June 26, 2017 By Douglas Bonderud 2 min read

Another day, another strain of malware. This time, it’s called Fireball.

Researchers from Check Point Software discovered that more than 250 million Windows computers worldwide were infected, SecurityWeek reported. According to the company’s blog, Fireball malware is like “a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do so much more.”

As noted by the International Business Times, Microsoft disputed the infection numbers. It claimed that the malware never passed the 5 million mark, according to the software giant’s internal metrics. So who’s right and who’s wrong? More importantly, does it matter for enterprise IT security?

Fanning the Flame of Fireball Malware

Both Check Point and Microsoft agreed that the malware originated from a Chinese digital marketing agency called Rafotech, which uses the code to infect machines, hijack browsers and steal personal information. The company’s fake search engines rank among the world’s top 10,000 websites and occasionally break the top 1,000. It claims to have around 300 million users worldwide, which is suspiciously close to the 250 million infections reported by Check Point.

Using legitimate-seeming digital certificates, Rafotech managed to bundle Fireball with both its own products and other freeware. However, it ensured that both its fake search engines and the malware itself didn’t carry any identifying marks.

For the moment, Fireball installs plugins and additional configurations to boost advertisements. It also uses tracking pixels to collect personal data and redirect search queries.

Check Point noted, however, that the program can also run arbitrary code, download applications and harvest more sensitive information, such as banking and medical details. Since Fireball “displays great sophistication and quality evasion techniques” such as antidetection functions, multilayer structure and a flexible command-and-control (C&C), it’s only a matter of time before this threat grows from an inconvenient issue into a big problem. Even if Rafotech never uses it this way, cybercriminals could deconstruct and leverage the source code as the basis for new infections.

A Heated Dispute

According to Ars Technica, Microsoft has been tracking the malware since 2015 and offered a different take on the number of infected users. Basing its results on Fireball infections cleaned by both Windows Defender and the Malicious Software Removal Tool, the total came in around 40 million.

Microsoft argued that while the threat of Fireball is real, the extent of its reach “might have been overblown.” The software giant pointed to Check Point’s data collection methods, claiming that since the researchers used the number of visits to malware-carrying search pages and not endpoint device data itself, there’s no way to know if every machine that stopped by was actually infected.

A Lake of Fire

Microsoft stated that neither the Edge browser nor Windows 10 S are vulnerable to this type of malware. And while the company’s data might be more accurate, the dust up doesn’t showcase any disagreement on the method of infection or the potential destructive force of Fireball.

Think of it like this: For Check Point, this new malware strain is like a bonfire, burning bright across continents and computers. For Microsoft, it’s a lit match — it stings if it burns, but quickly goes out. The problem is that both flames are lit above a lake of gasoline. Big or small, the result is devastating if they go over the edge.

The Fireball malware may have infected 250 million devices, or maybe it was more like 40 million. But cold, hard numbers aside, there’s real potential here for users to get burned.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today