Beware the Flames: Fireball Is Much More Than Just Adware


The browser-hijacker called Fireball should be known as malware, not adware, according to Cylance.

The code first ignited concern in June, when Check Point reported that it had infected more than 250 million computers worldwide and was present on 20% of corporate networks globally. According to Check Point's analysis at the time, Fireball takes over the victim's web browser, turning it into a zombie, and its most visible purpose is ad fraud: it replaces the browser's default search engine and home page with fake search engines that simply forward queries to yahoo.com or google.com to generate ad revenue. According to Alexa's web traffic data, 14 of these fake search engines rank among the top 10,000 websites, and some occasionally reach the top 1,000. Fireball also installs plug-ins and additional configuration to boost its advertising activity.

However, according to Cylance, its behavior is closer to that of malware than to that of a merely annoying click-fraud generator.

For one, the installation of the browser hijacker is effectively silent to the typical user. Installing itself without the user's permission or any notification is clearly a malicious action, the firm pointed out in its analysis.

Second, getting rid of it is not a trivial process. “The standard user would likely have issues uninstalling any of these services, and would require a detailed guide,” Cylance said in a threat spotlight.

Further, Fireball performs the functions typical of a hijacker, changing the victim's home page and redirecting browser traffic to locations of the operator's choosing, features that can go well beyond typical adware. Many of the Fireball-based services also contain detailed logging capabilities for gathering information about the host.
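The hijack the article describes (home page, startup page and default search provider all pointed at a fake search site) leaves a footprint in the browser's own settings, which is what a practitioner would check first. The following is an added example, not code from the article, from Cylance or from Check Point: it audits a Chrome profile's Preferences JSON against an allowlist of search hosts and reports every setting that points elsewhere. The allowlist, the sample preferences (with an invented hostname) and the assumption that Chrome stores these values under the keys "homepage", "session.startup_urls" and "default_search_provider_data.template_url_data.url" are all mine, not the article's; verify the key names against a profile on your own machine before relying on them.

```python
"""Flag browser-hijacker style changes in a Chrome Preferences file.

Added example; not code from the original article or from Cylance/Check Point.
Assumptions (not from the article): the Chrome profile "Preferences" JSON
layout (keys "homepage", "session.startup_urls",
"default_search_provider_data.template_url_data.url"), the allowlist below,
and the sample preferences, which are constructed for this example.
"""
import json
from urllib.parse import urlparse

# Hosts we treat as legitimate search / start pages. Anything else set as
# homepage, startup URL or search provider is flagged. Example policy only;
# adjust for your organisation.
ALLOWED_HOSTS = {"www.google.com", "google.com", "www.bing.com", "bing.com",
                 "search.yahoo.com", "duckduckgo.com"}


def host_of(url):
    """Return the lowercase host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def is_allowed(url):
    """True if the URL's host is an allowlist entry or a subdomain of one."""
    h = host_of(url)
    return any(h == a or h.endswith("." + a) for a in ALLOWED_HOSTS)


def audit_prefs(prefs):
    """Return (setting, value) pairs that point outside the allowlist.

    prefs is the parsed Preferences JSON (a dict). Missing keys are skipped,
    so a profile that never set a homepage produces no finding for it.
    """
    findings = []
    homepage = prefs.get("homepage")
    if homepage and not is_allowed(homepage):
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if not is_allowed(url):
            findings.append(("session.startup_urls", url))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = tpl.get("url")
    if search_url and not is_allowed(search_url):
        findings.append(("default_search_provider_data.template_url_data.url", search_url))
    return findings


def audit_prefs_file(path):
    """Load a Preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as f:
        return audit_prefs(json.load(f))


# Constructed sample: a profile whose homepage, startup page and search
# provider have all been pointed at a fictional "search" site, the pattern
# the article describes. The hostname is invented for this example.
HIJACKED_PREFS = json.loads("""
{
  "homepage": "http://search.example-hijack.invalid/?src=hp",
  "homepage_is_newtabpage": false,
  "session": {"startup_urls": ["http://search.example-hijack.invalid/"]},
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "example-hijack",
      "url": "http://search.example-hijack.invalid/s?q={searchTerms}"
    }
  }
}
""")

# Constructed sample of an untouched profile, for comparison.
CLEAN_PREFS = {
    "homepage": "https://www.google.com/",
    "session": {"startup_urls": []},
    "default_search_provider_data": {
        "template_url_data": {"url": "https://www.google.com/search?q={searchTerms}"}
    },
}

if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        # Audit real Preferences files given on the command line.
        for p in sys.argv[1:]:
            for setting, value in audit_prefs_file(p):
                print(f"{p}: {setting} -> {value}")
    else:
        for name, prefs in (("hijacked", HIJACKED_PREFS), ("clean", CLEAN_PREFS)):
            print(name, audit_prefs(prefs))
```

The check deliberately looks at where the browser sends the query, not where the results come from: a Fireball-style fake search engine forwards to Google or Yahoo, so the results page looks normal while the provider URL in the profile does not. Run it with one or more paths to Preferences files to audit real profiles, or with no arguments to see it flag the constructed sample.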

Then there's the matter of Fireball's other functionality: it can also be turned into a fully functioning malware downloader and is capable of executing arbitrary code on victim machines, a capability that Check Point had identified in its original report. That means it can carry out a wide range of actions, including stealing credentials and loading ransomware.

So, Cylance warns, users should treat the code as something much worse than adware.

“A good first step is to ensure that your browser, OS and AV product of choice are up to date,” Cylance said. “But the best way to stay safe is to avoid downloading software from disreputable, third-party or otherwise sketchy websites. These sites often take legitimate software and bundle it with adware and programs like Fireball.”
