DANGEROUS ‘FIREBALL’ ADWARE INFECTS A QUARTER BILLION PCS
February 22, 2018
Seid Yassin

Adware that infects your computer to display pop-ups is an annoyance. But when it infects as many as one in five networks in the world, and hides the capability to do far more serious damage to its victims, it’s an epidemic waiting to happen.

The security firm Check Point has warned of a massive new outbreak: They count 250 million PCs infected with malicious code they’ve called Fireball, designed to hijack browsers to change the default search engine, and track their web traffic on behalf of a Beijing-based digital marketing firm called Rafotech. But more disturbingly, Check Point says it found that the malware also has the ability to remotely run any code on the victim’s machine, or download new malicious files. It’s potentially serious malware, disguised as something more trivial.

“A quarter-billion computers could very easily become victims of real malware,” says Maya Horowitz, the head of Check Point’s research team. “It installs a backdoor into all these computers that can be very, very easily exploited in the hands of the Chinese people behind this campaign.”

The Hack
Check Point found that at least some of the estimated hundreds of millions of computers infected with Fireball contracted the malware via free software that was “bundled” with Rafotech’s code. The researchers point to freeware like Soso Desktop and FVP Imageviewer, both of which have been packaged with the adware in some cases. But since none of those free applications is particularly popular or even recognizable to Americans, Check Point’s Horowitz admits that the researchers don’t know whether other common techniques, like phishing or exploit kits, are also used to install the malware. Rafotech didn’t respond to WIRED’s request for comment.

Check Point traced the Fireball infections to Rafotech by analyzing the domains of the command and control servers that the malware links back to. They were also able to check the registration of the domains used to host the highly obscure search engines—which actually load results from Google and Yahoo—Fireball forces on its victims.

Source | wired