June 26, 2017 By Douglas Bonderud 2 min read

Another day, another strain of malware. This time, it’s called Fireball.

Researchers from Check Point Software discovered that more than 250 million Windows computers worldwide were infected, SecurityWeek reported. According to the company’s blog, Fireball malware is like “a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do so much more.”

As noted by the International Business Times, Microsoft disputed the infection numbers. It claimed that the malware never passed the 5 million mark, according to the software giant’s internal metrics. So who’s right and who’s wrong? More importantly, does it matter for enterprise IT security?

Fanning the Flame of Fireball Malware

Both Check Point and Microsoft agreed that the malware originated from a Chinese digital marketing agency called Rafotech, which uses the code to infect machines, hijack browsers and steal personal information. The company’s fake search engines rank among the world’s top 10,000 websites and occasionally break the top 1,000. It claims to have around 300 million users worldwide, which is suspiciously close to the 250 million infections reported by Check Point.

Using legitimate-seeming digital certificates, Rafotech managed to bundle Fireball with both its own products and other freeware. However, it ensured that both its fake search engines and the malware itself didn’t carry any identifying marks.

For the moment, Fireball installs plugins and additional configurations to boost advertisements. It also uses tracking pixels to collect personal data and redirect search queries.

Check Point noted, however, that the program can also run arbitrary code, download applications and harvest more sensitive information, such as banking and medical details. Since Fireball “displays great sophistication and quality evasion techniques” such as antidetection functions, multilayer structure and a flexible command-and-control (C&C), it’s only a matter of time before this threat grows from an inconvenient issue into a big problem. Even if Rafotech never uses it this way, cybercriminals could deconstruct and leverage the source code as the basis for new infections.

A Heated Dispute

According to Ars Technica, Microsoft has been tracking the malware since 2015 and offered a different take on the number of infected users. Basing its results on Fireball infections cleaned by both Windows Defender and the Malicious Software Removal Tool, the total came in around 40 million.

Microsoft argued that while the threat of Fireball is real, the extent of its reach “might have been overblown.” The software giant pointed to Check Point’s data collection methods, claiming that since the researchers used the number of visits to malware-carrying search pages and not endpoint device data itself, there’s no way to know if every machine that stopped by was actually infected.

A Lake of Fire

Microsoft stated that neither the Edge browser nor Windows 10 S are vulnerable to this type of malware. And while the company’s data might be more accurate, the dust up doesn’t showcase any disagreement on the method of infection or the potential destructive force of Fireball.

Think of it like this: For Check Point, this new malware strain is like a bonfire, burning bright across continents and computers. For Microsoft, it’s a lit match — it stings if it burns, but quickly goes out. The problem is that both flames are lit above a lake of gasoline. Big or small, the result is devastating if they go over the edge.

The Fireball malware may have infected 250 million devices, or maybe it was more like 40 million. But cold, hard numbers aside, there’s real potential here for users to get burned.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today