Saturday 3 June 2017

Fireball Malware: Infects More than 250 Million Computers

China has long been known as a country that harbours hackers and virus makers. Traditionally these were individual users and bot farms that created malware to hack systems worldwide. It now turns out that a Chinese digital advertising agency has joined the fray by creating a virus called “Fireball”. This malware is an adware package that takes complete control of victims' web browsers and turns them into zombies, potentially allowing attackers to spy on victims' web traffic, steal their data and execute arbitrary malicious code on the infected machines. This creates a massive security flaw in the targeted machines and networks.

A Beijing-based digital advertising company called Rafotech recently created this malware to generate profits for their own company. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information.

Fig 1. Rafotech's Advertisement on the Company's Official Website

Therefore, to maximize their ad revenues, Rafotech created this Fireball virus which is estimated to have infected over 250 million computers worldwide already. As the company uses digital certificates for this Fireball virus, it has managed to evade blocking and detection techniques employed by websites and security programs. 

The threat from the Fireball malware is even greater, as this bug can access your personal information, passwords, and even credit card data. While it seems that Rafotech has used it only for fake ad clicks so far, there is no guarantee that the company will not try to harvest your personal information and use it for profit.

Key Findings:

  • A high-volume Chinese threat operation which has infected over 250 million computers worldwide and 20% of corporate networks.
  • Fireball is capable of executing any code on the victim machines, resulting in a wide range of actions from stealing credentials to dropping additional malware.
  • Fireball is spread mostly via bundling, i.e. it is installed on victim machines alongside a wanted program, often without the user’s consent.
  • A Chinese digital marketing agency runs this operation.
  • Top infected countries are India (10.1%) and Brazil (9.6%).

According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

Fig 2. Fireball Global Infection Rates (darker pink = more infections)


Execution Flow:

Fireball acts as a browser hijacker, but it can be transformed into a fully working malware downloader at any time. It controls the user’s browser and diverts it to fake web search engines. These fake search engines carry tracking pixels which gather users' sensitive information.

Fig 3. Fireball Infection Flow

Am I Infected?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. Also cross-check the number of browser add-ons you have installed; if nothing has changed, you are not infected with the adware. You can also use a recommended adware scanner, just to be extra cautious.
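One way to turn the questions above into a check that can be repeated across many machines, as an added example that is not part of the original post: the script below parses a Chrome profile's Preferences JSON (assumed keys: homepage, session.startup_urls, default_search_provider_data.template_url_data and extensions.settings, which is the layout on macOS/Linux; on Windows the extension list lives in "Secure Preferences") and flags any home page, start-up page, default search engine or extension that is not on a user-maintained allowlist. The sample profile, the allowlists and the domain search.example-hijack.invalid are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed allowlist: domains the user recognises for home page, start-up pages and search.
TRUSTED_DOMAINS = {"google.com", "www.google.com", "duckduckgo.com", "www.bing.com"}
# Constructed allowlist: extension IDs the user remembers installing.
KNOWN_EXTENSIONS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def domain_of(url):
    """Lower-cased hostname of a URL ('' when it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def audit_chrome_preferences(prefs):
    """Return a list of hijack indicators found in a parsed Chrome Preferences dict.

    Assumed JSON layout: homepage, session.startup_urls,
    default_search_provider_data.template_url_data.url, extensions.settings.
    """
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage and domain_of(homepage) not in TRUSTED_DOMAINS:
        findings.append(f"home page points to {domain_of(homepage)}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if domain_of(url) not in TRUSTED_DOMAINS:
            findings.append(f"start-up page points to {domain_of(url)}")
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if dsp.get("url") and domain_of(dsp["url"]) not in TRUSTED_DOMAINS:
        findings.append(f"default search engine '{dsp.get('short_name')}' sends queries to {domain_of(dsp['url'])}")
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id not in KNOWN_EXTENSIONS:
            name = ext.get("manifest", {}).get("name", "<unknown>")
            findings.append(f"unrecognised extension {ext_id} ({name})")
    return findings


# Constructed sample of a hijacked profile: redirected home page, start-up page and search engine,
# plus one extension the user never installed.
SAMPLE_PREFS = json.loads("""{
  "homepage": "http://search.example-hijack.invalid/?src=home",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["http://search.example-hijack.invalid/", "https://www.google.com/"]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Fast Search", "url": "http://search.example-hijack.invalid/s?q={searchTerms}"}},
  "extensions": {"settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest": {"name": "Password manager"}},
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest": {"name": "Search Helper"}}}}
}""")

if __name__ == "__main__":
    # Pass the path of a real Preferences file to audit it; otherwise the constructed sample is used.
    prefs = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_PREFS
    for finding in audit_chrome_preferences(prefs) or ["no hijack indicators found"]:
        print(finding)
```

A clean profile yields an empty list; anything reported should be compared against the manual checklist above before you start removing settings.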

If I am infected, how do I remove it?

The primary way to prevent such infections is to be very careful about what you agree to install. Always pay attention when installing software, as installers usually include optional bundled installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

To remove almost any adware, follow these simple steps:

  • Uninstall the adware:
      On Windows: remove the application from the Programs and Features list in the Windows Control Panel.
      On Mac OS:
      1. Use the Finder to locate the application in the Applications folder.
      2. Drag the suspicious file to the Trash.
      3. Empty the Trash.
  • Scan and clean your machine, using:
      1. Anti-malware software
      2. Adware cleaner software
  • Remove malicious add-ons, extensions or plug-ins from your browser:
      On Google Chrome:
      1. Click the Chrome menu icon and select Tools > Extensions.
      2. Locate and select any suspicious add-ons.
      3. Click the trash can icon to delete them.
      On Internet Explorer:
      1. Click the Settings icon and select Manage Add-ons.
      2. Locate and remove any malicious add-ons.
      On Mozilla Firefox:
      1. Click the Firefox menu icon and go to the Tools tab.
      2. Select Add-ons > Extensions. A new window opens.
      3. Remove any suspicious add-ons.
      4. Go to the Add-ons manager > Plugins.
      5. Locate and disable any malicious plugins.
      On Safari:
      1. Make sure the browser is active.
      2. Click the Safari tab and select Preferences. A new window opens.
      3. Select the Extensions tab.
      4. Locate and uninstall any suspicious extensions.
  • Restore your internet browser to its default settings:
      On Google Chrome:
      1. Click the Chrome menu icon and select Settings.
      2. In the On start-up section, click Set Pages.
      3. Delete the malicious pages from the Start-up pages list.
      4. Find the Show Home button option and select Change.
      5. In the Open this page field, delete the malicious search engine page.
      6. In the Search section, select Manage search engines.
      7. Select the malicious search engine page and remove it from the list.
      On Internet Explorer:
      1. Select the Tools tab and then select Internet Options. A new window opens.
      2. In the Advanced tab, select Reset.
      3. Check the Delete personal settings box.
      4. Click the Reset button.
      On Mozilla Firefox:
      1. Enable the browser Menu Bar by clicking the blank space near the page tabs.
      2. Click the Help tab and go to Troubleshooting Information. A new window opens.
      3. Select Reset Firefox.
      On Safari:
      1. Select the Safari tab and then select Preferences. A new window opens.
      2. In the Privacy tab, click the Manage Website Data… button. A new window opens.
      3. Click the Remove All button.

We would also advise users to refrain from clicking on unknown links, websites, and advertisements in order to prevent their systems from being affected by Fireball and other similar malware.

As hackers get increasingly creative, the only way to defend against them is through greater cyber-security awareness and knowledge. As a user, it is important that you stay vigilant and ensure that you never click on unknown websites that don’t look genuine or install apps that seem to be made by smaller or unknown Chinese developers.
