Chinese ‘Fireball’ malware infects 250 million systems worldwide

A malware campaign that’s infected 250 million computer systems worldwide was discovered earlier this month. Labelled ‘Fireball’ by the researchers at Check Point who identified it, the malware works on behalf of Beijing-based digital marketing firm Rafotech to manipulate infected users’ web traffic to generate ad revenue.

However, Check Point warns that the malware is potentially a lot more harmful, having the ability to run code on the victim’s machine or download malicious files.

Not considered a crime

Although Check Point believes the main aim of Rafotech’s campaign is to generate ad revenue, Fireball’s capabilities mean that it is arguably more than adware. It’s spread via ‘bundling’: it is installed silently alongside a program the user actually chose to download, and it continues to hide its presence once installed. It then hijacks the browser, replacing the user’s default search engine with a look-alike of Google or Yahoo; when the user searches on the fake page, the query is forwarded to the genuine site’s search results, so the hijack is easy to miss.

Fireball can also spy on its victims, drop additional malware onto the machine, and execute arbitrary code on the infected system.

According to Check Point, the Rafotech products that Fireball is bundled with include Soso Desktop, Deal Wifi, Mustang Browser, and FVP Imageviewer, none of which is widely used or even recognizable to most people outside Asia, as Maya Horowitz, head of Check Point’s research team, told Wired. She admitted that her team is unsure whether the malware is also installed via other common techniques, such as phishing or exploit kits.

Regardless, as the researchers told The Register, they don’t approve of Rafotech’s business practices:

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.

Fortunately, as The Register reports, removing the malware is fairly straightforward: “Fireball can be removed from PCs by uninstalling the adware using the Programs and Features list in the Windows Control Panel, or using Mac Finder function in the Applications folder on Macs.”

Additionally, Check Point advises users to “remove malicious add-ons, extensions or plug-ins from [their] browsers.”
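The two removal steps above (uninstall the bundled product, then remove unwanted browser extensions and reset the search engine) can be turned into a quick triage check for a Windows host. The script below is an added example written for this page, not code from Check Point, The Register, or Rafotech. It uses only the product names the article gives; the allowlist of search hosts, the Chrome profile path and the Preferences JSON key layout (default_search_provider_data.template_url_data and extensions.settings) are assumptions about current Chrome builds that you should verify against your own installation. It does not cover the Mac removal step.

```powershell
# Added example (not from the article or from Check Point's research).
# Triage a Windows host for (a) the Rafotech products named above, as they would appear in
# Programs and Features, and (b) Chrome profiles whose default search engine or extensions
# look hijacked. Run from an elevated prompt; review findings before removing anything.

$BundledProductNames = @('Soso Desktop', 'Deal Wifi', 'Mustang Browser', 'FVP Imageviewer')

# Assumption: search hosts your organisation treats as legitimate. Extend to suit.
$AllowedSearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com', 'duckduckgo.com')

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Kind, $Detail, $Location) {
    $Findings.Add([PSCustomObject]@{ Kind = $Kind; Detail = $Detail; Location = $Location })
}

# (a) Programs and Features is a view over these Uninstall keys: 64-bit, 32-bit and
#     per-user (HKCU only covers the account running the script).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $app = $_
        foreach ($name in $BundledProductNames) {
            if ($app.DisplayName -like "*$name*") {
                # UninstallString is the command Programs and Features runs on "Uninstall".
                Add-Finding 'Bundled product installed' $app.DisplayName $app.UninstallString
            }
        }
    }

# (b) Chrome keeps per-profile settings in a JSON file named Preferences.
#     Assumed layout: default_search_provider_data.template_url_data.{short_name,url} and
#     extensions.settings.<id>.manifest.name. If the search key is absent, the profile is
#     still on Chrome's built-in default. Some builds also record extensions in
#     "Secure Preferences", which this check does not read.
$ProfileRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
Get-ChildItem -Path $ProfileRoot -Filter Preferences -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $profileName = $_.Directory.Name
        $prefs = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json

        $searchData = $prefs.default_search_provider_data.template_url_data
        if ($searchData -and $searchData.url) {
            $uri = $null
            # Google's own template begins with "{google:baseURL}", which is not a parsable
            # absolute URI, so TryCreate fails and it is (correctly) not flagged.
            if ([Uri]::TryCreate($searchData.url, [UriKind]::Absolute, [ref]$uri) -and
                $AllowedSearchHosts -notcontains $uri.Host) {
                Add-Finding 'Default search engine not on allowlist' `
                    "$($searchData.short_name) -> $($uri.Host)" "Chrome profile '$profileName'"
            }
        }

        # List every extension so unrecognised ones can be removed, as Check Point advises.
        # Names of the form __MSG_xxx__ are localisation keys; look them up in the extension's folder.
        foreach ($ext in $prefs.extensions.settings.PSObject.Properties) {
            $manifest = $ext.Value.manifest
            if ($manifest -and $manifest.name) {
                Add-Finding 'Browser extension (review; remove if unrecognised)' `
                    "$($manifest.name) [$($ext.Name)]" "Chrome profile '$profileName'"
            }
        }
    }

$Findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

A host with no findings in the first category and only familiar extensions is not proven clean, since the article notes Check Point is unsure of every distribution route; treat the output as a starting point for a manual check of the search settings in each browser, not as a verdict.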

Protect yourself

Bundling is only one of the routes by which unwanted software reaches a system; you are far more likely to be targeted by malware or a cyber attack through phishing. According to Verizon’s 2017 Data Breach Investigations Report, phishing was present in 21% of all cyber attacks last year.

If you’re an employer concerned about your organization’s ability to defend against phishing attacks, you should take a look at IT Governance’s Phishing Staff Awareness course. It explains what phishing is, how it works, and how you can identify and respond to a phishing scam.

Find out more about our Phishing Staff Awareness course >>