This article is more than 1 year old

Goodness gracious, great Chinese 'Fireball' malware infects 250m systems worldwide

Researchers finger digital marketing agency Rafotech

A strain of Chinese browser-hijacking malware dubbed Fireball has infected 250 million computers.

The malware takes over web browsers and turns them into zombies, security firm Check Point warns. Fireball is capable of executing any code on the infected machines, resulting in a wide range of actions from stealing credentials to dropping additional software nasties.

Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but can just as easily turn into a prominent distributor for any additional malware. In its adware mode, Fireball hijacks and manipulates infected users' web traffic to generate ad revenue.

Fireball spreads mostly via "bundling", which means it is installed alongside a program the user wants to download, but without their consent. The biggest proportion of infections are in India, Brazil and Mexico, but there are over 5.5 million instances of the nasty in the US.

Fireball infection flow [source: Check Point blog post]

The malware has spread so widely that it's even affecting corporate networks, according to researchers. Fireball has infected more 250 million computers worldwide, with 20 percent occurring on corporate networks. Western corporate networks are looking healthier (Indonesia, India and Brazil are bearing the brunt) despite still showing multiple instances of the nasty.

Check Point's data shows that 9.3 per cent of corporate networks in the UK have at least one machine with the Fireball adware on it, the same as in the US. By comparison, 9.75 per cent of German corporate networks have a Fireball-infected machine, and 18 per cent in France.

Another indicator of the incredibly high infection rate is the popularity of Chinese digital marketing agency Rafotech's fake search engines. According to Alexa's web traffic data, 14 of these dodgy pages are among the top 10,000 websites.

Check Point alleges that Rafotech is slinging the potentially unwanted application (or PUP). El Reg invited Rafotech to comment on this claim via a message submitted through its website, but we're yet to hear back. We'll update this story as and when we learn more.

The researchers are critical of the Beijing-based firm's business practices.

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is. Many companies provide software or services for free, and make their profits by harvesting data or presenting advertisements. Once a client agrees to the install of extra features or software to his/her computer, it is hard to claim malicious intent on behalf of the provider.

Fortunately, disinfection is fairly straightforward. Fireball can be removed from PCs by uninstalling the adware using the Programs and Features list in the Windows Control Panel, or using Mac Finder function in the Applications folder on Macs. "Users should also be removing malicious add-ons, extensions or plug-ins from their browsers," Check Point further advises.

More details on Fireball – and how to get rid of it – can be found here. ®

More about


Send us news

Other stories you might like