Ad agency in Beijing responsible for malware that infected 250 million computers worldwide, researchers claim
Security experts at Check Point have warned about a nasty piece of Chinese malware that has infected at least 250 million computers worldwide.
Once the malware, dubbed ‘Fireball’, infects a computer (both Windows PCs and Apple Macs) it takes over the machine’s web browser and turns it into a zombie client.
And to make matters worse, Check Point says the malware has not been written by cybercriminals, but rather a large digital marketing agency based in Beijing called Rafotech.
Check Point revealed the existence of this Chinese malware in a blog posting. The researchers said that Fireball has two main functions: firstly, the ability to run any code on a victim's computer (downloading any file or malware, for example), and secondly, hijacking and manipulating infected users' web traffic to generate ad revenue.
“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” blogged the researchers.
Check Point said that digital marketing agency Rafotech is responsible, and it uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines.
“This redirects the queries to either yahoo.com or Google.com,” wrote Check Point. “The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks.”
And IT admins around the world should be worried it seems, as Check Point analysts found that the malware has infected over 250 million computers worldwide, and 20 percent of corporate networks.
Most of the infections are in India (10.1 percent or 25.3 million); Brazil (9.6 percent or 24.1 million); Mexico (6.4 percent or 16.1 million).
The United States has witnessed 5.5 million infections (2.2 percent).
The way Fireball is spread is via bundling alongside other free Rafotech products such as Deal Wifi and Mustang Browser. This means it is installed on victim machines alongside a wanted program, often without the user’s consent.
Check Point was able to determine the ‘incredibly high infection rate’ of Fireball thanks to the popularity of Rafotech’s fake search engines. It said that according to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.
Edge Of Legitimacy
Check Point says that Rafotech’s Fireball is a hybrid piece of malware and the firm is walking along the edge of legitimacy, as its product is half seemingly legitimate software and half malware.
“Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines,” warned Check Point. “These actions can have serious consequences.”
“These browser-hijackers are capable on the browser level,” it warned. “This means that they can drive victims to malicious sites, spy on them and conduct successful malware dropping.”
Check Point said that Fireball is highly sophisticated and utilises "quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C."
The researchers advised firms to check whether a web browser's home page was set by the user, whether the user can still modify it, and whether any unwanted browser extensions have been installed.
They recommend the use of adware scanners as well.
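The checks above can be turned into a repeatable audit. The following script is an added example, not code from Check Point or from the article: it reads the JSON `Preferences` file that Chrome and Chromium keep in each user profile and flags the three browser-hijacker symptoms the researchers name (a home page or startup URL pointing at an unapproved host, a default search provider that is not on the approved list, and extensions that were sideloaded rather than installed from the web store). The allowlists, the preference keys used, and the sample `Preferences` content are assumptions constructed for the demonstration; the hosts and extension ids in the sample are invented.

```python
"""Audit a Chrome/Chromium 'Preferences' JSON file for browser-hijacker symptoms.

Added example for this article; assumes the Preferences layout below
(homepage, session.startup_urls, default_search_provider_data.template_url_data,
extensions.settings) and uses invented allowlists.
"""
import json
from urllib.parse import urlparse

# Hypothetical corporate allowlists (assumption, not taken from the article).
ALLOWED_HOME_HOSTS = {"intranet.example.com", "www.google.com"}
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Extension ids approved by the organisation (constructed 32-character ids).
ALLOWED_EXTENSION_IDS = {"aaaabbbbccccddddeeeeffffgggghhhh"}


def _host(url):
    """Return the hostname of a URL, or '' when it cannot be parsed."""
    return urlparse(url).hostname or ""


def audit_preferences(prefs):
    """Return a list of (severity, finding) tuples for a parsed Preferences dict."""
    findings = []

    # 1. Home page and startup URLs: a hijacker rewrites these to its own search site.
    home = prefs.get("homepage", "")
    if home and _host(home) not in ALLOWED_HOME_HOSTS:
        findings.append(("high", f"home page points to unapproved host: {_host(home)}"))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if _host(url) not in ALLOWED_HOME_HOSTS:
            findings.append(("medium", f"startup URL to unapproved host: {_host(url)}"))

    # 2. Default search provider: fake search engines are the monetisation channel.
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = dsp.get("url", "")
    if search_url and _host(search_url) not in ALLOWED_SEARCH_HOSTS:
        name = dsp.get("short_name", "?")
        findings.append(("high", f"default search provider is unapproved: {name} ({_host(search_url)})"))

    # 3. Extensions: anything not approved is reported; sideloaded ones rank higher.
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        if ext_id in ALLOWED_EXTENSION_IDS:
            continue
        name = ext.get("manifest", {}).get("name", "?")
        if ext.get("from_webstore", False):
            findings.append(("low", f"unreviewed web store extension: {name} ({ext_id})"))
        else:
            findings.append(("high", f"sideloaded extension: {name} ({ext_id})"))
    return findings


def load_preferences(path):
    """Parse a Preferences file from disk (e.g. <profile>/Default/Preferences)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample resembling a hijacked profile; hosts and ids are invented.
SAMPLE_PREFS = {
    "homepage": "http://search.hijacked-example.invalid/?src=home",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://search.hijacked-example.invalid/"]},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "hijacked-example.invalid",
        "url": "http://search.hijacked-example.invalid/?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {"from_webstore": True,
                                             "manifest": {"name": "Approved Blocker"}},
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"from_webstore": False,
                                             "manifest": {"name": "Deal Helper"}}}},
}

if __name__ == "__main__":
    for severity, text in audit_preferences(SAMPLE_PREFS):
        print(f"[{severity}] {text}")
```

Run against a real profile with `audit_preferences(load_preferences(path))`; on Windows the file normally sits under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences`, on macOS under `~/Library/Application Support/Google/Chrome/Default/Preferences`. An empty findings list means the profile matches the allowlists; a "high" finding on the home page or search provider is the signature the article describes and warrants a look at the wider machine, not just the browser.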
It seems that the online world is awash with malware at the moment. Matters are not helped when legitimate firms also inadvertently spread malware.
IBM for example last month accidentally sent USB memory sticks containing malware to some customers that ordered its flash storage products.