Stories
Slash Boxes
Comments

SoylentNews is people

Fireball Malware Infects 250 Million Computers

posted by martyb on Friday June 02 2017, @02:41PM   Printer-friendly
from the how-to-be-a-top-1000-web-site dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Check Point Threat Intelligence and research teams recently discovered a high volume Chinese threat operation which has infected over 250 million computers worldwide. The installed malware, Fireball, takes over target browsers and turns them into zombies. Fireball has two main functionalities: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users' web-traffic to generate ad-revenue. Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.

This operation is run by Rafotech, a large digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims' browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users' private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks.

[...] According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%).

Based on Check Point's global sensors, 20% of all corporate networks are affected. Hit rates in the US (10.7%) and China (4.7%) are alarming; but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates.

Source: http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Fireball Malware Infects 250 Million Computers | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by kaszz on Friday June 02 2017, @05:51PM (2 children)

    by kaszz (4211) on Friday June 02 2017, @05:51PM (#519471) Journal

    From the article:

    Uninstall the adware by removing the application from the Programs and Features list in the Windows Control Panel.

    For Mac OS users: /../ Use the Finder to locate the Applications

    Not so obvious. Like they PRESUME all people are Microsoft groupies.

    So it's a malware in two versions. For Microsoft Windows and Apple Mac OS.
    Which proves the point that those software ecosystems should be avoided.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 2) by frojack on Friday June 02 2017, @07:43PM (1 child)

    by frojack (1554) on Friday June 02 2017, @07:43PM (#519541) Journal

    Its also so vague on the actual effects or detection of this Fearsome Fireball that its hard to know just WHAT users are supposed to remove.
    TFA is a masterpiece of uninformative reporting. Does it ever get around to one clear example?

    One could almost make the case that Fireball is actually Windows 10, since the global install base [theverge.com] is roughly the same size.

    --
    No, you are mistaken. I've always had this sig.

    • (Score: 2) by kaszz on Friday June 02 2017, @08:08PM

      by kaszz (4211) on Friday June 02 2017, @08:08PM (#519554) Journal

      As for detection:

      HOW CAN I KNOW IF I AM INFECTED?
      To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

      And seeing any of these addresses in outgoing traffic is likely a direct indicator of foul play.

      C&C addresses

              attirerpage.com
              s2s.rafotech.com
              trotux.com
              startpageing123.com
              funcionapage.com
              universalsearches.com
              thewebanswers.com
              nicesearches.com
              youndoo.com
              giqepofa.com
              mustang-browser.com
              forestbrowser.com
              luckysearch123.com
              ooxxsearch.com
              search2000s.com
              walasearch.com
              hohosearch.com
              yessearches.com
              d3l4qa0kmel7is.cloudfront.net
              d5ou3dytze6uf.cloudfront.net
              d1vh0xkmncek4z.cloudfront.net
              d26r15y2ken1t9.cloudfront.net
              d11eq81k50lwgi.cloudfront.net
              ddyv8sl7ewq1w.cloudfront.net
              d3i1asoswufp5k.cloudfront.net
              dc44qjwal3p07.cloudfront.net
              dv2m1uumnsgtu.cloudfront.net
              d1mxvenloqrqmu.cloudfront.net
              dfrs12kz9qye2.cloudfront.net
              dgkytklfjrqkb.cloudfront.net
              dgkytklfjrqkb.cloudfront.net/main/trmz.exe

      But your point is straight on. The whole article reads just like a sales brief. Just puff and fluff but clinically clean of substance. It's probably easier to put up a honeypot and wait for any of these addresses to show up and then investigate the machine to find out some hard facts.