Fireball & the explosive malware heard around the world

When is adware not just adware? When it’s also malware, of course!

Fireball, a new threat out of China, created by marketing firm Rafotech, is just one such example of a threat that is one part adware and one part malware. Together, these two parts pack quite a wallop, one which has infected over 250 million computer users in the last month alone.

Fireball, discovered by security firm Check Point, is making its way onto systems via software bundling. Bundling is what happens when unwanted software is pushed to users via downloads of wanted software. Using some legal loopholes and a lot of fancy footwork, these distributors manage to stay just on the right side of the law. The thing is that the wares they pedal are typically unwanted by the recipient, hence their name around the industry is a “Potentially Unwanted Program”, or PUP for short.

PUPs can range from relatively benign programs to annoying ad distribution software to truly destructive malware. In Fireball, researchers have noted the delivery of both annoying the adware as well as the more dangerous malware. Researchers have been able to pinpoint some of the programs that Fireball came with, including Soso Desktop and FVP Image viewer, which are relatively common programs in China. But since a very significant number of infections have been found on non-Chinese computers that likely have not come into contact with these Chinese programs, it’s hard to pinpoint just how these machines became infected. At the moment, researchers are placing their bets on elaborate phishing scams or on a yet-discovered stealthy exploit.

What Fireball Does

In its current format, Fireball is a browser hijacker that has the ability to switch the unlucky victim’s home page to a rogue one that will then direct the user to certain websites and search engines. These websites are filled with ads that make money for Rafotech each time a user clicks one of them. What’s more, the search engines place tracking pixels on the user’s browser to collect information, which essentially spies on them.

The most disturbing part? According to Check Point, Fireball is capable of executing any code on any machine once it has infiltrated. This means that while Fireball may not be doing anything malicious at the moment, it has the ability to switch gears on a dime and begin executing highly dangerous code.

At the moment Fireball is most prevalent in India, with 25 million infected machines, 24 million infected machines in Brazil and 61 million hits in Mexico. It has infiltrated enterprise machines as well as personal computers and seems to still be spreading.

Adware Gone Rogue

This isn’t the first time adware has walked that thin line between annoying and evil, only to wind up on the evil side. Last year’s Faster Internet and 2015’s Vonteera proved that a trojanized piece of adware can do plenty of harm. Faster Internet may have started out life as a mere tool for ad distribution, but eventually, it began taking snapshots of users’ computers and phoned that information home to unknown parties. Vonteera had been around for quite a while before it began disabling legitimate antimalware products so that it could do its dirty work uninterrupted.

As bad as these variants were, they didn’t have nearly the strength that Fireball has. Having reached over a quarter of a billion computers in a matter of days (that’s one out of every five computers; good luck trying to wrap your head around that one), coupled with the fact that it can basically do anything it darn well pleases once on a machine, Fireball makes most other exploits look childish in comparison.

So how will you know if you have been hit with Fireball? If you’re in India, Brazil or Mexico, there is a pretty significant chance that you may already be compromised. Otherwise, it seems like the odds are on your side. Either way, the signs of infection to watch for are the same:

• Your homepage has been changed to a different one without your consent or knowledge
• You are forced into using a different search than you normally do and it can not be overridden in your settings
• You have new browser extensions that you didn’t install

If any of these sound familiar, there is a decent chance that Fireball is the culprit.
Removal of Fireball is similar to any other threat, with the notable difference that the program conceals itself very well, which may make it difficult to locate. To get rid of it for good, run a scan with a malware scanner like RAV Endpoint Protection which will locate it and remove the threat.

The most effective ways to keep things like Fireball and other exploits from infiltrating?

• Be incredibly careful when downloading software
• Stay away from freeware as much as possible
• When you do install new software, read each frame of the installer as it runs to ensure you understand what’s taking place on your machine
• Make sure to choose the “custom install” option when installing new programs. The “express install” option can fill your computer with tons of PUPs.

Aside, the Unchecky feature that’s built-in to RCS prevents unwanted software from being installed to keep you even more secure. Fireball isn’t your typical attack and quite honestly, that in and of itself should be discomforting. Attackers are experts at changing their game on a dime and Fireball represents the kind of ingenuity today’s hackers are using to get what they want – i.e. your, and the rest of the world’s, data.