A browser-hijacker called Fireball has ignited concern, having already infected more than 250 million computers worldwide, and 20% of corporate networks globally.
According to Check Point, it takes over target web browsers, turning them into zombies. However, Fireball also can be turned into a fully functioning malware downloader, and is capable of executing any code on the victim machines. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.
For now, it seems focused on adware. Fireball manipulates victims’ browsers and turns their default search engines and home pages into fake search engines, which simply redirect the queries to either yahoo.com or Google.com to generate ad revenue. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.
Fireball also installs plug-ins and additional configurations to boost its advertisement activity.
“It’s run by a Chinese digital marketing agency, called Rafotech,” Check Point noted in an analysis. “Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.”
Fireball is spread mostly via bundling, i.e., it’s installed on victims’ machines alongside a program the user wants to download, but without the users’ consent.
In addition to the ad fraud aspect of things and the malware-downloading capability, Fireball contains another threat: The fake search engines include tracking pixels used to collect the users’ private information, so Fireball can also spy on victims.
Fireball has turned out to be virulent, with an enormous infection rate. The biggest proportion of infections are in India, Brazil and Mexico, and there are more than 5.5 million in the US. Based on Check Point’s global sensors, the percentages of affected corporate networks are even higher: Hit rates in the US (10.7%) and China (4.7%) are alarming, and even more so in Indonesia (60%), India (43%) and Brazil (38%).
The good news is that Fireball can be removed from PCs by uninstalling the adware using Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.