Chinese ‘Fireball’ malware infects 250 million
Fri 2 Jun 2017
Researchers have discovered a new type of malware that has infected over 250 million computers globally. The malware, dubbed ‘Fireball’, turns web browsers into zombies, manipulated for the purpose of generating advertising revenue.
Analysts at CheckPoint Security found the malware had spread to 250 million machines worldwide, infecting 20% of corporate networks. Fireball is apparently distributed by bundling it with other applications, so that users download it unknowingly alongside the software they actually wanted.
Once installed, Fireball acts as a browser hijacker. A user’s default search engines and home pages are replaced with fake sites, which can track and collect private information.
While Fireball currently appears to be used exclusively to install plug-ins and configurations that boost advertisements, researchers believe that it could easily be weaponized to spy on victims, execute malicious code, or drop additional malware onto infected machines.
CheckPoint notes that although Fireball may look like an ordinary browser hijacker, it is technically sophisticated at evading detection, using a multi-layer structure and flexible command and control (C&C).
Fireball originated at Rafotech, a digital marketing agency based in Beijing. The researchers suspect that it is delivered when bundled with other Rafotech products, including Deal Wifi and Mustang Browser. It may also be bundled by other freeware distributors, and judging by how widespread the infection is, it could be distributed by other means as well, including spam, freeware distributed under fake names, or even installs purchased from threat actors.
The fact that Fireball spread to such a large number of machines is in itself alarming. India has the highest number of infected machines at 25.3 million, followed by 24.1 million in Brazil. Mexico is third, with 16.1 million infected computers. Indonesia, India and Brazil top the list of countries whose corporate networks have been hit with Fireball, with 60% of Indonesian corporations infected.
According to Alexa, 14 of the fake search engines installed using Fireball are among the top 10,000 websites in use worldwide, and some even break into the top 1,000 – another alarming indicator of just how widespread the Fireball infection is.
Maya Horowitz, threat intelligence group manager at CheckPoint, noted that while Fireball’s browser-hijacker function may appear innocuous, the malware could represent a real danger to systems worldwide.
“Someday all these machines could get the command to do something,” she said, comparing the Fireball infection to last year’s Mirai botnet DDoS attack. “Any risk you can think of; any code can run on these machines.”