June 5, 2017 By Larry Loeb 2 min read

Check Point Software has sounded the alarm about Fireball, a malware that it estimates to have affected 250 million computers worldwide. Fireball takes over a machine’s browser and turns it into a “zombie,” allowing the malware to run any code on victims’ computers, while at the same time manipulating browser web traffic to generate revenue.

Fireball Malware Spreads Worldwide

Fireball has been distributed by Rafotech, a large digital marketing agency based in Beijing. Rafotech bundled Fireball with legitimate programs like Deal WiFi, Mustang Browser, SoSoDesk and FVP Image Viewer. Such programs may get explicit user consent for their installation, but not direct consent for the bundled programs that are also installed.

SecurityWeek recounts that, overall, India (25.3 million infections) and Brazil (24.1 million) were the largest geographic areas hit by Fireball. They were followed by Mexico (16.1 million) and Indonesia (13.1 million). In the United States, 5.5 million machines were found to be infected.

This is not just a consumer issue. According to Check Point, 20 percent of all corporate networks have been affected. Hit rates have reached as high as 60 percent in Indonesia, 43 percent in India and 38 percent in Brazil. The U.S. and China stand at 10.7 percent and 4.7 percent, respectively.

Fireball’s Tricks

Two of the tricks that Fireball uses are altering the default home page and hijacking the browser’s default search engine by directing the browser to one of its fake search engines. It collects information about its victims using tracking pixels that are part of the fake search engines.

Rafotech claims to have 300 million users worldwide but denies that it uses these fake search engines. Security researchers dispute this claim, noting that Rafotech may have also purchased additional distribution means from other threat actors.

The Fireball malware does not conform to usual characteristics of bundled software. Check Point asserts, “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user and they conceal their true nature.” Furthermore, Fireball “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multilayer structure and a flexible C&C.”

Fortunately, the Check Point blog contains instructions on how to remove the malware from both Windows and Mac systems. It would seem prudent to block possible infections directly and to sanitize any affected system.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today