Chinese 'Fireball' Malware Infects Nearly 250 Million Computers Worldwide

Check Point researchers have discovered a massive malware campaign, dubbed Fireball, that has already infected more than 250 million computers across the world, including Windows and Mac OS. The Fireball malware "is an adware package that takes complete control of victim's web browsers and turns them into zombies, potentially allowing attackers to spy on victim's web traffic and potentially steal their data," reports The Hacker News. From the report: Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers. While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide. Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com). "It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time," researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."

So, uhhh

[Snotnose]

How do I find out if I'm infuckted? File to look for? Program I can download and run to say yay/nea?

Re:So, uhhh

[hcs_$reboot]

You should see an icon (bottom left) click on it, and click "About". If you see "wIndows" anywhere, you're infected.

Re:

[CaptainDork]

Kwit it.

Yer Killin' me lol

Re: So, uhhh

[Brockmire]

Why is this funny? There's no "About" in the start menu. Exactly 0 would be infected. You guys have extremely low bars for funny.

Re:

[AHuxley]

Malwarebytes. If on Mac or Windows its aways good to have some AV.

Re:

[__aadota8673]

I am responsible for security at an unnamed 3 letter government agency. I make sure patches are applied to 80k laptop and desktop windows workstations, and I can tell you Malwarebytes is not a realistic way to defend against something like this. Back in my days as a video game white-hat tester I wrote a python script. After much refactoring, it now logs in to every box through a client listener socket I have open on each workstation, and checks to make sure everything is patched. This is the only realis

Re: So, uhhh

[hunter44102]

Did you read the article? This will indeed install on your patched systems because it comes as a payload with freeware software that the users install. So Malwarebytes is exactly what is needed to find and remove it.

Re:So, uhhh

[mreed911]

"Back in my days as a video game white-hat tester I wrote a python script. After much refactoring, it now logs in to every box through a client listener socket I have open on each workstation, and checks to make sure everything is patched." So you have homegrown python code listening on a custom socket and that has the ability to do administrative things on the computer? I see... tell me more about this setup, please... in the interest of "science."

Re:

[dbIII]

listening on a custom socket and that has the ability to do administrative things on the computer

MS Windows is like that :(
MS Windows security is like a starlet's underwear. If it's there at all it doesn't cover much and is just there for decoration.
You need third party tools (which do administrative things on the computer that in an ideal world only MS supplied tools could do) to fill up the gaps. So the above poster probably wrote something that acted like third party antivirus for specific situations

Re:

[LostMyBeaver]

A socket is a means of communicating between processes (and the kernel) in UNIX. Berkeley implemented a sockets API for network communications as part of BSD and called it Berkeley sockets and later, a similar API called WinSock was implemented to provide a similar platform of communications on Windows, though it wasn't technically a socket.

There are hundreds (probably thousands) of operating systems which don't use sockets for communications as the API is often overkill for small applications. Instead, the

Re:

[LostMyBeaver]

Oh, I'm about to roll over and die here. This is just brilliant, I wanted to see what you were responding to and I clicked back one... it was beautiful. I've actually made a bookmark to this one as it's going down in history as one of my favorite examples of how pathetic people "responsible for security" on government networks are.

Did you even read what mreed911 wrote? If so, did you understand it?

I love this!!! Criemer, you're absolutely brilliant. I think you might be my favorite new comedian... and you d

Re:

[LostMyBeaver]

We all know you started as a video game tester. 95% of your posts mention your entire history, high school grades included.

You still didn't get the joke either. Mreed911 said something pretty much any competent IT guy would find hilarious and you either didn't read it or didn't get it.

People might stop attacking you and stop teasing you if you stopped calling everyone names (about 70% of your posts, 50% when you specifically initiate aggression). They might respect you more if you don't self-aggrandize with

Re:

[Zontar The Mindless]

I am responsible for security at an unnamed 3 letter government agency.

D. M. V.

What do I win?

If you're patched up to the latest, you're not getting infected - Windows, Mac or Linux is irrelevant to the conversation [wikipedia.org].

You're simply priceless. Please keep posting, and I'll keep wiping coffee from my keyboard.

Re:

[phantomfive]

If you're patched up to the latest, you're not getting infected

This is absolutely not true. A zero-day is by definition a vulnerability that is not yet known to the software vendor, so no patch can exist, and yet hackers can know about it.

We've actually seen examples where Microsoft hasn't patched security flaws, and the flaw was being exploited by hackers. Here is one example, [slashdot.org] there are plenty.

Re:

[110010001000]

You are responsible for security at a 3 letter government agency and you earn $50,000 in Silicon Valley?

Re:

[MoarSauce123]

Won't help you with zero days...but I guess your three letter agency has a broad catalog of zero days that are intentionally not shared with vendors.

Re: Time for the EU to put sanctions on China

[Narcocide]

No, dude. The criminals have their own astro-turfing moderators. If you registered you'd know everyone gets to moderate. The moderation used to overall still reflect the will of the community because even the assholes were still acting in good faith.

Re:

[hcs_$reboot]

And regarding criminal activities against the planet?

Re:

[AHuxley]

The Communist party has a few fears. That MI6, the CIA, NSA, GCHQ have set up secure communications networks with dissident groups in China.
The only way China can be sure is to test every connection into and out of China from both directions. The network activity often seen is just the seeking of a network origin. Is it a VPN, encrypted, how does the server respond. Its the only way China can really understand what someone connected to from China. A constant real time mapping of the internet to find e

Yet another reason to surf in VMs

[JoeyRox]

Congratulations on compromising my Virtual Machine. I will one-click delete you now.

MacOS target

[manu0601]

Hacker News's story notes MacOS is a target, but that information cannot be found in Checkpoint blog.

The infection involves installation of plugins from Chrome. Is that native code? If it is the case, it is unlikely that multiple targets are maintained, as it costs money

Re:

[gravewax]

Considering checkpoint has instructions at the bottom of the article for uninstall from MacOS and they state clearly it has multiple packaging methods I would say you simply didn't actually read the checkpoint report.

Re:

[manu0601]

Well I used the search feature of my browser for the "mac" word and did not find it in the article. Weird.

Re:

[DontBeAMoran]

My question is, can a website install a plugin in Chrome without our authorization?

Digital marketing and game apps...

[Narcocide]

... to 300 million unaware, unwilling customers? Brilliant! Maybe this explains why my resume seems so lackluster.

Old news?

[Altrag]

Sounds like its just Banzai Buddy 2.0..

Unless there's something TFA is glossing over, it sounds like fairly standard adware.. they even state that it safely goes away when you uninstall the offending container software, making it actually less obnoxious than Banzai Buddy and his friends from a decade ago.

Re:

[dbIII]

Minor nitpick (especially minor since a google search would now sort out the spelling mistake), but it was Bonzi Buddy.
It was incredibly annoying. I'd had to go back to doing support every now and again, had a user complain about a very slow PC, found that piece of shit malware on it, deleted it, and then had to explain to that user's manager why I had made the user angry by removing the user's "friend".

Re:

[Altrag]

Hah! Thanks, I knew that didn't look right but close enough that I didn't bother double-checking ;).

Re:

[AmiMoJo]

Also, why is it "Chinese" malware? Malware made by Americans isn't usually referred to as "American malware". That designation is reserved for US government malware.

Calm down

[TheOuterLinux]

Fireball is literally no different then the ad-based crap Window$ pushes. It's not harmful on its own but can be used maliciously. Though, I doubt anyone really read the source. Fireball is a Chinese thing. Do you get your freemium software from Chinese websites? If you are a Slashdotter, then hopeful not, or your a sadomasochist/complete moron. This is nothing more than a clever scare brought on by Micro$oft to get people on the M$ store bandwagon. Just learn to use FOSS applications. I know it's unjustifiably painful for whatever reason for Window$ users to not pay for things that are developed by hundreds of collaborators with source code to look at, but it won't actually hurt you.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheOuterLinux]

I did that part, but I own a Mac and adware doesn't work all that well. Some free VPN's use adware when launching a web browser, but that's what NoScript's for and your default browser shouldn't be Safari anyway. On top of which, by default, the current MacOS system prevents the launch of software from unknown developers, as well as checks the integrity DMGs and applications at opening. I'll say it again, use FOSS if you're not going to use your system's store. If you get adware as a Mac user, you just an i

Re:

[TheOuterLinux]

Sounds like instant gratification to me.

Follow the money

[Stan92057]

Ive said it a thousand times the only way this ends is to go after the money, The people who pay for the adverting.Affiliates have to get paid somehow and the product seller knows who they are.so records are kept and codes so affiliates"scumbag spammers. Then you actually need to go after these guys maybe if the NSA ,FBI,CIA scumbags stopped spying/data mining on regular people living their lives and go after these scumbags that would work too.