Security experts say the malware, dubbed “Fireball,” is currently being used as a form of adware. Fireball hijacks web browsers in an effort to display ads that generate revenue for Rafotech, the Chinese digital marketing agency that is believed to have created it. But Fireball includes additional functionality that could potentially be used to wreak havoc across the globe.
How Fireball works
Security researchers believe Rafotech orchestrates the distribution of Fireball by bundling the malware with its popular programs, including Mustang Browser, Soso Desktop, Deal Wifi and FVP Imageviewer. Fireball has also been distributed through third-party freeware offerings and spam campaigns.
The threat has affected more than 250 million computers worldwide, including 25.3 million computers in India, 24.1 million in Brazil and 16.1 million in Mexico. The hardest hit systems are based in Indonesia and Brazil.
Fireball malware carries its own digital certificates, which give it an air of legitimacy. But it’s unclear how Fireball acquired the certificates. In reality, Fireball is far from legitimate, as Check Point’s Threat Intelligence Research Team, which discovered the threat, explains in a blog post:
“Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and homepages into fake search engines. This redirects the queries to either yahoo.com or Google.com,” the blog post reads. “The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines. This creates a massive security flaw in targeted machines and networks.”
Check Point said Fireball represents “possibly the largest infection operation in history” and warns that the software can potentially be used to distribute other forms of malware. Security software company Malwarebytes agrees.
“Fireball drops a botnet malware family on all the endpoints, turning [them] into the most powerful Distributed Denial Of Service weapon ever created,” Malwarebytes wrote in a blog post. “[This] could be used for taking down the web servers of critical infrastructure [providers], competitor websites, game servers, social media and even our unfortunately designed internet backbone (registrars and top level DNS servers). [That] could prevent many people from accessing their favorite websites.”
How to avoid getting burned
The best way to avoid an infection with Fireball is to avoid all Rafotech programs. If a computer becomes infected with Fireball, the best thing to do is download and run adware and malware removal tools.
It’s also a good idea to make sure all computer files are fully backed up to the cloud. That way, if Fireball is ever used to distribute malware that corrupts your files, you’ll easily be able to download clean copies from your cloud backup service.
For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.