Unlike most malware, for which attribution is hard to determine, everyone knows where the Fireball malware comes from. Not only is it known to originate in China, it is also known to have been designed by a Chinese digital advertising firm, Rafotech. In fact, this may have been an advertising angle that got out of control. Digital advertising is a competitive business, so many advertisers use browser plug-ins to increase their advertising effectiveness. That is roughly what Rafotech did, at least initially.
The company’s website has disappeared, but its Linkedin page describes the company, in a somewhat garbled manner, as follows.
“Being years of publisher ourselves, Rafotech has deep understanding of what it means to monetize more. Started as a business unit of Rafo Technology Inc, one of the premium publisher powering over 6 billion monthly impressions, our solution to monetize both display and search traffic has been proved profitable and sustainable. It is a solution made by publisher and for publishers.”
My guess is that they are saying they can help you make more money by advertising more effectively. Well, they kind of kept their promise.
Initially, Rafotech installed plug-ins in browsers that could be used to control what ads appeared on pages that the user navigated to. Then they got a little too creative. They took advantage of the fact that all of us use a default search engine, and for many of us, that search engine is google.com or yahoo.com.
From the Check Point Report
By redirecting victims from their normal default search page to a Rafotech-approved search page, Fireball designers can position themselves to implant tracking pixels into browsers to gather user information. They can use the same technique to replace your normal home page with one of these search engines, like the one shown below.
Example of a Fireball-approved Search Engine
The reason they use this technique is to find out what a user is interested in and then target them with ads based on this interest. This advertising approach is not, in itself, dangerous. Its main use is to generate money for the company and its affiliates. However, the fact that the company controls your browser means Rafotech, or others, can use it to install malware onto your computer. They could, for example, send users to a malicious site that is designed to download remote access malware and take full control of your device. Although Rafotech has not done this, as far as we know, they have opened a backdoor that others could, perhaps, take advantage of.
From the Check Point Report
Actually, the line between this advertising strategy and a malware attack is very fuzzy. Adware distribution is not, in itself, considered a crime or the CEOs of all major social media firms would be in prison.
Check Point, the cybersecurity firm that discovered this malware, calls Fireball “possibly the largest infection operation in history.” The main question, then, is: how did Fireball manage to infect 250 million computers? In a word: bundling. Bundling means packaging other, usually unwanted, programs into a download that the user has chosen. Normally, when installing the wanted download, the user is offered a customized installation. If they do not choose this option, the malware or adware is installed automatically. In other words, the company did nothing wrong, because you, the user, accepted the extra programs in the bundle. And good luck trying to uninstall these programs; that is something left to experts only. Still, there is no law that says you have to make your programs easy to uninstall. To illustrate the difficulty, here is the advice given for uninstalling the Trotux search engine shown above.
“How to remove Trotux.com redirect (Removal Guide)
This malware removal guide may appear overwhelming due to the amount of the steps and numerous programs that are being used. We have only written it this way to provide clear, detailed, and easy to understand instructions that anyone can use to remove malware for free. Please perform all the steps in the correct order. If you have any questions or doubt at any point, STOP and ask for our assistance.”
At other times, you may not be given the choice of what adware or browser plug-ins are installed with your chosen download. You won’t even know they are there until your browser begins to act in unpredictable ways, suddenly leading you to sites you never chose to visit or opening your browser to a new home page. Again, it will be difficult to remove these browser controllers because, even when they are deleted from your browser, they will reinstall themselves once the browser is opened again. Sometimes, the only option left may be resetting your browser to its default settings.
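The hijack described above (default search engine, home page and startup page redirected to an unfamiliar search site) can be spotted in the browser's own settings. The following is an added defensive check, not code from the post or from Check Point: it parses a constructed sample of a Chrome `Preferences` file (the key layout follows Chrome's real JSON preferences; the values are made up, using the trotux.com domain from the post) and reports every home page, startup URL or default search URL whose host is not on an allowlist of expected search engines.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Chrome "Preferences" file after a browser hijack.
# The key names mirror Chrome's real Preferences JSON; the values are invented.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://www.trotux.com/?z=example",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://www.trotux.com/?z=example"]},
    "default_search_provider_data": {
        "template_url_data": {
            "short_name": "Trotux",
            "keyword": "trotux.com",
            "url": "http://www.trotux.com/?q={searchTerms}&z=example",
        }
    },
})

# Search engines the user is expected to have; anything else gets reported.
TRUSTED_DOMAINS = {"google.com", "yahoo.com", "bing.com", "duckduckgo.com"}

def _domain(url):
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def _trusted(url, trusted):
    d = _domain(url)
    return any(d == t or d.endswith("." + t) for t in trusted)

def find_hijacked_settings(prefs_json, trusted=TRUSTED_DOMAINS):
    """Return (setting, url) pairs whose host is not one of the trusted search domains."""
    prefs = json.loads(prefs_json)
    findings = []
    homepage = prefs.get("homepage")
    if homepage and not prefs.get("homepage_is_newtabpage") and not _trusted(homepage, trusted):
        findings.append(("homepage", homepage))
    for url in prefs.get("session", {}).get("startup_urls", []):
        if not _trusted(url, trusted):
            findings.append(("startup_url", url))
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if tpl.get("url") and not _trusted(tpl["url"], trusted):
        findings.append(("default_search", tpl["url"]))
    return findings

if __name__ == "__main__":
    # On a real machine, read the profile's Preferences file instead of the sample.
    for setting, url in find_hijacked_settings(SAMPLE_PREFERENCES):
        print(f"suspicious {setting}: {url}")
```

Because hijackers of this kind rewrite the settings again when the browser restarts, a clean result right after a manual fix is only meaningful if the check is repeated after the next browser launch.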
Check Point also suspects that Fireball spreads by less than legitimate means, such as spam, or by giving the freeware fake names so that it appears to be something it is not. It would be difficult to reach such a huge number of infections if bundling were the only distribution method, because the infection rate of this malware can only be called astounding. In Indonesia, for example, 60% of corporate networks are infected. Check Point claims that 20% of the world’s corporate networks are infected with Fireball. The U.S. is just beginning to be targeted, with ‘only’ 10.7% of U.S. corporate networks infiltrated.
The tools for a major security breach are, thus, in place. As Check Point notes, “Rafotech holds the power to initiate a global catastrophe.” I guess that about sums it up. What else could you say if 20% of the world’s corporate networks could be breached and sensitive information stolen? What if these computers were used in a DDoS attack? It is no exaggeration to say that most of the world’s internet services would be knocked offline. Keep in mind that the Mirai botnet DDoS attack took down major internet sites around the world with only 100,000 infected endpoints. Fireball is hundreds of millions of times bigger. Just think about that for a while.
Are you or your enterprise network infected? Go to the Check Point post to read the removal instructions. Good luck.