Malware News Fireball Malware Infects 20% of Corporate Networks Worldwide

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
A browser-hijacker called Fireball has ignited concern, having already infected more than 250 million computers worldwide, and 20% of corporate networks globally.

According to Check Point, it takes over target web browsers, turning them into zombies. However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Fireball also installs plug-ins and additional configurations to boost its advertisement activity.

“It’s run by a Chinese digital marketing agency, called Rafotech,” Check Point noted in an analysis. “Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.”

Fireball is spread mostly via bundling, i.e., it’s installed on victims’ machines alongside a program the user wants to download, but without the users’ consent.

In addition to the ad fraud aspect of things and the malware-downloading capability, Fireball contains another threat: The fake search engines include tracking pixels used to collect the users’ private information, so Fireball can also spy on victims.

Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US. Based on Check Point’s global sensors, the percentages of affected corporate networks are even higher: Hit rates in the US (10.7%) and China (4.7%) are alarming, and even more so in Indonesia (60%), India (43%) and Brazil (38%).

The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
Fireball is spread mostly via bundling, i.e., it’s installed on victims’ machines alongside a program the user wants to download, but without the users’ consent.

So, basically if an employee doesn't download whatever he/she wants then the network won't get infected. Lockdown the computer.
 

HarborFront

Level 72
Verified
Top Poster
Content Creator
Oct 9, 2016
6,140
Last edited:

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
You can use the following on-demand adware removal software like

AdwCleaner
ZHPCleaner
Ultra Adware Killer
RogueKiller

....after you get infected.

But is there any real-time software to prevent browser hijack, plug-ins etc.

I wonder whether Unchecky can handle this?

More details of Fireball here

FIREBALL - The Chinese Malware of 250 Million Computers Infected | Check Point Blog
How about Zemana? ;)
If at all it fails in realtime to detect and block this installation, it's periodic scanning/startup scanning should be able to detect such rogueware/adware/Hijacking infections, though a bit later.
Zemana detects such elements straight as hijacking or PUP or PUAs, that most AVs do not report purposefully.
Unchecky won't help if it doesn't find the checkbox elements. Here it seems that the carrier apps don't show a hint/ask for installing the adware as a bundle, hence. If it does have the hint, Unchecky should work.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top