Check Point Software has sounded the alarm about Fireball, a malware that it estimates to have affected 250 million computers worldwide. Fireball takes over a machine’s browser and turns it into a “zombie,” allowing the malware to run any code on victims’ computers, while at the same time manipulating browser web traffic to generate revenue.

Fireball Malware Spreads Worldwide

Fireball has been distributed by Rafotech, a large digital marketing agency based in Beijing. Rafotech bundled Fireball with legitimate programs like Deal WiFi, Mustang Browser, SoSoDesk and FVP Image Viewer. Such programs may get explicit user consent for their installation, but not direct consent for the bundled programs that are also installed.

SecurityWeek recounts that, overall, India (25.3 million infections) and Brazil (24.1 million) were the largest geographic areas hit by Fireball. They were followed by Mexico (16.1 million) and Indonesia (13.1 million). In the United States, 5.5 million machines were found to be infected.

This is not just a consumer issue. According to Check Point, 20 percent of all corporate networks have been affected. Hit rates have reached as high as 60 percent in Indonesia, 43 percent in India and 38 percent in Brazil. The U.S. and China stand at 10.7 percent and 4.7 percent, respectively.

Fireball’s Tricks

Two of the tricks that Fireball uses are altering the default home page and hijacking the browser’s default search engine by directing the browser to one of its fake search engines. It collects information about its victims using tracking pixels that are part of the fake search engines.

Rafotech claims to have 300 million users worldwide but denies that it uses these fake search engines. Security researchers dispute this claim, noting that Rafotech may have also purchased additional distribution means from other threat actors.

The Fireball malware does not conform to usual characteristics of bundled software. Check Point asserts, “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user and they conceal their true nature.” Furthermore, Fireball “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multilayer structure and a flexible C&C.”

Fortunately, the Check Point blog contains instructions on how to remove the malware from both Windows and Mac systems. It would seem prudent to block possible infections directly and to sanitize any affected system.