"Fireball" Malware Contains Digital Certificates

Topic

New Reply

Check Point Threat Intelligence Research Team have discovered a “high volume Chinese threat operation”, in the form of Fireball. The scope of this mal[See the full post at: “Fireball” Malware Contains Digital Certificates]

Link to the Code Red topic:
“Fireball” Malware – a Browser Hijacker / Malware Downloader

3 users thanked author for this post.

SueW, ch100, EstherD

Reply | Quote

Replies

So, according to Check Point, it only infects machines that had rigged freeware installed, right?

This malware can’t spread via any other way? I mean, the claimed numbers are incredibly high… It’s hard for me to believe in a threat based on social engineering working this well… I mean, it shouldn’t be hard to believe, I just don’t want to believe I guess…

But anyway, if I’m not installing freeware, well, not installing anything new in over a year, I should be safe against this one, right?

Reply | Quote

From the linked Check Point article (Code Red topic):

Fireball is spread mostly via bundling i.e. installed on victim machines alongside a wanted program, often without the user’s consent.

HOW CAN I KNOW IF I AM INFECTED?

To check if you’re infected, first open your web browser. Was your home-page set by you? Are you able to modify it? Are you familiar with your default search engine and can modify that as well? Do you remember installing all of your browser extensions?

If the answer to any of these questions is “NO”, this is a sign that you’re infected with adware. You can also use a recommended adware scanner, just to be extra cautious.

3 users thanked author for this post.

HiFlyer, jburk07, Elly

Reply | Quote

Is there software confirmed to detect Fireball infections at the current moment?

Reply | Quote

I haven’t seen any mentioned so far.
The quoted “How Can I Know If I Am Affected” is sensible advice. If it appears that a computer is infected, the full instructions on Check Point’s blog discuss uninstalling adware and malicious browser add-ons, resetting the browser settings, and running anti-malware/adware cleaner scans.

1 user thanked author for this post.

SueW

Reply | Quote

Any list of what specific freeware is carrying this malware?

Reply | Quote

I don’t believe there is a specific narrow list of affected downloads.

From the linked Check Point article (Code Red topic):

As with other types of malware, there are many ways for Fireball to spread. We suspect that two popular vectors are bundling the malware to other Rafotech products – Deal Wifi and Mustang Browser – as well as bundling via other freeware distributors: products such as “Soso Desktop”, “FVP Imageviewer” and others.

3 users thanked author for this post.

HiFlyer, jburk07, JDeC

Reply | Quote

But it is somewhat recent, right?

I mean, if one does not install anything new in a while, it is unlikely to get hit, is that correct?

Reply | Quote

Checkpoint advise they have recently discovered the threat. I haven’t seen anything to indicate how long they suspect it has been active, sorry.

It is interesting to see how widespread the infections are, and that may indicate it isn’t extremely recent (it wouldn’t appear likely, presumably).

According to our analysis, over 250 million computers worldwide have been infected: specifically, 25.3 million infections in India (10.1%), 24.1 million in Brazil (9.6%), 16.1 million in Mexico (6.4%), and 13.1 million in Indonesia (5.2%). The United States has witnessed 5.5 million infections (2.2%)…
Another indicator of the incredibly high infection rate is the popularity of Rafotech’s fake search engines. According to Alexa’s web traffic data, 14 of these fake search engines are among the top 10,000 websites, with some of them occasionally reaching the top 1,000.

CONCLUSION

In this research we’ve described Rafotech’s browser-hijackers operation – possibly the largest infection operation in history. We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users, and therefore it must be blocked by security companies.

The full distribution of Fireball is not yet known, but it is clear that it presents a great threat to the global cyber ecosystem. With a quarter billion infected machines and a grip in one of every five corporate networks, Rafotech’s activities make it an immense threat.

2 users thanked author for this post.

SueW, HiFlyer

Reply | Quote

According to the Check Point post, “20% of all corporate networks are affected . Hit rates in the US (10.7%) and China (4.7%) are alarming;but Indonesia (60%), India (43%) and Brazil (38%) have much more dangerous hit rates.”

It’s shocking that a third or more of company networks anywhere would leave themselves vulnerable like this.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

This is why corporations should be using HOSTS files and utilizing applications like Spybot Search & Destroy and Teatimer.

Reply | Quote

Spybot was hopelessly obsolete last I checked them out. Fill your zones files with 10,000 double entries (HKLM/HKCU), never prune for decades old domains. Not sure if the same thing is as big an issue in the hosts files.

Reply | Quote

This subject is being discussed on Malware: Its Prevention, Detection & Blocking

1 user thanked author for this post.

satrow

Reply | Quote

What digital certificates does this contain? Self signed? Stolen/tampered? Purchased the normal way? What do they do with them? Hijack/inject all https?

Reply | Quote

From blog.checkpoint.com (linked on Code Red topic):

So how do they carry digital certificates? One possibility is that issuers make their living from providing certificates, and small issuers with flexible ethics can enjoy the lack of clarity in the adware world’s legality to approve software such as Rafotech’s browser-hijackers.

Reply | Quote