Fireball: The Zombie Apocalypse for Internet Browsers
Security researchers have reported the presence of another malware, which infects your system via an adware attack. Read on to learn more.
If a zombie apocalypse looks like hordes of the undead eating human flesh, a browser zombie apocalypse looks like computer screens around the world getting flooded with unwanted browser ads. And according to Check Point Software Technologies, the browser zombie apocalypse is upon us.
On June 1st, Check Point researchers reported that more than 250 million computers worldwide have been infected with malware that turns computers into ad-flooded zombies. Dubbed Fireball, the malware is reported to be backed by Rafotech, a digital marketing company in China that offers gaming apps to 300 million customers.
Rafotech seems to generate revenue by injecting advertisements—in the form of banners—into browsers. The issue here, beyond annoying ads, is that Fireball is basically a ticking time bomb. Since the infection has already spread, at any moment it could turn into a massive agent of destruction by unleashing a plethora of malware into networks around the world. If this were to happen, it would result in one of the most significant cybersecurity breaches in history.
Fireball is a type of malware called adware; it comes bundled with freeware downloaded from certain sites. Once installed, Fireball adds an extension to your browser without your consent. After it infects your system, this malware extension turns your browser into an ad revenue-generating zombie. It does this by manipulating your browser to direct search engine traffic through Trotux, a fake search engine, before redirecting you back to a screen that looks like your default search engine. This method of faking search engines is used to generate traffic for Rafotech, and Fireball supplements this by barraging you with ads.
Although it hasn't surfaced as a major issue yet, Fireball opens up an insecure avenue for additional malware to be installed on your computer. The scariest part of all is that it also tracks data about your web traffic, collecting information on which sites you are browsing as well as personal information you submit via an infected browser. Adding to that, Fireball has anti-detection capabilities, a flexible command-and-control server, and the ability to drive users to malicious sites.
According to Check Point, of the 250 million Fireball infections, India experienced 10.1 percent, while Brazil and the U.S. each had 9.6 percent. Their current estimates indicate that 20 percent of corporate networks worldwide have been infected.
Though Rafotech has not accepted responsibility for Fireball's widespread infection, the company's scope and reach, along with Check Point's research, point to it as the perpetrator. Apart from this, Rafotech also displays the following image on their website, which mentions “300 million users,” a number that is coincidentally similar to the number of reported Fireball infections.
Rafotech seems to be using bundling to spread Fireball, as many users download bundled software without authorizing the additional parts. Experts suspect that two popular vectors—Deal WiFi and Mustang Browser—are bundling this malware with other Rafotech products. This bundling may also be occurring via other freeware distributors, including products such as Soso Desktop and FVP Imageviewer. After this outbreak caused a serious buzz, Rafotech's website seemed to be momentarily down.
Determining if your computer has been infected is easy. Fireball shows tell-tale signs of infection. For example, if you open your browser and see that the homepage is not something you set—and you can't modify it—then this is a clear indicator. You can further confirm the infection by checking if your search engine settings have been modified. If you find any browser extensions that you didn't install, there's a good chance your computer could be infected.
How do I remove Fireball from my computer?
- For Windows: Uninstall the adware from the Programs and Features list in the Control Panel.
- For Mac: Use Finder to locate Applications, then drag the suspicious file to the Trash. Then empty the Trash.
- Using anti-virus: Run a threat scan to find and eliminate all traces of Fireball.
- Remove extensions: Remove malicious add-ons from all your browsers and restore your browser to its default settings.
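The three tell-tale signs above (a homepage you did not set, a modified default search engine, and extensions you did not install) can be checked mechanically against a browser's settings file. The script below is an added example, not code from the article or from Check Point: it audits a Chrome-style Preferences JSON document, using a constructed sample rather than a real profile, and assumes the key names `homepage`, `default_search_provider_data` and `extensions.settings[*].from_webstore` as well as the expected-host allowlists.

```python
import json
from urllib.parse import urlparse

# Assumed allowlists: what the user (or the organisation's policy) actually configured.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}
EXPECTED_HOMEPAGES = {"", "https://intranet.example/"}  # "" = no explicit homepage

# Constructed sample of a Chrome-style Preferences file showing all three indicators.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://start.fake-search.example/",
    "default_search_provider_data": {
        "template_url_data": {
            "keyword": "fake-search",
            "url": "http://search.fake-search.example/?q={searchTerms}"}},
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "manifest": {"name": "Password Manager"}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "manifest": {"name": "Search Helper"}}}}})

def audit_browser_preferences(prefs_json: str) -> list:
    """Return findings for the three indicators: hijacked homepage, redirected
    default search engine, and extensions that did not come from the Web Store."""
    prefs = json.loads(prefs_json)
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage not in EXPECTED_HOMEPAGES:
        findings.append("homepage hijacked: %s" % homepage)
    provider = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search_url = provider.get("url", "")
    host = urlparse(search_url).hostname or ""
    if search_url and host not in EXPECTED_SEARCH_HOSTS:
        findings.append("search engine redirected: %s" % host)
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        name = ext.get("manifest", {}).get("name", "<unknown>")
        if not ext.get("from_webstore", False):
            # Sideloaded / bundled extensions are exactly how Fireball arrives.
            findings.append("extension not from Web Store: %s (%s)" % (name, ext_id))
    return findings

if __name__ == "__main__":
    # On a real Windows profile, read %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences instead.
    for finding in audit_browser_preferences(SAMPLE_PREFS):
        print("FINDING:", finding)
```

A clean profile returns an empty list; each finding maps to one of the removal steps above (restore settings, remove the add-on).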
Researchers suspect that another company, ELEX Technology, is working with Rafotech. There appears to be some sort of deal between them because ELEX Technology seems to be producing similar adware. While inserting ads into your browser may qualify as an irritation, Fireball's ability to download additional files, including more damaging malware, is prompting security companies to address this adware as a potential threat. Likewise, organizations should also recognize the threat, and scan for and eliminate adware in their networks as soon as possible, before this zombie apocalypse evolves. Employ an endpoint management solution with capabilities that let you stay proactive rather than reactive.
Opinions expressed by DZone contributors are their own.