Earlier this month, our partner company, Check Point, announced the identification of a new high-volume threat operation taking over target browsers and turning them into zombies. Check Point claims the Chinese malware Fireball has affected up to 250 million computers around the globe, though Microsoft now estimates the figure may be closer to 40 million. Regardless, this browser hijacker may have also impacted up to 20% of corporate networks and therefore is a major concern for employers worldwide.

Fireball works by hijacking the browser of an infected computer so that it uses a fake search engine and a different homepage. The fake search engines include tracking pixels used to capture users’ private data, which could be personal or professional in nature. Check Point and Microsoft agree that the infection spreads easily because it is bundled with programs users deliberately install, including media and various apps that may be of “dubious origin.” Once the initial infection has taken place, the malware uses anti-detection and command-and-control techniques typical of malware to download all kinds of other software.
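The hijack described above changes settings that a defender can audit. The following script is an added example written for this post, not code from Check Point, Microsoft or the article: it compares a browser profile's homepage, startup URLs and default search provider against an allowlist of approved hosts and reports anything outside it. The preference keys are modelled on the layout of Chromium's per-profile "Preferences" JSON file, which is an assumption to verify against the browser build you audit; the allowlist and both sample profiles are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Hosts the organisation has approved as homepage / default search provider.
# Constructed allowlist for this example; a real deployment maintains its own.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Preference keys checked. Modelled on Chromium's "Preferences" JSON layout
# (an assumption of this example, not documented on the page).
HOMEPAGE_KEY = "homepage"
STARTUP_PATH = ("session", "startup_urls")
SEARCH_PATH = ("default_search_provider_data", "template_url_data")


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def dig(prefs: dict, path: tuple):
    """Walk nested dict keys, returning None if any level is missing."""
    node = prefs
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_preferences(prefs: dict) -> list:
    """Flag homepage, startup URLs and default search provider that point
    outside the allowlist. Returns a list of human-readable findings."""
    findings = []

    homepage = prefs.get(HOMEPAGE_KEY)
    if isinstance(homepage, str) and host_of(homepage) not in ALLOWED_HOSTS:
        findings.append(f"homepage set to unapproved host {host_of(homepage)!r}")

    for url in dig(prefs, STARTUP_PATH) or []:
        if host_of(url) not in ALLOWED_HOSTS:
            findings.append(f"startup URL points to unapproved host {host_of(url)!r}")

    search = dig(prefs, SEARCH_PATH) or {}
    search_url = search.get("url", "")
    if search_url and host_of(search_url) not in ALLOWED_HOSTS:
        findings.append(
            f"default search provider {search.get('short_name', '?')!r} uses "
            f"unapproved host {host_of(search_url)!r}"
        )
    return findings


def audit_file(path: str) -> list:
    """Load a Preferences JSON file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed sample profiles (not real captures). The hijacked one shows the
# effect the article describes: homepage and default search redirected to an
# operator-controlled site (placeholder host on the reserved .invalid TLD).
CLEAN_PROFILE = {
    "homepage": "https://www.google.com/",
    "session": {"startup_urls": ["https://www.google.com/"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Google",
            "url": "https://www.google.com/search?q={searchTerms}",
        }
    },
}

HIJACKED_PROFILE = {
    "homepage": "http://search.fake-engine.invalid/",
    "session": {"startup_urls": ["http://search.fake-engine.invalid/?src=bundle"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Search",
            "url": "http://search.fake-engine.invalid/?q={searchTerms}",
        }
    },
}

if __name__ == "__main__":
    for name, profile in (("clean", CLEAN_PROFILE), ("hijacked", HIJACKED_PROFILE)):
        findings = audit_preferences(profile)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it over a copy of each user profile's preferences file with `audit_file()` and collect the findings centrally; a non-empty result on a managed machine is a cheap first signal that the homepage or search provider has been tampered with, which is exactly the change a hijacker of this kind makes.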

Check Point has pointed the finger at a Chinese digital marketing firm named Rafotech, claiming the hijacker piggybacks on legitimate software the firm has developed, though it may also be spread through spam, other malware and other freeware. While the majority of machines impacted are in India and Brazil, the U.S. has been far from immune to the infection; some 5.5 million infections may have happened here.

What’s most alarming is that the Chinese malware Fireball is sophisticated precisely because of how it is bundled. Check Point describes the situation: “While the distribution of Fireball is both malicious and illegitimate, it actually carries digital certificates imparting them a legitimate appearance. Confused? You should be.

“Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. How is that? Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the installment of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.

This gray zone led to the birth of a new kind of monetizing method – bundling. Bundling is when a wanted program installs another program alongside it, sometimes with a user’s authorization and sometimes without. Rafotech uses bundling in high volume to spread Fireball.”

If you’re responsible for corporate networks at your company, it’s critical you have clear policies and procedures in place governing whether and how employees may download software of any kind onto a desktop, laptop or mobile device. As malware developers adopt more sophisticated methods of attack, users and their employers must remain vigilant to protect their company’s most precious resource – its data.

If you suspect your machine or others in your company are infected, follow the instructions provided by Check Point to identify any adware and then remove it.