add-ons, extensions or plug-ins from their browsers.