Another day, another strain of malware. This time, it’s called Fireball.

Researchers from Check Point Software discovered that more than 250 million Windows computers worldwide were infected, SecurityWeek reported. According to the company’s blog, Fireball malware is like “a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do so much more.”

As noted by the International Business Times, Microsoft disputed the infection numbers. It claimed that the malware never passed the 5 million mark, according to the software giant’s internal metrics. So who’s right and who’s wrong? More importantly, does it matter for enterprise IT security?

Fanning the Flame of Fireball Malware

Both Check Point and Microsoft agreed that the malware originated from a Chinese digital marketing agency called Rafotech, which uses the code to infect machines, hijack browsers and steal personal information. The company’s fake search engines rank among the world’s top 10,000 websites and occasionally break the top 1,000. It claims to have around 300 million users worldwide, which is suspiciously close to the 250 million infections reported by Check Point.

Using legitimate-seeming digital certificates, Rafotech managed to bundle Fireball with both its own products and other freeware. However, it ensured that both its fake search engines and the malware itself didn’t carry any identifying marks.

For the moment, Fireball installs plugins and additional configurations to boost advertisements. It also uses tracking pixels to collect personal data and redirect search queries.

Check Point noted, however, that the program can also run arbitrary code, download applications and harvest more sensitive information, such as banking and medical details. Since Fireball “displays great sophistication and quality evasion techniques” such as antidetection functions, multilayer structure and a flexible command-and-control (C&C), it’s only a matter of time before this threat grows from an inconvenient issue into a big problem. Even if Rafotech never uses it this way, cybercriminals could deconstruct and leverage the source code as the basis for new infections.

A Heated Dispute

According to Ars Technica, Microsoft has been tracking the malware since 2015 and offered a different take on the number of infected users. Basing its results on Fireball infections cleaned by both Windows Defender and the Malicious Software Removal Tool, the total came in around 40 million.

Microsoft argued that while the threat of Fireball is real, the extent of its reach “might have been overblown.” The software giant pointed to Check Point’s data collection methods, claiming that since the researchers used the number of visits to malware-carrying search pages and not endpoint device data itself, there’s no way to know if every machine that stopped by was actually infected.

A Lake of Fire

Microsoft stated that neither the Edge browser nor Windows 10 S are vulnerable to this type of malware. And while the company’s data might be more accurate, the dust up doesn’t showcase any disagreement on the method of infection or the potential destructive force of Fireball.

Think of it like this: For Check Point, this new malware strain is like a bonfire, burning bright across continents and computers. For Microsoft, it’s a lit match — it stings if it burns, but quickly goes out. The problem is that both flames are lit above a lake of gasoline. Big or small, the result is devastating if they go over the edge.

The Fireball malware may have infected 250 million devices, or maybe it was more like 40 million. But cold, hard numbers aside, there’s real potential here for users to get burned.

More from

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them. ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge. Understanding Attack Surface Management Here…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor…